Hosting & Domaining Forum

Title: How BitNinja Guards Against Malware Targeting WordPress Sites
Post by: Hosting News on Mar 19, 2023, 10:03 AM
BitNinja has taken steps to protect WordPress websites from a new type of cyberthreat that targets these sites and causes extensive damage to their files. This malware preys on vulnerabilities in these sites, and it has the potential to expose sensitive information, bring down services, and cause widespread harm.

The malware under review by BitNinja consists of three key functions, including the write() function, which grabs content from two encrypted URLs and inserts it into various files within a WordPress site. The malware also has a get() function that retrieves content from a designated URL using either the file_get_contents() function or the cURL library and an is_https() function that checks whether the current request uses HTTPS.

What's interesting about this malware is that, despite its potential to cause damage, BitNinja has been guarding against it since 2021 using the PHP.Snippet.Backdoor.WPHTAccess signature. In fact, the number of cases of this malware has decreased steadily over time as measures have been taken to catch and prevent it. So, WordPress sites can rest assured that they are in good hands with BitNinja protecting them.

The script begins by disabling error reporting, and then declares several variables, including a base64-encoded domain name in the variable "$go_domain", the first 4 characters of the HTTP_ACCEPT_LANGUAGE header in the variable "$language", and the IP address of the user in the variable "$userip". Other variables include "$userrefer", which holds the value of the user's HTTP_REFERER header, "$useragent", which contains the user's HTTP_USER_AGENT header, and "$http", which specifies the protocol being used.

The script also creates a URL called "$index_url" that seems to be linked to "$go_domain" and incorporates other variables such as host, request URI, and user IP.

If the "ac" GET parameter has a value of "write", the script invokes a function named "write" and passes the "index.php" parameter to it.

Using preg_match, the script then checks whether the URI ends with "writerobots". If so, it sends a request to the "$index_url" address, receives the response body, decodes it using base64_decode, and writes the decoded content to the "robots.txt" file.

If the URI ends with "pingsitemap.xml", the script sends a similar request, but expects the response body to contain multiple sitemap URLs separated by "@@@".

The script then loops through each URL, sends a request to the Google sitemap ping URL address, and checks whether the response body includes the string "Sitemap Notification Received". If so, the message "Submitting Google Sitemap [sitemap URL] : OK!" is displayed; otherwise, the message "Submitting Google Sitemap [sitemap URL] : ERROR!" is output.

If the URI ends with ".xml", the script sends a request to the "$index_url" address and receives the response body. The content-type is set to text/xml, some placeholders are replaced with the current date, and then the response body is output after being trimmed.
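
Added example, not part of the original post and not BitNinja's code: a triage pass over web access logs for the request triggers described above (the "ac" GET parameter set to "write", and URIs ending in "writerobots" or "pingsitemap.xml"). The Combined Log Format, the names `classify`, `scan` and `SAMPLE`, and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

# URI endings the post says the script reacts to. A bare ".xml" ending is
# left out on purpose: legitimate sitemap requests would match it.
ENDINGS = ("writerobots", "pingsitemap.xml")

def classify(target):
    """Return the triggers from the post that one request target matches."""
    hits = []
    # "ac" GET parameter with the value "write"
    if "write" in parse_qs(urlsplit(target).query).get("ac", []):
        hits.append("ac=write")
    # The script tests how the URI ends, so test the raw target the same way
    hits += [e for e in ENDINGS if target.endswith(e)]
    return hits

def scan(lines):
    """Return (ip, target, status, hits) for each log line that matches."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        hits = classify(target)
        if hits:
            findings.append((ip, target, status, hits))
    return findings

# Constructed sample lines (documentation IP ranges, made-up paths)
SAMPLE = [
    '192.0.2.10 - - [19/Mar/2023:10:03:00 +0000] "GET /index.php?ac=write HTTP/1.1" 200 12 "-" "curl/8.0"',
    '192.0.2.10 - - [19/Mar/2023:10:03:05 +0000] "GET /blog/writerobots HTTP/1.1" 200 2 "-" "curl/8.0"',
    '198.51.100.7 - - [19/Mar/2023:10:04:00 +0000] "GET /pingsitemap.xml HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.5 - - [19/Mar/2023:10:05:00 +0000] "GET /sitemap.xml HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Mar/2023:10:06:00 +0000] "GET /?page=write HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, status, hits in scan(SAMPLE):
        print(f"{ip} {status} {target} -> {', '.join(hits)}")
```

The status code is kept in each finding so that requests the site answered can be separated from ones it rejected.
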
Title: Re: How BitNinja Guards Against Malware Targeting WordPress Sites
Post by: SASASoftware on Jun 25, 2023, 09:53 AM
Cybersecurity experts have discovered a new vulnerability in the Epsilon Framework platform, which is used by websites running the WordPress system. This issue potentially puts tens of thousands of .ru zone websites at risk, making them attractive targets for attackers looking to exploit this vulnerability.

According to Wordfence experts, hackers from 18,000 IP addresses have launched over 7.5 million attacks on more than 1.5 million sites running WordPress and using Epsilon Framework. So far, these attacks have been similar to probing the ground, but they could potentially allow attackers to take control of vulnerable sites.

To reduce the likelihood of an attack, experts recommend that site owners update their themes to the latest version. However, not all site owners update these plugins in a timely manner, leaving sites vulnerable to exploitation.

WordPress is a popular site content management system (CMS) used by about 35% of all websites worldwide. It is especially popular in the .ru domain zone, where around 5 million sites work, with approximately 1 million sites running on WordPress.

Hackers are interested in WordPress because it is widely used and has many known vulnerabilities that can be exploited with malicious code. In response, cybersecurity experts recommend monitoring updates closely and using application-level firewalls for preventive protection.

While vulnerabilities in plugins for WordPress or other CMS pose serious problems for users and site owners, the popularity of WordPress means it is likely to remain a favorite among enthusiasts despite its risks. However, the targeting of the attack on the themes of this system automatically narrows the range of possibilities of attackers, providing some reassurance to those concerned about cybersecurity.
Title: Re: How BitNinja Guards Against Malware Targeting WordPress Sites
Post by: danban on Jun 22, 2024, 02:37 AM
BitNinja is a powerful security platform specifically designed to protect WordPress-powered websites from a wide range of malicious attacks. Here's how it works:

1. Multi-layered Protection:
  - BitNinja employs a comprehensive, multi-layered approach to security, utilizing a variety of detection and prevention techniques to tackle different types of threats.
  - It combines real-time threat intelligence, machine learning algorithms, and expert-curated rules to identify and block malicious activities before they can compromise the WordPress site.

2. WordPress-specific Security:
  - BitNinja is tailored to the unique requirements of WordPress, providing specialized security measures to address the common vulnerabilities and attack vectors targeting WordPress sites.
  - It monitors and secures the core WordPress files, plugins, and themes, ensuring that any unauthorized modifications or suspicious activities are promptly detected and mitigated.

3. Malware Detection and Removal:
  - BitNinja's advanced malware scanning and removal capabilities are a critical component of its protection. It can identify and remove a wide range of malware infections, including viruses, trojans, backdoors, and other malicious payloads.
  - The platform integrates with leading malware databases and constantly updates its signatures to stay ahead of the latest threats.

4. Brute-force Attack Prevention:
  - One of the most common attacks targeting WordPress sites is brute-force attempts to gain unauthorized access. BitNinja implements robust brute-force protection, effectively blocking these attacks and safeguarding the WordPress admin panel.
  - It uses intelligent algorithms to detect and prevent suspicious login attempts, limiting the impact of such attacks.

5. Firewall and Traffic Monitoring:
  - BitNinja's built-in firewall monitors and analyzes incoming and outgoing traffic to the WordPress site, identifying and blocking any suspicious or malicious activity.
  - The platform's traffic monitoring capabilities provide valuable insights into the website's security posture, allowing administrators to proactively address any potential vulnerabilities or anomalies.

6. Automatic Updates and Backups:
  - To ensure the WordPress site remains up-to-date and secure, BitNinja can automatically update the core WordPress installation, plugins, and themes.
  - Additionally, it can facilitate regular backups of the WordPress site, enabling easy restoration in the event of a successful attack or other data loss scenarios.

7. Compliance and Regulations:
  - BitNinja helps WordPress site owners stay compliant with various security standards and regulations, such as PCI DSS, GDPR, and HIPAA, by implementing the necessary security controls and safeguards.
  - This ensures that the WordPress site meets the required security and privacy requirements, reducing the risk of costly fines and reputational damage.