The Wordfence Threat Intelligence and Site Cleaning teams have been tracking a malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators unaware of the infection. Since June 1, 2021, the number of sites we are tracking that have been infected with this malware has more than doubled, and we expect this campaign to continue gaining momentum as it relies on a mechanism that is difficult to block directly.
Jetpack is one of the most popular plugins in the WordPress repository, and it has a dizzying array of features that require users to connect their sites to a WordPress.com account. One of these features allows users that are logged in to WordPress.com to perform administrative tasks, including plugin installation, on sites that are connected to WordPress.com via Jetpack.
Unfortunately, this means that if the credentials for a WordPress.com account are compromised, an attacker can log in to that WordPress.com account and install arbitrary plugins on every connected WordPress site, no matter where it is hosted. This includes the malicious plugin used in this campaign. We’ve written about this intrusion vector in the past, and it is regaining popularity due to a number of recent data breaches at other services.
To clarify, no data breach has occurred at WordPress.com itself. However, password reuse is incredibly common, and credentials obtained from recent data breaches are likely to grant access to a number of WordPress.com user accounts. Additionally, although it is possible to configure Jetpack to allow direct login to a site via WordPress.com credentials, this setting does not need to be enabled in order for a site to be vulnerable. All that is required is that a site be connected to a WordPress.com account that has compromised credentials.
What should I do?
If you use Jetpack, turn on two-factor authentication at WordPress.com. While we strongly recommend using a mobile authenticator app or a security key for this, even SMS-based two-factor authentication is significantly more secure than relying on a password alone.
If you use the same password for your WordPress.com account that you’ve used for any other service, change your WordPress.com password immediately.
If your site has been compromised, we’ve published a guide to cleaning a hacked WordPress site with Wordfence. Restoring from a backup is also an option if you can identify the last known clean backup; reviewing your log files can help you pin down when the infection began and which backups predate it.
If you’d like support in restoring your site to functionality, our Site Cleaning team can help. All Wordfence site cleaning customers receive a Wordfence Premium license key to protect the site going forward as well as a one-year guarantee. If the site is compromised again after recommendations are followed, we’ll clean it again for free.
Indicators of Compromise
The majority of infections we’ve seen have the following plugin and filenames:
The most common MD5 hashes associated with this campaign are:
These malicious plugins check whether the visitor is on the login page or is logged in as an administrator. Any visitor who meets neither condition is redirected to one of several dozen malicious punycode domains, which is how the infection stays hidden from the site owner while still hitting ordinary visitors.
We have listed the domains associated with the most prevalent variant:
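The following scanner is an added example, not code from the original article or from Wordfence. It walks a WordPress plugins directory and flags PHP files that either match a list of known-bad MD5 hashes or contain a redirect (wp_redirect or a Location header) whose target host is a punycode (xn--) domain, and it notes when that redirect sits beside a login or admin check of the kind described above. The hash and domain lists are empty placeholders to be filled from the IOC section; the plugin files it scans in the demo are constructed stand-ins, not real malware samples, and the domain xn--exmple-cua.test is an invented test host.

```python
"""Added example: scan a WordPress plugins directory for the campaign's
indicators (known-bad MD5s, redirects to punycode hosts gated on login or
admin checks). IOC lists are placeholders; sample plugins are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# Placeholders: fill these from the article's IOC lists (assumed lowercase).
KNOWN_BAD_MD5 = set()
KNOWN_BAD_DOMAINS = set()

# A redirect call whose target host contains a punycode (xn--) label.
# Matches within a single PHP statement; lazy [^;]*? skips the opening paren
# and quote before the URL.
REDIRECT_RE = re.compile(
    r'(?:wp_redirect|header\s*\(\s*["\']Location:)[^;]*?'
    r'(?:https?:)?//([a-z0-9.-]*xn--[a-z0-9.-]+)',
    re.I,
)
# Checks the malware uses to avoid redirecting administrators.
GATE_RE = re.compile(r'is_user_logged_in|current_user_can|is_admin\s*\(|wp-login\.php', re.I)


def md5_file(path: Path) -> str:
    """Hex MD5 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.md5()
    with path.open('rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            digest.update(chunk)
    return digest.hexdigest()


def punycode_to_unicode(host: str) -> str:
    """Decode xn-- labels for display; fall back to the ACE form if decoding fails."""
    try:
        return host.encode('ascii').decode('idna')
    except (UnicodeError, ValueError):
        return host


def scan_plugins(plugins_dir, bad_md5=None, bad_domains=None):
    """Return a list of findings, one per suspicious PHP file under plugins_dir."""
    base = Path(plugins_dir)
    bad_md5 = {h.lower() for h in (KNOWN_BAD_MD5 if bad_md5 is None else bad_md5)}
    bad_domains = {d.lower() for d in (KNOWN_BAD_DOMAINS if bad_domains is None else bad_domains)}
    findings = []
    for path in sorted(base.rglob('*.php')):
        reasons = []
        digest = md5_file(path)
        if digest in bad_md5:
            reasons.append(f'md5 {digest} is on the known-bad list')
        text = path.read_text(encoding='utf-8', errors='replace')
        hosts = sorted({m.group(1).lower() for m in REDIRECT_RE.finditer(text)})
        for host in hosts:
            note = f'redirect to punycode host {host} ({punycode_to_unicode(host)})'
            if host in bad_domains:
                note += ' [known campaign domain]'
            if GATE_RE.search(text):
                note += ', gated on a login/admin check'
            reasons.append(note)
        if reasons:
            findings.append({'file': str(path.relative_to(base)), 'md5': digest,
                             'hosts': hosts, 'reasons': reasons})
    return findings


def build_sample_site() -> Path:
    """Constructed demo input: one benign plugin and one plugin that behaves
    like the campaign's redirector. Neither is a real file from the wild."""
    root = Path(tempfile.mkdtemp(prefix='wp-plugins-'))
    (root / 'benign-plugin').mkdir()
    (root / 'benign-plugin' / 'benign-plugin.php').write_text(
        "<?php\n/* Plugin Name: constructed benign stand-in */\n"
        "function benign_greeting() { echo 'hello'; }\n", encoding='utf-8')
    (root / 'constructed-sample').mkdir()
    (root / 'constructed-sample' / 'constructed-sample.php').write_text(
        "<?php\n/* Plugin Name: constructed sample, NOT a real malware file */\n"
        "add_action('init', function () {\n"
        "    if (is_user_logged_in() || strpos($_SERVER['REQUEST_URI'], 'wp-login.php') !== false) {\n"
        "        return;  // stay invisible to admins and to anyone logging in\n"
        "    }\n"
        "    wp_redirect('http://xn--exmple-cua.test/?r=' . rand());\n"
        "    exit;\n"
        "});\n", encoding='utf-8')
    return root


if __name__ == '__main__':
    site = build_sample_site()
    for finding in scan_plugins(site):
        print(finding['file'], finding['md5'])
        for reason in finding['reasons']:
            print('  -', reason)
```

Point scan_plugins at wp-content/plugins on a real site and populate the two placeholder sets from the IOC lists. The hash check is exact; the redirect heuristic is deliberately broad and will not catch variants that hide the URL behind base64 or eval, so treat an empty result as "nothing obvious", not as a clean bill of health.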
In today’s article, we covered a malware campaign targeting sites connected to WordPress.com via the Jetpack plugin. Because this campaign depends on compromised WordPress.com credentials rather than on a flaw in the site itself, it is not possible to block this type of attack directly, but that doesn’t mean there’s nothing you can do.
At this time we recommend that all site owners using the Jetpack plugin enable two-factor authentication for their WordPress.com accounts, and change their WordPress.com passwords if they are using a password that has been used for any other service. If you do not actively use Jetpack, disconnect your site from WordPress.com or deactivate the Jetpack plugin so that a compromised WordPress.com account can no longer be used to install plugins on your site.
Special thanks to Security Analyst Charles Sweethill for tracking this issue and assisting with the article.