Hackers Exploit Litespeed Plugin Flaw To Create Rogue Admin Accounts
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
WordPress plugins make WordPress more useful, but most have flaws that hackers may try to exploit to get unauthorized entry or introduce malicious code.
The popularity and widespread use of common plugins make them an easier target for attackers.
Similarly, out-of-date or neglected plugins with unfixed vulnerabilities tend to offer vulnerable entry points that even a less skilled threat actor could take.
📁🄳🄾🄲🅄🄼🄴🄽🅃
Hackers can do many things, such as distribute malware, carry out website defacements, or manipulate plugins to use compromised sites for future attacks.
Recently, cybersecurity analysts at WPScan discovered that hackers have been actively exploiting the Litespeed plugin flaw to create rogue admin accounts.
Hackers Exploit Litespeed Plugin Flaw
If you’ve discovered the ‘wpsupp-user’ admin user on your site, it indicates this latest malware campaign has impacted your website.
.webp)
Critical WordPress file (Source – WPScan)
Malicious code is injected into critical WordPress files or the database by exploiting vulnerabilities in outdated LiteSpeed Cache versions.
.webp)
Vulnerable version of LiteSpeed Cache (Source – WPScan)
Here below is the decoded version:-
.webp)
Decoded version (Source – WPScan)
To identify the malicious URLs and IPs make sure to lookout for malicious URLs like “https[:]//dns.startservicefounds.com/service/f.php,” “https[:]//api.startservicefounds.com,” “https[:]//cache.cloudswiftcdn.com” and the IP “45.150.67.235” associated with this malware campaign.
The decoded malicious JavaScript often creates rogue admin users such as ‘wpsupp-user’ on the sites that were compromised.
Risks are posed by injecting a malicious script into vulnerable LiteSpeed plugin versions (https[:]//wpscan.com/vulnerability/dd9054cc-1259-427d-a4ad-1875b7b2b3b4) exploited by attackers.
WPScan’s WAF logs showed that on April 27 and 2, there were some unusual spikes in access to this URL, which may suggest vulnerability scanning from IPs 94.102.51.144 (1,232,810 requests) and 31.43.191.220 (70,472 requests), and targeting of weak sites as well as those that are likely susceptible to cyber attacks.
Recommendations
Here below we have mentioned all the recommendations:-
#Cyber_Security #Vulnerability #Wordpress #cyber_security #cyber_security_news #Litespeed_Plugin #wordpress
Оригинальная версия на сайте:
Hackers Exploit Litespeed Plugin Flaw To Create Rogue Admin Accounts
Author: Tushar Subhra DuttaWordPress plugins make WordPress more useful, but most have flaws that hackers may try to exploit to get unauthorized entry or introduce malicious code.
The popularity and widespread use of common plugins make them an easier target for attackers.
Similarly, out-of-date or neglected plugins with unfixed vulnerabilities tend to offer vulnerable entry points that even a less skilled threat actor could take.
📁🄳🄾🄲🅄🄼🄴🄽🅃
Hackers can do many things, such as distribute malware, carry out website defacements, or manipulate plugins to use compromised sites for future attacks.
Recently, cybersecurity analysts at WPScan discovered that hackers have been actively exploiting the Litespeed plugin flaw to create rogue admin accounts.
Hackers Exploit Litespeed Plugin Flaw
If you’ve discovered the ‘wpsupp-user’ admin user on your site, it indicates this latest malware campaign has impacted your website.
Critical WordPress file (Source – WPScan)Malicious code is injected into critical WordPress files or the database by exploiting vulnerabilities in outdated LiteSpeed Cache versions.
Vulnerable version of LiteSpeed Cache (Source – WPScan)Here below is the decoded version:-
Decoded version (Source – WPScan)To identify the malicious URLs and IPs make sure to lookout for malicious URLs like “https[:]//dns.startservicefounds.com/service/f.php,” “https[:]//api.startservicefounds.com,” “https[:]//cache.cloudswiftcdn.com” and the IP “45.150.67.235” associated with this malware campaign.
The decoded malicious JavaScript often creates rogue admin users such as ‘wpsupp-user’ on the sites that were compromised.
Risks are posed by injecting a malicious script into vulnerable LiteSpeed plugin versions (https[:]//wpscan.com/vulnerability/dd9054cc-1259-427d-a4ad-1875b7b2b3b4) exploited by attackers.
WPScan’s WAF logs showed that on April 27 and 2, there were some unusual spikes in access to this URL, which may suggest vulnerability scanning from IPs 94.102.51.144 (1,232,810 requests) and 31.43.191.220 (70,472 requests), and targeting of weak sites as well as those that are likely susceptible to cyber attacks.
Recommendations
Here below we have mentioned all the recommendations:-
- Make sure to audit plugins, update them, and remove any suspicious plugin directories.
- Identify and remove rogue admin users like “wpsupp-user” and “wp-configuser.”
#Cyber_Security #Vulnerability #Wordpress #cyber_security #cyber_security_news #Litespeed_Plugin #wordpress
Оригинальная версия на сайте:
