WordPress and Joomla exploits have existed for years, and cybercriminals have thus been exploiting them for a long time. Yet the situation may have gotten slightly more serious as of late, as there appears to be a bulk exploit tool being used in the wild, targeting sites running both popular content management systems, and having them serve up fake antivirus malware to visitors.
The Sans Institute says it has received reports of multiple exploit attempts on the platforms. The compromised sites are further injected with code which redirects to a third-party sites that in turn serve up the malware.
Fake antivirus threats display a fraudulent scanning result to intimidate users into “purchasing” the fake antivirus program. The Fake AV malware family is being pushed in this case, which features variants for Windows XP, Windows Vista, Windows 7, and even Windows 8.
Sans believes the attacks appear to be attempting to exploit WordPress and Joomla sites en masse, possibly using some kind of new tool created by cybercriminals:
The interesting thing to note is that it doesn’t seem to be a scanner exploiting one vulnerability but some tool that’s basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits. Right now it seems the biggest pain is around Joomla users, particularly with extensions which greatly increase the vulnerability footprint and the one thing helping WordPress is the really nice feature of 1-button upgrades (and upgrades which don’t tend to break your website).
In other words, if you use WordPress or Joomla, get on the latest version as soon as possible. It’s unclear how widespread this attack is, but there is no excuse for using an insecure release of your content management system.
We have contacted both WordPress and Joomla. We will update this article if we hear back.
Update on December 13: Joomla has issued a statement.
To help protect against the type of attacks mentioned in this article, it is important for site administrators to ensure that both their core content management system as well as any installed extensions are kept current. Often when a Joomla site is compromised, the attack vector is a known vulnerability of an out-of-date extension. This can be easily prevented simply by keeping the site up to date.
Joomla has included a one-click update feature since January 2011 (version 1.6) for the Joomla core and Joomla extensions. This feature automatically notifies the site’s administrator whenever an update is available, and any updates can be completed with a simple mouse click. This makes it easy for Joomla users to stay up to date with the current version of Joomla’s core and installed extensions and be better protected against the type of attacks mentioned in this article.
WordPress did not reply.
Image credit: OGGHOO