While everyone was worrying about the holiday influx of POS malware, a cybercriminal group quietly exploited a plug-in vulnerability with the mysterious SoakSoak malware and infected at least 100,000 sites utilizing WordPress’s content management system.
Researchers with security firm Sucuri discovered the malware campaign in mid-December, noting that it leveraged a flaw within a Slider Revolution plug-in that was originally disclosed in early September. The SoakSoak attack causes sites infected with the malware to load highly obfuscated malicious code on every webpage that includes the RevSlider plug-in, causing pages to download the payload from a Russian domain. Once it gains access, the malware uploads a backdoor and infects all other sites that share the same server account.
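The two symptoms described above (every page pulling script from a foreign host, and obfuscated code injected inline) can be checked for from a site owner's side without knowing the exact payload. The following is an added example, not Sucuri's scanner or any code from the original article: it parses a rendered page, flags script tags whose host is neither the site itself nor an explicitly trusted host, and applies generic obfuscation heuristics (keyword hits, long escape runs, character entropy) to inline scripts. The HTML samples, host names and thresholds are constructed for illustration and are not SoakSoak-specific signatures.

```python
"""Audit a rendered WordPress page for foreign script sources and obfuscated
inline JavaScript.  Added example; hosts, samples and thresholds are constructed."""
import math
import re
from collections import Counter
from html.parser import HTMLParser
from typing import List, Set, Tuple
from urllib.parse import urlparse

# Generic signs of packed/obfuscated JavaScript; two or more hits flag a block.
OBFUSCATION_HINTS = [re.compile(p, re.IGNORECASE) for p in (
    r"\beval\s*\(", r"\bunescape\s*\(", r"fromCharCode", r"document\.write\s*\(",
    r"(?:\\x[0-9a-f]{2}){8,}", r"(?:%[0-9a-f]{2}){8,}")]
ENTROPY_MIN_LEN = 200    # only judge entropy on reasonably long inline blocks
ENTROPY_THRESHOLD = 5.0  # bits per character (constructed cut-off for this example)


class _Scripts(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""
    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []
        self.inline: List[str] = []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_obfuscated(js: str) -> bool:
    hits = sum(1 for p in OBFUSCATION_HINTS if p.search(js))
    high_entropy = len(js) >= ENTROPY_MIN_LEN and shannon_entropy(js) > ENTROPY_THRESHOLD
    return hits >= 2 or high_entropy


def audit_page(html: str, site_host: str, allowed_hosts: Set[str] = frozenset()) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings: 'external-script' or 'obfuscated-inline'."""
    parser = _Scripts()
    parser.feed(html)
    parser.close()
    trusted = {site_host.lower()} | {h.lower() for h in allowed_hosts}
    findings: List[Tuple[str, str]] = []
    for src in parser.srcs:
        host = urlparse(src).hostname  # None for relative URLs, i.e. same origin
        if host and host.lower() not in trusted:
            findings.append(("external-script", src))
    for js in parser.inline:
        if looks_obfuscated(js):
            findings.append(("obfuscated-inline", js.strip()[:60]))
    return findings


# Constructed sample pages: a clean one and the same page with an injected loader.
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script>document.addEventListener("DOMContentLoaded", function () { console.log("ready"); });</script>
</head><body><p>Hello</p></body></html>"""

INFECTED_PAGE = CLEAN_PAGE.replace("</head>", """<script src="http://static.malicious-example.test/payload.js"></script>
<script>eval(unescape("%73%61%6d%70%6c%65%2d%70%61%79%6c%6f%61%64"));</script>
</head>""")

if __name__ == "__main__":
    for kind, detail in audit_page(INFECTED_PAGE, "blog.example.org", {"cdn.example.net"}):
        print(f"{kind}: {detail}")
```

Run it against pages fetched from each site on a shared hosting account, not only the one you noticed, since the post notes the backdoor spreads to every site under the same server account. Keep the allowed-host set small and explicit; every host outside it deserves a look, whether or not the heuristics also fire.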
Malware hiding in bundled WordPress themes
Sucuri analysts noted in a blog post about the attack that part of what makes the malware so dangerous is many administrators don’t know they’re using the plug-in and therefore won’t take steps to protect their site against an attack.
“The biggest issue is that the RevSlider plug-in is a premium plug-in, it’s not something everyone can easily upgrade and that in itself becomes a disaster for website owners,” Sucuri stated in a blog post. “Some website owners don’t even know they have it as it’s been packaged and bundled into their themes. We’re currently remediating thousands of sites and when engaging with our clients many had no idea the plug-in was even within their environment.”
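Because the plug-in is often shipped inside a theme rather than installed on its own, the first defensive step is an inventory. Below is an added example (not Sucuri's tooling and not from the original post) that walks a WordPress install, reads the standard WordPress plugin header lines "Plugin Name:" and "Version:", and reports every Slider Revolution copy it finds, including unpacked copies and .zip archives sitting under wp-content/themes. The directory layout, file names and version numbers in the sample tree are constructed; the minimum version you compare against should come from the vendor's current release notes, which this page does not state.

```python
"""Inventory every copy of Slider Revolution (RevSlider) under a WordPress root,
including theme-bundled copies.  Added example; sample tree is constructed."""
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

NAME_PATTERN = re.compile(r"slider[-_ ]?revolution|revslider", re.IGNORECASE)
HEADER_NAME = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
HEADER_VERSION = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
HEADER_BYTES = 8192  # WordPress itself reads only the first 8 KB for plugin headers


def _header(text: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (plugin name, version) when the header names RevSlider, else (None, None)."""
    head = text[:HEADER_BYTES]
    m = HEADER_NAME.search(head)
    if not m or not NAME_PATTERN.search(m.group(1)):
        return None, None
    v = HEADER_VERSION.search(head)
    return m.group(1), (v.group(1) if v else None)


def _zip_header(path: str) -> Tuple[Optional[str], Optional[str]]:
    """Inspect PHP files inside a bundled zip without unpacking it to disk."""
    try:
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if info.filename.endswith(".php") and info.file_size < 2_000_000:
                    name, ver = _header(zf.read(info).decode("utf-8", "replace"))
                    if name:
                        return name, ver
    except (OSError, zipfile.BadZipFile):
        pass
    return None, None


def find_revslider(wp_root: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (relative path, kind, version) for each copy found."""
    findings = []
    themes = os.path.abspath(os.path.join(wp_root, "wp-content", "themes"))
    for root, _dirs, files in os.walk(wp_root):
        bundled = os.path.abspath(root).startswith(themes)
        for fname in files:
            full = os.path.join(root, fname)
            if fname.endswith(".php"):
                try:
                    with open(full, encoding="utf-8", errors="replace") as fh:
                        name, ver = _header(fh.read(HEADER_BYTES))
                except OSError:
                    continue
                if name:
                    findings.append((os.path.relpath(root, wp_root),
                                     "theme-bundled" if bundled else "plugin", ver))
            elif fname.lower().endswith(".zip") and NAME_PATTERN.search(fname):
                name, ver = _zip_header(full)
                if name:
                    findings.append((os.path.relpath(full, wp_root),
                                     "theme-zip" if bundled else "zip", ver))
    return findings


def is_older(version: str, minimum: str, width: int = 4) -> bool:
    """Numeric dotted-version compare, padded so '4.2' equals '4.2.0'."""
    def key(v: str):
        parts = [int(p) for p in re.findall(r"\d+", v)]
        return tuple((parts + [0] * width)[:width])
    return key(version) < key(minimum)


SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Slider Revolution\nVersion: {v}\n*/\n"


def build_sample_install(base: str) -> None:
    """Constructed sample tree: an installed plugin, a theme with an unpacked copy,
    a theme shipping a zip, and an unrelated plugin that must not match."""
    layout = {
        "wp-content/plugins/revslider/revslider.php": SAMPLE_HEADER.format(v="1.2.3"),
        "wp-content/plugins/other-plugin/other.php": "<?php\n/*\nPlugin Name: Other\nVersion: 9.9\n*/\n",
        "wp-content/themes/sample-theme/plugins/revslider/revslider.php": SAMPLE_HEADER.format(v="1.0.0"),
    }
    for rel, text in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    zpath = os.path.join(base, "wp-content/themes/another-theme/inc/revslider.zip")
    os.makedirs(os.path.dirname(zpath), exist_ok=True)
    with zipfile.ZipFile(zpath, "w") as zf:
        zf.writestr("revslider/revslider.php", SAMPLE_HEADER.format(v="1.1.0"))


def run_demo(minimum: str = "1.2.0") -> List[Tuple[str, Optional[str], bool]]:
    """Build the sample tree in a temp dir; return sorted (kind, version, outdated)."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_install(base)
        return sorted((kind, ver, is_older(ver, minimum) if ver else True)
                      for _path, kind, ver in find_revslider(base))


if __name__ == "__main__":
    for kind, ver, outdated in run_demo():
        print(f"{kind:14s} version={ver} outdated={outdated}")
```

A copy with no readable version header is reported as outdated on purpose: an unknown version is the case the post warns about, and a theme-bundled copy cannot be updated through the usual plug-in update path, so the theme vendor's update is the fix for those entries.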
Researchers have said that multiple files related to the SoakSoak malware have been seen in the wild. So far three separate files have been used to further the malicious campaign. The attacks target Firefox and the most recent version of Internet Explorer, suggesting that a zero-day vulnerability is being exploited in these browsers. According to Threatpost contributor Chris Brook, the site the malware is being pulled from is currently offline, signaling that the malicious actors behind the attacks may not have been prepared for such an effective campaign.
Campaign hoping for widespread infections
More than 70 million sites currently run on WordPress, and RevSlider is one of the platform’s most popular plug-ins, so the official number of sites infected with the SoakSoak malware will likely continue to increase in the coming days. In order to remove the malware from an exploited system, administrators must delete the related files and update the plug-in to the newest version, which includes a patch.
Security analysts have yet to determine the motive behind the malware campaign, but theft of sensitive data and financial gain are likely reasons. Enterprises all over the world are being increasingly targeted by cybercriminals, but companies in the U.S. appear to have taken the brunt of the attacks. These hacks are becoming more damaging and resulting in the loss of millions of dollars. According to a recent report published by PricewaterhouseCoopers, a large enterprise loses an average of $5.9 million as a result of a data breach.
Protecting enterprise networks against data breaches
In a recent blog post, Trend Micro researcher Bob Corson suggested three steps companies can take to defend more effectively against malicious actors. First, it’s important to understand which information cybercriminals are likely to target and how they’ll attempt to leverage it. This provides an objective view of data assets and enables organizations to give sufficient protection to the most vulnerable files. Second, companies need to operate on the assumption that a breach will happen eventually. Accepting this encourages IT decision-makers to employ more comprehensive security solutions rather than only programs designed for specific purposes.
Finally, enterprises need to establish broader network detection to identify early warning signs of a breach. As more mobile devices are added to enterprise networks and endpoints grow more numerous, malicious actors gain multiple ways to reach sensitive systems and information. Trend Micro researchers call protecting all endpoints on a network “360 degrees of detection,” and it is a necessary step for sufficient security. Being able to detect network exploits, advanced malware or suspicious behavior that may suggest a hack is critical to the cyber health of a business.