The Wordfence Threat Intelligence team has been monitoring an ongoing exploit campaign targeting a recently disclosed vulnerability in WooCommerce Payments, a plugin installed on over 600,000 sites. Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023.
The exploit allows unauthenticated attackers to obtain administrative privileges on vulnerable websites, rating it a Critical CVSS score of 9.8. This makes it an appealing target, and this attack campaign confirms our original coverage of the vulnerability that predicted large-scale attacks.
All Wordfence users, including Wordfence free users, have been protected against this vulnerability since April 22, 2023 via a Firewall rule we developed to block exploit attempts. Wordfence Premium, Care, and Response sites received protection even earlier, on March 23, 2023. Versions 4.8.0 – 5.6.1 of the WooCommerce Payments plugin are vulnerable.
Readers can continue watching this and other trends on the Wordfence Intelligence dashboard, where it is currently the most heavily-attacked unique WordPress vulnerability.
Unlike many other large-scale campaigns which typically attack millions of sites indiscriminately, this one seems to be targeted against a smaller set of websites. What’s particularly interesting is that we began seeing early warning signs several days before the main wave of attacks – an increase in plugin enumeration requests searching for a readme.txt file in the wp-content/plugins/woocommerce-payments/ directory of millions of sites.
A chart showing total requests by date looking for readme.txt files indicating that WooCommerce Payments is installed vs attacks targeting WooCommerce Payments directly. The readme requests are a clear leading indicator.
A chart showing total sites scanned for WooCommerce Payments readme.txt files vs total sites attacked by day.
This is the clearest example we’ve seen so far of the value of our early warning firewall rules. While not all scans enumerating readme.txt files are malicious, which is why we do not block them by default, an uptick in searches for a particular plugin slug generally indicates increased interest from threat actors.
Tactics, Techniques, and Procedures (TTPs)
The vast majority of actual attacks come from the following IP addresses:
194.169.175.93– 213,212 sites attacked2a10:cc45:100::5474:5a49:bfd6:2007– 90,157 sites attacked103.102.153.17– 27,346 sites attacked79.137.202.106– 14,799 sites attacked193.169.194.63– 14,619 sites attacked79.137.207.224– 14,509 sites attacked193.169.195.64– 13,491 sites attacked
By contrast, the readme.txt requests were distributed over thousands of IP addresses – while nearly 5,000 IP addresses sent both readme.txt requests and actual attacks, each IP address that sent a readme.txt request only attacked a few, if any sites, so these IP addresses are not likely to be as useful to defenders.
Common to all exploits targeting the WooCommerce Payments vulnerability is the following header which causes vulnerable sites to treat any additional payloads as coming from an administrative user:
X-Wcpay-Platform-Checkout-User: 1
Many of the requests we’ve seen using this appear to be attempting to use their new administrative privileges to install the WP Console plugin, which can be used by an administrator to execute code on a site:
Pictured: A request attempting to install the wp-console plugin
Once the WP Console plugin is installed, attackers use it to execute malicious code and place a file uploader in order to establish persistence:
Pictured: A request attempting to use the wp-console plugin to execute malicious code in order to place an uploader
The payload in this particular example has an MD5 hash of fb1fd5d5ac7128bf23378ef3e238baba when saved to the victim filesystem, and the Wordfence scanner has provided detection for it since at least July 2021:
Pictured: The malicious payload
We have also seen attackers creating malicious administrator users with randomized alphanumeric usernames such as ‘ac9edbbe’.
As such, if your site has a vulnerable version of the WooCommerce payments plugin installed, we strongly recommend checking for any unauthorized plugins or administrator users, as they may indicate that your site has been compromised.
Conclusion
In today’s article, we covered a number of tactics, techniques, and procedures used in a large-scale attack against sites running WooCommerce Payments. These attacks demonstrate significantly more sophistication than similar attacks we’ve seen in the past, including reconnaissance ahead of the main wave of attacks and multiple methods of maintaining persistence using functionality available to administrator-level users.
All Wordfence users, including Wordfence Free, Wordfence Premium, Wordfence Care, and Wordfence Response users are fully protected against these exploits. Additionally, the Wordfence scanner can help detect compromises even on sites that did not have Wordfence installed at the time of compromise.
If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected. Please help make the WordPress community aware of this issue.
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.
If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.
Special thanks to Wordfence Threat Intelligence Lead Chloe Chamberland for assistance with this article
The post Massive Targeted Exploit Campaign Against WooCommerce Payments Underway appeared first on Wordfence.
