WordPress and Joomla are becoming popular for attackers to target sites on these platforms for hacking and injecting malicious content.
Over the past few weeks, Zscaler’s ThreatLabZ researchers detected several WordPress and Joomla sites serving Shade/Troldesh ransomware, backdoors, redirectors, and a variety of phishing pages.
The most well-known threats to the content management system (CMS) sites are the result of vulnerabilities introduced by plugins, themes, and extensions.
Along those lines, Shade/Troldesh ransomware and phishing pages were the focus of Zscaler research last month on several hundred compromised CMS sites.
Shade ransomware has been active and the security firm been seeing compromised WordPress and Joomla sites being used to spread the ransomware, said Mohd Sadique, a researcher at Zscaler in a post.
“The compromised WordPress sites we have seen are using versions 4.8.9 to 5.1.1 and they use SSL certificates issued by Automatic Certificate Management Environment (ACME)-driven certificate authorities, such as Let’s Encrypt, GlobalSign, cPanel, and DigiCert, among others. These compromised WordPress sites may have outdated CMS plugins/themes or server-side software which potentially could also be the reason for the compromise,” Sadique said.
“During the past month, our cloud blocked transactions for compromised WordPress and Joomla due to Shade ransomware payloads (13.6 percent) and phishing pages (27.6 percent), with the remaining blocks due to coinminers, adware, and malicious redirectors,” he said.
Attackers are favoring a well-known hidden directory present on the HTTPS website for storing and distributing Shade ransomware and phishing pages.
The hidden /.well-known/ directory in a website is a URI prefix for well-known locations defined by IETF and commonly used to demonstrate ownership of a domain, Sadique said. The administrators of HTTPS websites that use ACME to manage SSL certificates place a unique token inside the /.well-known/acme-challenge/ or /.well-known/pki-validation/ directories to show the certificate authority (CA) they control the domain. The CA will send them specific code for an HTML page that must be located in this particular directory. The CA will then scan for this code to validate the domain.
The attackers use these locations to hide malware and phishing pages from the administrators. The tactic is effective because this directory is already present on most HTTPS sites and is hidden, which increases the life of the malicious/phishing content on the compromised site, Sadique said.