Wordfence reports a recent surge in cross-site scripting (XSS) attacks targeting approximately 900,000 WordPress websites. The attacks peaked at 30 times the typical daily volume between April 28, 2020, and May 3, 2020, and they rely on exploiting known, already patched vulnerabilities. Wordfence has recorded a large number of launching points, with 24,000 distinct IP addresses involved in this campaign. A common indicator of compromise across all cases is the “hjt689ig9” or “trackstatisticsss” string, while the most active IP addresses were “185.189.13.165,” “198.154.112.83,” and “89.179.243.3.”
The vulnerabilities that are being exploited right now are mainly the following:
As the above makes clear, defending against this large-scale campaign is as simple as updating all of your WordPress themes and plugins and removing those that are no longer supported by their authors. Sure, this could affect their functionality, break something on the site, or deprive you of features that are no longer available in the newest versions. Still, these drawbacks are not worth risking your site's security.
The actors in this campaign inject a malicious PHP backdoor into the theme’s header file, then plant JavaScript that fetches additional payloads from “trackstatisticsss.” By doing this, they aim to gain full control over the website: change its contents, embed web shells, create new admin users, or simply delete the site. The JavaScript rechecks whether the WordPress website is still infected every 6,400 seconds, and if it is not, it attempts to reinfect it.
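The indicators above can be turned into a quick site check. The following is an added example (not Wordfence’s tooling or code from the original report): it inspects each theme’s `header.php`, where the report says the backdoor is planted, for the two indicator strings, and flags access-log lines from the three most active IP addresses. The directory layout and the log lines in `demo()` are constructed for the example.

```python
import os
import tempfile

# Indicators quoted in the Wordfence report summarised above.
INDICATOR_STRINGS = ("hjt689ig9", "trackstatisticsss")
INDICATOR_IPS = {"185.189.13.165", "198.154.112.83", "89.179.243.3"}


def scan_theme_headers(wp_root):
    """Return (path, indicator) pairs for theme header files containing a known string."""
    hits = []
    themes_dir = os.path.join(wp_root, "wp-content", "themes")
    if not os.path.isdir(themes_dir):
        return hits
    for theme in sorted(os.listdir(themes_dir)):
        # The campaign targets the theme's header file, so only header.php is read.
        header = os.path.join(themes_dir, theme, "header.php")
        if not os.path.isfile(header):
            continue
        with open(header, "r", errors="replace") as fh:
            content = fh.read()
        for indicator in INDICATOR_STRINGS:
            if indicator in content:
                hits.append((header, indicator))
    return hits


def flag_log_lines(lines):
    """Return common-log-format lines whose client IP is one of the reported addresses."""
    return [line for line in lines if line.split(" ", 1)[0] in INDICATOR_IPS]


def demo():
    """Build a constructed WordPress tree with one tampered header.php, then scan it."""
    root = tempfile.mkdtemp()
    themes = (("clean", "<?php wp_head(); ?>"),
              ("tampered", "<?php wp_head(); ?><!-- trackstatisticsss -->"))
    for theme, body in themes:
        theme_dir = os.path.join(root, "wp-content", "themes", theme)
        os.makedirs(theme_dir)
        with open(os.path.join(theme_dir, "header.php"), "w") as fh:
            fh.write(body)
    # Constructed access-log lines; only the first comes from a reported IP.
    log = [
        '198.154.112.83 - - [29/Apr/2020:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 -',
        '10.0.0.5 - - [29/Apr/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 -',
    ]
    return scan_theme_headers(root), flag_log_lines(log)


if __name__ == "__main__":
    print(demo())
```

Run it against a real install by calling `scan_theme_headers("/path/to/wordpress")` and feeding your web server’s access log to `flag_log_lines`; a hit means the file or traffic deserves a closer look, not that the site is confirmed compromised.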