– The core reason for the compromise of WordPress and Joomla sites could be unpatched vulnerabilities and outdated plugins, themes, or extensions.
– Attackers are leveraging a well-known hidden directory present on the HTTPS site for storing and distributing Shade ransomware and phishing pages.
What is the issue – Researchers from ThreatLabZ have detected several compromised Content Management Sites (CMS) such as WordPress and Joomla that were serving Shade ransomware, backdoors, redirectors, and a variety of phishing pages.
Why it matters – Attackers are compromising CMS sites and are injecting malicious content.
Worth noting – The core reason for the compromise of WordPress and Joomla sites could be unpatched vulnerabilities and outdated plugins, themes, and extensions.
Researchers noted that the compromised WordPress sites are using versions 4.8.9 to 5.1.1 and are most likely to be using outdated CMS themes or server-side software.
The big picture
ThreatLabZ monitored the compromised HTTPS sites and noticed that attackers are leveraging a well-known hidden directory present on the HTTPS site for storing and distributing Shade ransomware and phishing pages.
“The hidden /.well-known/ directory in a website is a URI prefix for well-known locations defined by IETF and commonly used to demonstrate ownership of a domain. The administrators of HTTPS websites that use ACME to manage SSL certificates place a unique token inside the /.well-known/acme-challenge/ or /.well-known/pki-validation/ directories to show the certificate authority (CA) that they control the domain,” researchers described.
– The certificate authority will send a specific code for an HTML website that must be located in this particular directory.
– The CA will then scan for this code to validate the domain.
– Attackers use these locations to hide malware and phishing pages.
The technique is very effective because this directory is already present on most HTTPS sites and is hidden.
How attackers distribute the Shade ransomware?
– Attackers distribute Shade ransomware via malspam phishing campaign.
– The phishing emails disguised as an order update purport to come from a Russian organization.
– The emails include a ZIP attachment or a link to an HTML redirector page which downloads the ZIP file.
Which phishing pages are propogated?
Researchers detected spoofed phishing pages related to Office 365, Microsoft, DHL, Dropbox, Bank of America, Yahoo, Gmail, etc hosted in the SSL-validated hidden directories.
Written By: Ryan Stewart
Ryan is a senior cybersecurity and privacy analyst. He keenly follows the innovation and development in cybersecurity technologies, and loves to educate everyone about the what, why, and how of major incidents in the cybersecurity world.