Security researchers have detected a major attack campaign targeting WordPress sites. The objective of this campaign is to find sites that use the Kaswara Modern WPBakery Page Builder extension. Within days, over 1.6 million sites were scanned.
Cybercriminals are looking for websites that use the Kaswara Modern WPBakery Page Builder extension, which was abandoned by its author following the discovery of a critical security flaw tracked as CVE-2021-24284. This vulnerability is not new: its discovery dates back to May 14, 2021.
Why is this vulnerability of such interest to hackers? By exploiting it, an attacker can inject malicious JavaScript code on a site that uses this extension (regardless of the version) with the aim of uploading files, deleting them, and thus ultimately taking full control of the compromised site. When a file is uploaded by exploiting this vulnerability, it ends up in the “wp-content/uploads/kaswara/fonts_icon” directory, and hackers typically use the following names in connection with this campaign: “inject.zip”, “king_zip.zip”, “null.zip”, “plugin.zip”, and “***_young.zip”.
According to telemetry from the Wordfence protection solution, hackers have scanned over 1.6 million sites since the start of this campaign, and only a small portion of those sites were vulnerable. Also according to Wordfence data, about 500,000 sites are scanned per day, so at this rate, sites where this plugin is present will be detected at some point.
As for the origin of the attacks, the source IP addresses are very numerous: 10,215 distinct IP addresses to date. As the ranking below shows, some IP addresses are much more active than others. These “Top 10” IP addresses can be blocked by CrowdSec if you are using a WordPress site.
The Kaswara Modern WPBakery Page Builder extension is no longer maintained, so the only way to protect yourself is to remove the extension from your site. Be careful: this does not apply to the “WPBakery Page Builder for WordPress” extension itself.
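To check a site against the details above, the following added example (not code from Wordfence or the original article) reports whether the plugin is still installed and lists files in the upload directory, separating the archive names cited for this campaign from everything else. It assumes the plugin sits in a directory named `kaswara` under `wp-content/plugins`, treats the `***` in “***_young.zip” as a wildcard, and uses a constructed sample tree for the demo.

```python
import os
import tempfile

# Upload directory and archive names reported on this page for the campaign.
UPLOAD_DIR = os.path.join("wp-content", "uploads", "kaswara", "fonts_icon")
KNOWN_NAMES = {"inject.zip", "king_zip.zip", "null.zip", "plugin.zip"}
YOUNG_SUFFIX = "_young.zip"  # page lists "***_young.zip"; prefix treated as a wildcard
# Assumption: the plugin lives in a directory named "kaswara" under plugins/.
PLUGIN_DIR = os.path.join("wp-content", "plugins", "kaswara")


def audit_site(wp_root):
    """Report Kaswara exposure for one WordPress document root."""
    report = {
        "plugin_present": os.path.isdir(os.path.join(wp_root, PLUGIN_DIR)),
        "campaign_files": [],  # names matching the campaign's archives
        "other_files": [],     # anything else in the upload directory, for review
    }
    upload_path = os.path.join(wp_root, UPLOAD_DIR)
    for dirpath, _dirs, files in os.walk(upload_path):  # yields nothing if absent
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), wp_root)
            lowered = name.lower()
            hit = lowered in KNOWN_NAMES or lowered.endswith(YOUNG_SUFFIX)
            report["campaign_files" if hit else "other_files"].append(rel)
    report["campaign_files"].sort()
    report["other_files"].sort()
    return report


def build_sample_site(root):
    """Create a constructed sample tree (not data from a real site)."""
    os.makedirs(os.path.join(root, PLUGIN_DIR))
    fonts = os.path.join(root, UPLOAD_DIR)
    os.makedirs(os.path.join(fonts, "extracted"))
    for rel in ("inject.zip", "a_young.zip", "icons.css", "extracted/readme.txt"):
        with open(os.path.join(fonts, *rel.split("/")), "w") as fh:
            fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        result = audit_site(tmp)
        print("plugin present:", result["plugin_present"])
        for path in result["campaign_files"]:
            print("campaign file:", path)
        for path in result["other_files"]:
            print("review:", path)
```

Pass each site's document root as `wp_root`. Files left in the upload directory are reported even when the plugin directory has already been removed, so read both fields.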