Beware of Fake WordPress CVE-2023-45124 Phishing Scam
Attacks targeting WordPress websites have been reported from time to time. Most of them target plugin vulnerabilities to invade the website and implant malicious programs for control. A recent attack, on the other hand, was entirely different. Hackers took advantage of this and exploited it. To deceive administrators into installing backdoor plugins, they falsely declare that the WordPress website has vulnerabilities and require administrators to apply “patches” as soon as possible.
The security update plugin patch CVE-2023-45124 the hacker mentioned in the phishing email was a non-existent vulnerability. This scam was exposed because it did not provide any further details about the vulnerability. If the website administrators are unaware of that and fail to verify the credibility of the information, they will be taken to a fake WordPress website after they click the download button in the email. Once the administrators download and deploy the plugin provided by the hacker, the plugin will add a malicious administrator account with the username “wpsecuritypatch”. It then sends the site URL and generated password for this user back to a C2 domain: wpgate[.]zip. The plugin will hide the malicious administrator accounts, making it difficult for website administrators to detect their traces. Additionally, it downloads a separate backdoor from wpgate[.]zip and saves it with a filename of wp-autoload.php in the webroot. This separate backdoor includes a hardcoded password that includes a file manager, a SQL Client, a PHP Console, and a Command Line Terminal, in addition to displaying server environment information. This allows attackers to maintain persistence through multiple forms of access, granting them full control over the WordPress site as well as the web user account on the server.
Researchers analyzed the content of the malicious code and pointed out that the hackers can use the backdoor for subsequent attacks. Possible attacks include injecting advertisements on the website, redirecting users to malicious websites, launching DDoS attacks, stealing sensitive information, or allowing hackers to blackmail administrators.
If you receive this phishing email, do not click any links, including the Unsubscribe link, or install the plugin on your site. Always make sure the email is from a legitimate company before clicking any links. When in doubt, go directly to the source rather than clicking a potentially dangerous link.