Wordfence experts report that attackers have come up with a new way to compromise WordPress sites. The attackers use poorly secured WordPress.com accounts. They done it with the help of Jetpack plugin that install backdoor plugins on various sites.
In the first stage of the attack, hackers brute-force a username and password. Various large databases of leaks are the source of credentials. These leaks are suitable for the WordPress.com account. Since the problem of password reuse is still one of the main weaknesses of users. There is no shortage of such accounts for attackers.
It is worth noting here that, to manage blogs hosted on the Automatic platform they primarily used WordPress.com accounts . That is the reason they are different from WordPress.org accounts or the administrative accounts of individual WordPress CMS sites.
However, a few years ago, the developers of Automatic presented the open source analytical plugin Jetpack to the public. It was based on the version that on WordPress.com. Now the open source version of this plugin is overgrown. Administrators of stand-alone WordPress sites widely used its has useful features.
One of the features of the Jetpack plugin is the ability to establish a link between an individual WordPress site and a WordPress.com account. Webmasters used Jetpack dashboard (directly from within WordPress.com) . Different people manage hundreds of WordPress sites at the same time from one location. To do this, you need to install Jetpack on every site.However, WordPress.com offers the option to install Jetpack directly from its dashboard. Moreover, the plugin does not even have to be hosted in the official WordPress.org repository. It gave attackers the ability to upload an arbitrary ZIP file containing malicious code to websites.
The exact amount of affected resources is unknown.The researchers note that even detecting such an attack is very difficult. The fact is that malicious plugins are visible in the WordPress.com dashboard. These are “invisible” in the list of plugins on the affected sites themselves. As a result, experts urge site owners who also have WordPress.com accounts to check the list of installed plugins.If necessary, remove malicious solutions, change passwords and enable two-factor authentication.