Hacker Groups Defaced Over 68,000 Websites Running On WordPress 4.7.1 Or Less


Four hacking groups have launched campaigns to hack and deface websites running on WordPress version 4.7 or 4.7.1. The hackers have already defaced roughly 68,000 websites by exploiting the WordPress REST API vulnerability.

Fig: Defaced Website

The hackers are exploiting the WordPress REST API vulnerability, which allows a remote attacker to craft an HTTP request that pings a REST API endpoint and alters titles and content on the user’s website.

The vulnerability has been public for less than a week and is now being actively exploited. Currently, the groups are using the REST API flaw to deface websites with messages like “Hacked by NG689Skw” or “Hacked by w4l3XzY3” or similar. Of the four hacker groups, the group operating under the pseudonym w4l3XzY3 has been more vocal, infecting around 66,000 websites.

Fig: Hacker groups and their associated IPs

On the 26th of January, WordPress released version 4.7.2 to fix four different vulnerabilities, including the one being exploited in the campaign. However, WordPress kept the vulnerability secret at the time and published the details only last Monday.

Since the vulnerability became public, the attacks have been slowly growing, reaching almost 3,000 defacements per day.

Fig: Defacement attempts via REST API flaw over time

“We intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites,” said the WordPress Security Team Lead in a statement.

According to web security firm Sucuri, which detected the attacks, in less than 48 hours after the vulnerability was disclosed, multiple public exploits had been shared and posted online.

For website owners, WordPress advises updating to WordPress 4.7.2 as soon as possible.
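
For site owners triaging their own servers, the following is an added example (not code from Sucuri or WordPress) that checks an installed version against the affected releases and scans a web access log for successful write requests to the REST API. It assumes logs in the Apache/nginx combined format and that content changes go through the core posts route `/wp-json/wp/v2/posts/<id>`, which the article does not name; the log lines and IP addresses are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Versions the article names as affected; 4.7.2 carries the fix.
AFFECTED_VERSIONS = {"4.7", "4.7.1"}

# Assumption: post content is modified through the core posts route, reachable
# as /wp-json/wp/v2/posts/<id> or via the ?rest_route= query parameter.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
POSTS_ROUTE = re.compile(r"(?:/wp-json|[?&]rest_route=)/wp/v2/posts/\d", re.I)

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def needs_update(version):
    """True if the installed version is one the article lists as affected."""
    return version.strip() in AFFECTED_VERSIONS

def suspicious_writes(lines):
    """Count successful (2xx) write requests to the posts route per source IP.

    Hits are leads to review, not proof: logged-in editors can also write here.
    """
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line
        path = unquote(m["path"])  # catch percent-encoded rest_route values
        if (m["method"] in WRITE_METHODS and m["status"].startswith("2")
                and POSTS_ROUTE.search(path)):
            hits[m["ip"]] += 1
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Feb/2017:10:01:02 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 512 "-" "curl"',
    '203.0.113.7 - - [06/Feb/2017:10:01:05 +0000] "POST /index.php?rest_route=%2Fwp%2Fv2%2Fposts%2F13 HTTP/1.1" 200 498 "-" "curl"',
    '198.51.100.4 - - [06/Feb/2017:10:02:00 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 2048 "-" "Mozilla"',
    '198.51.100.9 - - [06/Feb/2017:10:03:00 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 401 120 "-" "python"',
]

if __name__ == "__main__":
    print("update needed:", needs_update("4.7.1"))
    print(suspicious_writes(SAMPLE_LOG).most_common())
```

Any flagged request should be compared against post revision history and known editor sessions before it is treated as a defacement attempt.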