An ongoing malvertising campaign is targeting an unauthenticated stored cross-site scripting (XSS) vulnerability in the Coming Soon Page & Maintenance Mode WordPress plugin according to Wordfence's Defiant Threat Intelligence team.
The malvertising campaign detected by Wordfence causes compromised WordPress sites "to display unwanted popup ads and redirect visitors to malicious destinations, including tech support scams, malicious Android APKs, and sketchy pharmaceutical ads."
On each payload execution, the targets will be automatically redirected to a second domain that sends them to a third destination URL based on the type of device the visitor uses by checking the browser's User-Agent string, with a cookie also used to track returning victims.
"The eventual destination sites vary in scope and intent. Some redirects land users on typical illegitimate ads for pharmaceuticals and pornography, while others attempt direct malicious activity against the user’s browser," found Wordfence.
"Once everything has triggered, the victim’s browser will open a selected address in a new tab the next time they click or tap the page," adds Wordfence.
The XSS injection attacks launched by the threat actors operating this campaign are originating from IP addresses connected to popular hosting providers, obfuscated PHP shells with limited functionality being employed by the attackers to launch XSS attacks by proxy via arbitrary commands.
Attackers are "using a small array of compromised sites to perform these attacks in order to conceal the source of their activities" and they will most likely "leverage any similar XSS vulnerabilities that may be disclosed in the near future," Wordfence concludes.
More details on the inner workings of these attacks, as well as indicators of compromised (IOCs) including malware hashes, domains, and attacking IP addresses, are provided by the Defiant Threat Intelligence team at the end of their malvertising campaign report.
This is not a novel campaign, with similar campaigns exploiting vulnerabilities in the Social Warfare, Yellow Pencil Visual Theme Customizer, Easy WP SMTP, and Yuzo Related Posts plugins installed on tens of thousands of WordPress sites.
In the case of those attacks, the exploits were also using malicious scripts hosted on an attacker-controlled domain, with the same bad actor being behind all four campaigns.
In December 2018, a large botnet consisting of over 20,000 WordPress sites was used to attack and infect other WordPress websites which were also added to the botnet once compromised.
The botnet was used by its operators to brute force the logins of other WordPress sites, with over 5 million authentication brute-force attempts being blocked and over 14,000 proxy servers used to anonymize their C2 commands being detected during the attacks.