
Attacks on WordPress sites using a vulnerability in the REST API, patched in WordPress version 4.7.2, have intensified over the past two days, as attackers have now defaced over 1.5 million pages, spread across 39,000 unique domains.

Initial attacks using the WordPress REST API flaw were reported on Monday by web security firm Sucuri, which said four groups of attackers had defaced over 67,000 pages.

The number grew to over 100,000 pages the next day, but according to a report from fellow web security firm WordFence, these numbers have skyrocketed today to over 1.5 million pages, as there are now 20 hacking groups involved in a defacement turf war.

Mass defacements started this week

The vulnerability at the core of this series of attacks is a bug discovered by Sucuri researchers, which the WordPress team fixed with the release of WordPress 4.7.2 on January 26.

According to Sucuri, attackers can craft simple HTTP requests that bypass the REST API's authentication checks and edit the titles and content of WordPress pages. The vulnerability only affects sites running WordPress versions 4.7.0 and 4.7.1.
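Since the attack is an unauthenticated write to the REST API content endpoints, a site owner can hunt for it in ordinary web server access logs. The following is an added example (not code from the article, Sucuri or WordFence) that scans constructed combined-format log lines for write-method requests to the `/wp-json/wp/v2/posts` and `pages` endpoints, reports which ones the server accepted, and checks whether a reported WordPress version is one of the affected releases; the log lines and IP addresses are made up for the example.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format is assumed; only the leading fields are parsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# REST API content endpoints, reachable either as /wp-json/... (pretty permalinks)
# or via the ?rest_route=/... query variable on sites without them.
EDIT_PATH_RE = re.compile(r'(?:/wp-json/|rest_route=/)wp/v2/(?:posts|pages)/\d+')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample log lines for the demonstration (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Feb/2017:10:12:01 +0000] "GET /wp-json/wp/v2/posts/42 HTTP/1.1" 200 1832
203.0.113.5 - - [06/Feb/2017:10:12:03 +0000] "POST /wp-json/wp/v2/posts/42 HTTP/1.1" 200 2104
198.51.100.7 - - [06/Feb/2017:10:13:11 +0000] "POST /index.php?rest_route=/wp/v2/posts/43 HTTP/1.1" 401 116
192.0.2.9 - - [06/Feb/2017:10:14:00 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0
""".splitlines()


def needs_patch(version):
    """True for the releases the article names as affected (4.7.0 reports itself as '4.7')."""
    return version.strip() in {"4.7", "4.7.0", "4.7.1"}


def flag_rest_edits(lines):
    """Return (hits, accepted_per_ip): every write-method request to a post/page
    REST endpoint, plus a count of those answered with a 2xx status, keyed by client IP.
    A 2xx on such a request from a client that never logged in is what a defacement
    through this flaw looks like from the web server's side."""
    hits, accepted_per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS or not EDIT_PATH_RE.search(m["path"]):
            continue
        accepted = m["status"].startswith("2")
        hits.append({"ip": m["ip"], "method": m["method"], "path": m["path"],
                     "status": int(m["status"]), "accepted": accepted})
        if accepted:
            accepted_per_ip[m["ip"]] += 1
    return hits, accepted_per_ip


if __name__ == "__main__":
    found, by_ip = flag_rest_edits(SAMPLE_LOG)
    for h in found:
        print(("ACCEPTED " if h["accepted"] else "rejected ") + f'{h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("accepted edits per IP:", dict(by_ip))
```

Legitimate editors also write through these endpoints, so treat the output as a triage list to correlate with known admin addresses and login activity rather than as proof of compromise.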

Initially, the vulnerability was deemed very high-risk, and the WordPress security team kept it a secret for almost a week, allowing a large number of WordPress site owners to update their CMS before attacks began.

Nonetheless, WordPress and Sucuri experts realized they couldn't keep this a secret indefinitely, and after a week, both teams revealed that the WordPress 4.7.2 release had silently included a fix for the WordPress REST API flaw.

Sucuri's initial fears became reality a few days later, as both Sucuri and WordFence started seeing attacks leveraging the REST API flaw against sites the two were protecting.

Defacement attempts via REST API flaw over time (via Sucuri)
Defacement attempts via REST API flaw over time (via WordFence)

As time passed, the number of attacks against the REST API flaw grew, and it became clear to both companies that attackers had discovered how to exploit the flaw on sites that were left without an update, although nobody expected such a sharp rise in hacked pages in so short a time.

"This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites," said Mark Maunder, Wordfence Founder and CEO. "During the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor."

Hacking groups engaging in recent WordPress defacements

In reality, the number of attacks is much higher, given that not all sites are protected by WordFence and Sucuri firewalls.

WordPress REST API flaw at the heart of recent defacement attacks

According to Maunder, the REST API flaw breathed new life into the activity of many defacers, a term used to describe hackers who take over websites and rewrite the content of pages.

Google Trends data for the signature (name) of each of these hacking crews shows sharp increases in popularity and mentions for various groups right after Sucuri revealed the REST API flaw in a blog post at the start of February.

WordPress REST API attacks reflected in Google Trends (via WordFence)

Most of the defaced sites are easily reachable via a Google query, just by searching for the hacking group's name. All the defacements so far are a simple image or some text, but Sucuri CTO Daniel Cid believes this will change once more capable SEO spamming groups get involved.

Defaced websites indexed by Google

At the time of writing, there is a feeding frenzy over defacing unpatched WordPress sites, with many groups rewriting each other's defacement messages.

We've seen similar behavior in the recent database ransom attacks targeting MongoDB servers, where different groups were rewriting each other's ransom notes.

Over the weekend, Google also warned WordPress website owners registered in the Google Search Console. Google attempted to send security alerts to all WordPress 4.7.0 and 4.7.1 website owners, but some emails reached WordPress 4.7.2 owners, some of which misinterpreted the email and panicked, fearing their site might lose search engine ranking.