Feb. 8, 2016 – posted
An unexpectedly large number of WordPress websites have been mysteriously compromised and are delivering the TeslaCrypt ransomware to unwitting end-users. Antivirus is not catching this yet.
In the last few days, malware researchers from Malwarebytes and other security firms have reported that a massive number of legit WordPress sites have somehow been compromised and are silently redirecting visitors to sites with the Nuclear Exploit Kit. It's not yet clear how the WordPress sites are getting infected, but it is highly likely that there is a new vulnerability that is being exploited in either WP or a very popular WP plugin.
"WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads," Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. "This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit."
5 Things To Do If You Run WordPress:
- Patch server operating systems.
- Patch WordPress.
- Get rid of as many WP plugins as possible and patch the current ones.
- Update all your WP instances at the same time to prevent cross-infections.
- Lock down all WP instances with a very strong password and the WP 2-factor authentication.
5 Things To Do To Protect Your End-Users:
- Keep workstation operating systems and 3rd party apps updated at all times.
- Backup your data and keep daily off-site backups. Regularly TEST, TEST, TEST if your restore function actually works. The latter is often overlooked.
- Provide end-users with the 64-bit version of Google Chrome if possible.
- Run the latest V5.5 of Microsoft's Enhanced Mitigation Experience Toolkit (EMET) on workstations.
- Step all users through effective security awareness training.
Article posted on Feb. 8, 2016 by KnowBe4 company.