Email automation and delivery service Mailgun was one of the many companies hacked today as part of a massive coordinated attack against WordPress sites.
The vulnerability allowed hackers to inject malicious script into vulnerable sites, which they then used to redirect incoming visitors to all sorts of nasties: tech support scams, sites peddling malware-laced software updates, or plain old spammy pages showing ads.
Some technical info – redirected to searchnotifyfriends dot info using a WordPress plugin. Large traffic spike to domain, from Cisco Umbrella data: pic.twitter.com/nzsC5WQK0r
— Kevin Beaumont 🧝🏽♀️ (@GossiTheDog) April 10, 2019
Mailgun was just one of many random victims of these attacks. Other site owners reported similar issues with their sites on the Yuzo Related Posts plugin’s support forum on WordPress.org [1, 2, 3], and on other web-dev discussion forums, such as Stack Overflow.
Researcher dropped zero-day exploit online without warning
Today’s massive hacking campaign could have been avoided if only the web developer who found the vulnerability in the Yuzo Related Posts plugin had reported it to the plugin’s author instead of publishing proof-of-concept code online.
As a result of the proof-of-concept code being made public, the plugin was removed from the official WordPress Plugins repository the same day, preventing new downloads until a patch became available.
However, delisting did not remove the plugin from the sites that had already installed it, all of which remained vulnerable. At the time of its removal, the plugin had already been installed on more than 60,000 sites, according to official WordPress.org stats.
Things got so desperate in the early hours of today’s attacks that the plugin’s author called on users to “remove this plugin immediately” from their sites until an update was available.
There’s a group going after WordPress sites
According to Defiant, the company behind the Wordfence WordPress firewall plugin, the hacking group behind today’s attacks is the same group that exploited two zero-days in two other plugins in previous weeks, namely in the Easy WP SMTP and Social Warfare plugins.
“Exploits so far have used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53,” said Dan Moen, Defiant researcher. “That same IP address was used in the Social Warfare and Easy WP SMTP campaigns.”
Security researchers at Sucuri made the same connection between today’s campaign and the earlier one targeting those two plugins.
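The indicators quoted above (the script host hellofromhony[.]org, its IP 176.123.9[.]53, and the redirect destination searchnotifyfriends dot info from Kevin Beaumont's tweet) are what a site owner would hunt for after removing the plugin. The following scanner is an added example written for this article, not code from the article, Defiant, Sucuri or the plugin's author. It checks three places for those indicators: rendered page HTML, a dump of the wp_options table, and resolver logs. The injected markup, the option name and the log line format are assumptions made for illustration; the article does not show what the injected code looks like.

```python
"""Hunt for the indicators quoted in the article across WordPress data.

Added example, not code from the article or the researchers it quotes.
Indicator values are those the article reports; all sample inputs below
are constructed for illustration.
"""
import re

# Indicators quoted in the article (written there de-fanged as
# hellofromhony[.]org, 176.123.9[.]53 and "searchnotifyfriends dot info").
IOC_DOMAINS = {"hellofromhony.org", "searchnotifyfriends.info"}
IOC_IPS = {"176.123.9.53"}

# Host part of any http(s) or protocol-relative URL. Deliberately loose so
# a host still matches once common defanging has been undone by refang().
_HOST_RE = re.compile(r"(?i)(?:https?:)?//([a-z0-9][a-z0-9.-]*\.[a-z0-9-]+)")


def refang(text):
    """Undo common defanging (hxxp, [.], (.)) so written-up IOCs still match."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxp", "http"))


def hosts_in(text):
    """All URL hosts referenced in text, lower-cased, trailing dot removed."""
    return {h.lower().rstrip(".") for h in _HOST_RE.findall(refang(text))}


def is_ioc_host(host):
    """True for the indicator IP, an indicator domain, or a subdomain of one."""
    return host in IOC_IPS or any(
        host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def ioc_hits(text):
    """Hosts referenced in text that match an indicator."""
    return {h for h in hosts_in(text) if is_ioc_host(h)}


def scan_html(html):
    """Indicator hosts referenced by script/iframe sources or redirects in a page."""
    return sorted(ioc_hits(html))


def scan_wp_options(rows):
    """rows: (option_name, option_value) pairs, e.g. from a SELECT on wp_options.

    Returns (option_name, sorted hosts) for every option whose value
    references an indicator. Plugin settings live in this table, so it is
    a natural place to look for a stored injection (assumption: the article
    does not say where the injected code was stored).
    """
    findings = []
    for name, value in rows:
        hits = ioc_hits(value)
        if hits:
            findings.append((name, sorted(hits)))
    return findings


def scan_dns_log(lines):
    """lines: resolver log lines in a constructed 'time client qname' format.

    Returns (client, qname) for lookups of an indicator domain: the
    network-side signal that the Cisco Umbrella traffic spike in the
    tweet reflects, and a way to find affected visitors on your own network.
    """
    found = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].lower().rstrip(".")
        if qname not in IOC_IPS and is_ioc_host(qname):
            found.append((client, qname))
    return found


# Constructed samples (the real injected markup is not shown in the article).
SAMPLE_HTML = """<html><head>
<script src="https://example.com/jquery.js"></script>
<script src="hxxps://hellofromhony[.]org/inject.js"></script>
</head><body>ok</body></html>"""

SAMPLE_OPTIONS = [
    ("siteurl", "https://www.example.com"),
    ("some_plugin_css", "</style><script src='//176.123.9.53/s.js'></script><style>"),
]

SAMPLE_DNS_LOG = [
    "2019-04-10T14:02:11Z 10.0.0.23 www.example.com",
    "2019-04-10T14:02:12Z 10.0.0.23 searchnotifyfriends.info",
    "2019-04-10T14:02:12Z 10.0.0.41 hellofromhony.org.",
]

if __name__ == "__main__":
    print("html:", scan_html(SAMPLE_HTML))
    print("wp_options:", scan_wp_options(SAMPLE_OPTIONS))
    print("dns:", scan_dns_log(SAMPLE_DNS_LOG))
```

The subdomain check matters because a redirect chain often uses a throwaway hostname under the same domain; matching only the exact names from the write-up would miss it. A clean scan of wp_options and the rendered pages is also the check to run after following the author's advice to remove the plugin, since deleting the plugin does not undo anything it let an attacker store.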
Mailgun did not reply to a request for comment before this article’s publication; however, the company removed the plugin and had its site back up and running within two hours of detecting the problem.
“Our applications including the Mailgun Dashboard, APIs, and customer data stored on our platform were not impacted by this issue,” the company said in its status report page.