Mailgun’s WordPress Website Hacked
Mailgun’s WordPress website has been hit by a spray-and-pray hacking campaign, as part of the massive attack on WordPress websites.
Mailgun, an email automation and delivery service provider, was among the targets of this attack, which is part of a coordinated campaign against WordPress websites exploiting a plugin vulnerability.
ZDNet reports, “Email automation and delivery service Mailgun was one of the many companies that have been hacked today as part of a massive coordinated attack against WordPress sites…The attacks exploited an unpatched cross-site scripting (XSS) vulnerability in a WordPress plugin named Yuzo Related Posts.”
The ZDNet report also explains how the vulnerability is exploited; it says, “The vulnerability allowed hackers to inject code in vulnerable sites, which they later used to redirect incoming visitors to all sorts of nasties, such as tech support scams, sites peddling malware-laced software updates, or plain ol’ spammy pages showing ads.”
Reports say that many other website owners have been attacked in similar ways, evidently through the same vulnerability. Many website owners have reported similar issues on the WordPress.org support forum for the plugin and on other web-development discussion forums.
ZDNet points out that the massive hacking campaign targeting WordPress websites was, in fact, avoidable. ZDNet security reporter Catalin Cimpanu, in his report dated April 10, 2019, observes, “Today’s massive hacking campaign could have been avoided if only the web developer who found the Yuzo Related Posts plugin vulnerability would have reported the issue to its author instead of publishing proof-of-concept code online.”
After the researcher published the zero-day exploit online, the plugin was removed from the official WordPress Plugins repository the same day to prevent further downloads until a patch for the vulnerability was available. That move was not enough to stop the attacks, because the plugin remained installed on many websites around the world: WordPress.org statistics indicate that, at the time of removal, it was installed on over 60,000 websites. With the attacks now happening on a massive scale, the plugin’s author, in the early hours of the attacks, called on users to remove the plugin from their websites immediately and to refrain from using it until an update was available.
Researchers believe that a single group is targeting WordPress websites. Security researchers at Defiant, the leading WordPress security firm, point out that the current attacks appear to have been launched by the same group that recently exploited two zero-days in two other WordPress plugins (Social Warfare and Easy WP SMTP).
Defiant researcher Dan Moen writes, “Our analysis shows that the attempts to exploit this vulnerability share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP…Exploits so far have used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53. That same IP address was used in the Social Warfare and Easy WP SMTP campaigns. In addition, all three campaigns involved the exploitation of stored XSS injection vulnerabilities and have deployed malicious redirects. We are confident that the tactics, techniques, and procedures (TTPs) in all three attacks point to a common threat actor.”
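A defender-side check, added here as an example and not taken from the article, Defiant or Mailgun: it parses a page (or exported post content) and flags external scripts whose host matches the indicators quoted above, plus inline scripts that perform a redirect. The domain is un-defanged for matching; the HTML sample is constructed, and the redirect target is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators from the Defiant analysis quoted above, with defanging brackets removed.
CAMPAIGN_INDICATORS = {"hellofromhony.org", "176.123.9.53"}

# Inline JavaScript patterns that force a visitor redirect.
REDIRECT_RE = re.compile(r"(?:window\.)?location(?:\.href)?\s*=|location\.replace\(", re.I)


class _ScriptCollector(HTMLParser):
    """Collect external <script src> values and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.sources = []       # src attribute of each <script src=...>
        self.inline = []        # text inside each <script>...</script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def scan_page(html):
    """Return (kind, detail) findings: scripts loaded from campaign hosts, and inline redirects."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        # Protocol-relative "//host/x.js" still parses once a scheme separator is present.
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        if host in CAMPAIGN_INDICATORS:
            findings.append(("campaign-script", src))
    for body in parser.inline:
        if REDIRECT_RE.search(body):
            findings.append(("inline-redirect", body.strip()[:80]))
    return findings


# Constructed sample: a post whose stored content carries an injected tag (not captured data).
SAMPLE = """<html><body><p>Hello</p>
<script src="https://hellofromhony.org/x.js"></script>
<script>window.location.href='https://example.invalid/';</script></body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE):
        print(kind, detail)
```

Run it over a database export of post content and widget/option values, since a stored XSS payload lives there rather than in the theme files.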
Other security researchers, like those at Sucuri, too have made similar observations connecting the current attacks to the previous ones.
Mailgun reportedly removed the plugin within two hours of detecting the issue, and the website is now safe to use. Mailgun applications, including the Mailgun Dashboard, customer data, APIs, etc., were reportedly not impacted by the issue.