A easy operational mistake by a cybercrime group has given researchers an inside have a look at how large-scale web site compromises are carried out.
In response to analysis from SOCRadar, an internet-exposed server belonging to a risk group tracked as WP-SHELLSTORM remained publicly accessible for about three weeks.
“WP-SHELLSTORM is industrialized cybercrime made seen as a result of somebody left a Python SimpleHTTPServer listing open with out authentication for 22 days,” stated Jacob Krell, senior director, safe AI options and cybersecurity at SuzuLabs, in an electronic mail to eSecurityPlanet.
He added, “Many organizations nonetheless assess their exterior publicity solely when a significant Frequent Vulnerabilities and Exposures entry is revealed or throughout periodic vulnerability assessments.”
Key takeaways from the hack
- An uncovered WP-SHELLSTORM server revealed how attackers automated large-scale WordPress web site compromises utilizing identified vulnerabilities.
- The marketing campaign primarily focused outdated WordPress plugins and Joomla parts somewhat than counting on zero-day exploits.
- Greater than 1.4 million web sites appeared on attacker goal lists, however researchers confirmed that far fewer had been efficiently compromised.
- The uncovered infrastructure additionally uncovered an earlier marketing campaign that stole enterprise cloud credentials earlier than shifting to mass web site backdooring.
How WP-SHELLSTORM compromised WordPress web sites
WP-SHELLSTORM operated as a webshell entry brokerage, compromising web sites in bulk earlier than reselling entry.
Their server contained roughly 800 MB of knowledge, together with exploit instruments, webshells, goal lists, exercise logs, and command histories.
The uncovered recordsdata revealed how the group compromised susceptible web sites, offering new perception right into a large-scale WordPress webshell operation. Somewhat than utilizing zero-day vulnerabilities, the group automated assaults in opposition to identified flaws in outdated WordPress plugins, exposing weaknesses in WordPress web site safety.
Identified WordPress vulnerabilities fueled the assaults
Researchers discovered the toolkit supported exploitation of 27 identified vulnerabilities, though a small quantity accounted for many of the exercise. Probably the most profitable assault focused the Breeze WordPress caching plugin (CVE-2026-3844), which attackers launched in opposition to greater than 45,000 web sites.
In response to the group’s personal logs, greater than 17,000 webshells had been deployed, making it one of many largest documented WordPress webshell assaults noticed this yr.
Breeze and Joomla vulnerabilities had been key targets
Nevertheless, researchers famous that the vulnerability impacts solely Breeze installations during which the non-default “Host Recordsdata Domestically – Gravatars” choice is enabled, thereby limiting the variety of actually susceptible web sites.
The attackers additionally focused CVE-2026-48907, a Joomla JCE Editor vulnerability.
Massive goal lists didn’t equal large-scale compromise
The uncovered information referenced greater than 1.4 million web sites, however researchers cautioned that this quantity represented scanning targets somewhat than confirmed victims.
One file alone contained over 587,000 Joomla domains chosen for scanning.
After eradicating duplicates and validating profitable compromises, Ctrl-Alt-Intel recognized roughly 25,195 compromised web sites, whereas SOCRadar noticed greater than 5,700 energetic webshells throughout its evaluation.
Webshells supplied persistent entry
As soon as attackers efficiently exploited a susceptible web site through the WordPress webshell assault, they put in an obfuscated webshell referred to as down.php, which researchers imagine was derived from the open-source Chinese language webshell BestShell.
The backdoor enabled attackers to execute instructions remotely, browse recordsdata, steal credentials, set up reverse shells, and transfer laterally all through compromised environments.
For extra persistence, the operators deployed the SNOWLIGHT dropper to put in VShell, a distant entry instrument that disguises itself as a legit Linux kernel employee course of through the use of names equivalent to [kworker/0:2].
Though VShell has appeared in campaigns linked to suspected Chinese language state actors, researchers stated it is usually broadly utilized by Chinese language-speaking cybercriminals. Because of this, its presence alone doesn’t point out nation-state involvement.
Researchers uncovered an earlier credential theft marketing campaign
The uncovered server additionally revealed proof of an earlier marketing campaign carried out earlier than launching the large-scale WordPress webshell assault.
In response to SOCRadar, the group focused susceptible Nacos configuration servers utilizing CVE-2021-29441, permitting attackers to bypass authentication and steal configuration information from organizations.
Researchers additionally recovered cloud credentials for AWS, Oracle Cloud, Alibaba Cloud, Tencent Cloud, and DigitalOcean, together with database passwords and cryptographic keys.
SOCRadar believes the sequence suggests the group first harvested enterprise credentials earlier than shifting towards the upper quantity web site backdooring marketing campaign.
Should-read safety protection
Operational errors uncovered the attackers
Regardless of working a classy toolkit, the risk actors made a number of operational safety errors.
The group left an unauthenticated Python internet server publicly accessible for 22 days, exposing inside command histories, FOFA search configurations, exploit scripts, and infrastructure particulars. Researchers additionally noticed proof that the operators tried to delete parts of the logs after realizing the publicity, however the effort got here too late.
Primarily based on Simplified Chinese language discovered all through the recordsdata, using FOFA, and the malware employed, researchers assess with average to excessive confidence that the operators are Chinese language or Chinese language-speaking.
Nevertheless, SOCRadar believes the marketing campaign was financially motivated somewhat than linked to a government-sponsored operation.
How organizations can cut back threat
Organizations accountable for WordPress web site safety or Joomla environments ought to prioritize putting in the most recent safety updates.
To scale back the danger of comparable assaults:
- Patch WordPress, Joomla, and all plugins, prioritizing vulnerabilities identified to be underneath energetic exploitation primarily based on the analysis.
- Take away or disable unused plugins, themes, and extensions to scale back your total assault floor.
- Constantly monitor web sites for unauthorized file adjustments, suspicious webshells, and different indicators of a WordPress webshell assault.
- Hunt for indicators of compromise, together with suspicious recordsdata equivalent to .bd.php, .wp-log.php, and .brq-*.php, in addition to pretend [kworker] processes with executable paths or community connections.
- Rotate credentials and API keys if susceptible techniques, equivalent to uncovered Nacos servers, might have been compromised.
- Take a look at incident response plans and use simulations with situations round web site compromise.
Collectively, these measures can assist organizations cut back total publicity and construct resilience.
Editor’s be aware: This text initially appeared on our sister publication, eSecurityPlanet.
