Surge of JavaScript Malware in sites with vulnerable versions of LiteSpeed Cache Plugin

May 9, 2024, 3:24 p.m.

Description

A recent surge of malicious JavaScript code has been observed targeting websites that run vulnerable versions of the LiteSpeed Cache plugin for WordPress. The malware injects code into critical WordPress files or into the database and creates unauthorized administrator users such as 'wpsupp-user'. It exploits a vulnerability in LiteSpeed Cache versions before 5.7.0.1 that allows attackers to inject malicious scripts. The malware is commonly associated with URLs such as 'https://dns.startservicefounds.com/service/f.php' and with the IP addresses 45.150.67.235 and 94.102.51.144. Website owners should review the plugins they have installed, update them, and search their files, database and user list for suspicious code or accounts.
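As an added example (not part of this report), the following Python checks a site's artifacts against what the report describes: whether the plugin header's version is below 5.7.0.1, whether the listed indicators appear in a file or database dump, and whether an administrator account with the reported username exists. The sample plugin header, injected snippet and user list are constructed, and the user-record shape is an assumption.

```python
import re

# Indicators, username and fixed version are taken from the report above.
KNOWN_DOMAINS = ("dns.startservicefounds.com", "cache.cloudswiftcdn.com",
                 "api.startservicefounds.com")
KNOWN_IPS = ("45.150.67.235", "31.43.191.220", "94.102.51.144")
SUSPICIOUS_LOGINS = ("wpsupp-user",)
FIXED_VERSION = (5, 7, 0, 1)   # first LiteSpeed Cache release not affected


def parse_version(text):
    """'5.7' -> (5, 7); tuple comparison treats 5.7 as older than 5.7.0.1."""
    return tuple(int(p) for p in text.strip().split("."))


def plugin_is_vulnerable(header_text):
    """Read the 'Version:' line of a WordPress plugin header (litespeed-cache.php).
    Returns True if older than 5.7.0.1, False if not, None if no version is found."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9.]+)", header_text, re.MULTILINE)
    if not m:
        return None
    return parse_version(m.group(1)) < FIXED_VERSION


def find_indicators(text):
    """Return the report's domains/IPs that appear in a file or database dump."""
    return sorted(i for i in KNOWN_DOMAINS + KNOWN_IPS if i in text)


def suspicious_admins(users):
    """users: list of {'user_login': str, 'roles': list or comma-separated str}
    (assumed shape). Returns administrator logins matching the report's name."""
    hits = []
    for u in users:
        roles = u.get("roles", [])
        if isinstance(roles, str):
            roles = roles.split(",")
        if "administrator" in roles and u["user_login"] in SUSPICIOUS_LOGINS:
            hits.append(u["user_login"])
    return hits


# Constructed sample inputs (not real site data).
SAMPLE_PLUGIN_HEADER = "/*\n * Plugin Name: LiteSpeed Cache\n * Version: 5.6\n */\n"
SAMPLE_FILE = ('<script src="https://dns.startservicefounds.com/service/f.php"></script>'
               '<!-- 45.150.67.235 -->')
SAMPLE_USERS = [{"user_login": "admin", "roles": ["administrator"]},
                {"user_login": "wpsupp-user", "roles": "administrator"},
                {"user_login": "editor1", "roles": ["editor"]}]

if __name__ == "__main__":
    print("vulnerable:", plugin_is_vulnerable(SAMPLE_PLUGIN_HEADER))
    print("indicators:", find_indicators(SAMPLE_FILE))
    print("suspicious admins:", suspicious_admins(SAMPLE_USERS))
```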

Date

  • Created: May 9, 2024, 3:08 p.m.
  • Published: May 9, 2024, 3:08 p.m.
  • Modified: May 9, 2024, 3:24 p.m.

Indicators

  • 45.150.67.235
  • 31.43.191.220
  • 94.102.51.144
  • https://dns.startservicefounds.com/service/f.php
  • https://cache.cloudswiftcdn.com
  • https://api.startservicefounds.com

Attack Patterns

  • T1038
  • T1092
  • T1528
  • T1213
  • T1189
  • T1505
  • T1486
  • T1518
  • T1057
  • T1083
  • T1543
  • T1098
  • T1027
  • T1053
  • T1562
  • T1190
  • T1059