Surge of JavaScript Malware in sites with vulnerable versions of LiteSpeed Cache Plugin

May 9, 2024, 3:24 p.m.

Description

A recent surge of malicious JavaScript code has been observed targeting websites that use vulnerable versions of the LiteSpeed Cache plugin for WordPress. The malware injects code into critical WordPress files or the database and creates unauthorized admin users such as 'wpsupp-user'. It exploits a vulnerability in LiteSpeed Cache versions before 5.7.0.1 that allows attackers to inject malicious scripts. The malware is often associated with URLs like 'https://dns.startservicefounds.com/service/f.php' and IPs like 45.150.67.235 or 94.102.51.144. Website owners should review their installed plugins, update them, and search for suspicious code or users.

Date

Published: May 9, 2024, 3:08 p.m.
Created: May 9, 2024, 3:08 p.m.
Modified: May 9, 2024, 3:24 p.m.

Indicators

https://dns.startservicefounds.com/service/f.php

https://cache.cloudswiftcdn.com

https://api.startservicefounds.com

Attack Patterns

T1038

T1092

T1528

T1213

T1189

T1505

T1486

T1518

T1057

T1083

T1543

T1098

T1027

T1053

T1562

T1190

T1059