Surge of JavaScript Malware in sites with vulnerable versions of LiteSpeed Cache Plugin
May 9, 2024, 3:24 p.m.
Description
A recent surge of malicious JavaScript code has been observed targeting WordPress websites that run vulnerable versions of the LiteSpeed Cache plugin. The malware injects code into critical WordPress files or the database, creating unauthorized admin users such as 'wpsupp-user'. It exploits a vulnerability in LiteSpeed Cache versions before 5.7.0.1 that allows attackers to inject malicious scripts. The malware is often associated with URLs like 'https://dns.startservicefounds.com/service/f.php' and IPs like 45.150.67.235 or 94.102.51.144. Website owners should review their installed plugins, update them, and search for suspicious code or users.
Date
Published: May 9, 2024, 3:08 p.m.
Created: May 9, 2024, 3:08 p.m.
Modified: May 9, 2024, 3:24 p.m.
Indicators
45.150.67.235
31.43.191.220
94.102.51.144
https://dns.startservicefounds.com/service/f.php
https://cache.cloudswiftcdn.com
https://api.startservicefounds.com
Attack Patterns
T1038
T1092
T1528
T1213
T1189
T1505
T1486
T1518
T1057
T1083
T1543
T1098
T1027
T1053
T1562
T1190
T1059