AI Security AI安全 10h ago Updated 9h ago 更新于 9小时前 46

Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites 暴露的黑客服务器揭示WP-SHELLSTORM后门植入数千个WordPress网站

An exposed server revealed the inner workings of WP-SHELLSTORM, a cybercrime group operating a webshell access brokerage targeting over 1.4 million websites. The primary attack vector involved exploiting vulnerabilities in outdated plugins, specifically CVE-2026-3844 in the WordPress Breeze caching plugin and flaws in Joomla’s JCE editor. Actual compromise rates were significantly lower than target lists suggested, with approximately 5,700 to 25,000 sites confirmed as backdoored depending on the WP-SHELLSTORM团伙因疏忽将包含140万目标列表及攻击工具的服务器暴露在互联网上长达三周,导致其内部运作细节泄露。 该团伙主要利用WordPress插件(如Breeze缓存插件)和Joomla编辑器的已知漏洞进行大规模自动化扫描和后门植入。 实际被攻破的网站数量远低于目标列表数量,经去重验证的受感染站点约为2.5万至5.7万个不等。 攻击者使用高度混淆的Webshell(如down.php)和伪装成内核进程的VShell后门,具备文件管理、命令执行及网络扫描能力。 分析显示该团伙可能为中文背景的经济动机黑客组织,其行动模式呈现“先窃取高价值企业凭证融资,后转向大规模Webshell买

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • An exposed server revealed the inner workings of WP-SHELLSTORM, a cybercrime group operating a webshell access brokerage targeting over 1.4 million websites.
  • The primary attack vector involved exploiting vulnerabilities in outdated plugins, specifically CVE-2026-3844 in the WordPress Breeze caching plugin and flaws in Joomla’s JCE editor.
  • Actual compromise rates were significantly lower than target lists suggested, with approximately 5,700 to 25,000 sites confirmed as backdoored depending on the measurement methodology.
  • The group utilized heavily obfuscated webshells like down.php and stealthy backdoors such as VShell disguised as kernel threads, indicating sophisticated tradecraft despite operational carelessness.
  • Evidence suggests the operators are Chinese-speaking and financially motivated, having previously conducted targeted credential theft against corporate Java systems before scaling up to mass WordPress exploitation.

Why It Matters

This incident highlights the critical risk of "open directory" misconfigurations in cybercrime infrastructure, where operational sloppiness can expose entire attack chains, toolkits, and target lists to researchers and defenders. It underscores the importance of maintaining updated plugins and monitoring for known vulnerability exploits, particularly in widely used CMS platforms like WordPress and Joomla. Furthermore, it provides valuable threat intelligence regarding the tactics, techniques, and procedures (TTPs) of financially motivated groups leveraging state-level tools for criminal profit.

Technical Details

  • Infrastructure Exposure: The attackers left a Python web server running on port 80 without authentication for 22 days, exposing 800MB of data including webshells, exploit scripts, command history, and C2 configurations.
  • Primary Exploit: CVE-2026-3844 in the Breeze caching plugin for WordPress was the most effective vector, allowing remote code execution when the "Host Files Locally – Gravatars" setting was enabled; it accounted for over 17,000 compromises out of 45,000 attempts.
  • Malware Tooling: The main backdoor, down.php, was a four-layer obfuscated script derived from the open-source BestShell. Remote access was facilitated by SNOWLIGHT droppers installing VShell, which masked its process name as [kworker/0:2] to evade detection.
  • Target Acquisition: Target lists were aggregated from FOFA, a Chinese internet search engine, containing over 1.4 million domains across WordPress, Joomla, and other platforms.
  • Secondary Campaign: Prior to the WordPress spree, the group exploited CVE-2021-29441 in Nacos configuration servers to steal cloud credentials (AWS, Alibaba, etc.) and database passwords from corporate systems.

Industry Insight

  • Threat Intelligence Sharing: The exposure demonstrates how defensive analysis of attacker infrastructure can yield significant insights into emerging TTPs and vulnerability exploitation trends, encouraging proactive sharing of such data within the security community.
  • Plugin Security Hygiene: Organizations must prioritize immediate patching of known vulnerabilities in third-party plugins, especially those with specific configuration dependencies that may inadvertently enable exploitation.
  • Operational Security Risks: The incident serves as a case study in operational security failures; even sophisticated criminal groups are vulnerable to exposure due to basic misconfigurations, providing defenders with opportunities to disrupt their operations through monitoring and takedown efforts.

TL;DR

  • WP-SHELLSTORM团伙因疏忽将包含140万目标列表及攻击工具的服务器暴露在互联网上长达三周,导致其内部运作细节泄露。
  • 该团伙主要利用WordPress插件(如Breeze缓存插件)和Joomla编辑器的已知漏洞进行大规模自动化扫描和后门植入。
  • 实际被攻破的网站数量远低于目标列表数量,经去重验证的受感染站点约为2.5万至5.7万个不等。
  • 攻击者使用高度混淆的Webshell(如down.php)和伪装成内核进程的VShell后门,具备文件管理、命令执行及网络扫描能力。
  • 分析显示该团伙可能为中文背景的经济动机黑客组织,其行动模式呈现“先窃取高价值企业凭证融资,后转向大规模Webshell买卖”的特征。

为什么值得看

这篇文章揭示了大规模自动化网络攻击背后的具体战术和技术栈,特别是针对WordPress生态系统的供应链式攻击手法,为安全从业者提供了具体的防御视角。同时,它强调了基础运维安全的重要性,即使是高级黑客也会因配置错误(如未授权访问)而暴露核心资产,提醒企业加强服务器权限管理和日志审计。

技术解析

  • 攻击基础设施与泄露:攻击者在IP 137.175.93[.]126上运行Python Web服务器传输文件,因未设置密码且持续运行22天而被SOCRadar和Ctrl-Alt-Intel发现,泄露了约800MB的工具、日志和目标列表。
  • 主要漏洞利用:核心利用链包括WordPress Breeze缓存插件的CVE-2026-3844漏洞(需特定配置开启),以及Joomla JCE编辑器的漏洞。攻击者使用FOFA搜索引擎获取目标列表,并通过自动化工具批量发送exploit脚本。
  • 恶意软件特征:主后门down.php经过四层混淆,源自开源BestShell;远程访问工具SNOWLIGHT dropper安装VShell,将其进程名伪装为[kworker/0:2]以逃避检测,支持反向Shell和网络扫描。
  • 前期侦察与数据窃取:在大规模WordPress攻击前,该团伙曾利用Nacos配置服务器CVE-2021-29441漏洞,从9家企业的11个系统中窃取配置文件,包括AWS、阿里云等云密钥及数据库密码,疑似为后续攻击提供资金支持。

行业启示

  • 重视基础安全配置:即使是复杂的攻击团伙也可能因简单的运维失误(如弱口令、开放目录)而暴露,企业应定期审查服务器访问控制策略和敏感数据泄露风险。
  • 关注CMS生态安全:WordPress和Joomla等广泛使用的平台是攻击重灾区,特别是第三方插件的安全更新至关重要,管理员应及时修补已知漏洞并限制非必要功能的启用。
  • 威胁情报关联分析:通过关联不同阶段的攻击行为(如从企业凭证窃取到Webshell批量植入),可以识别出同一攻击组织的资金驱动型犯罪模式,有助于制定更精准的防御和溯源策略。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全