Hackers actively targeting WordPress sites running unpatched Tatsu plugin
Hackers are reportedly actively targeting WordPress sites running unpatched versions of the Tatsu no-code page builder plugin.
Detailed by Ram Gall at Wordfence, the large-scale attack targets a remote code execution vulnerability in Tatsu that was publicly disclosed in March. Although an updated version of the plugin has since been released, not all users have installed it, as is often the case with software and, in this case, a WordPress plugin, which leaves the door open to hackers.
The exact number of sites running unpatched versions of Tatsu is unknown – the number could be as high as 50,000. What’s not hard to track is the number of attacks – Wordfence recorded a peak of 5.9 million attacks against 1.4 million sites on May 14.
The volume of attacks has since decreased, but the attacks are still ongoing. Most attacks are described as probing attacks to determine the presence of the vulnerable plugin.
If a WordPress installation is running an unpatched copy of Tatsu, the most commonly deployed payload is a dropper, which is then used to place additional malware in a randomly named subfolder.
The obvious solution to the problem is for Tatsu users to update the plugin to the latest version, currently 3.3.13. Users are warned that an earlier update, 3.3.12, contained only a partial fix that did not resolve all the issues.
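A way to triage installations against the versions named above, as an added example that is not code from the article or from Wordfence: it reads the `Version:` line from the standard WordPress plugin header and separates unpatched, partially fixed (3.3.12) and fully patched (3.3.13 or later) copies. The location of the plugin's main PHP file is an assumption and is supplied by the operator; the sample headers are constructed.

```python
import re
import sys

FIXED = (3, 3, 13)    # full fix, per the article
PARTIAL = (3, 3, 12)  # partial fix only, per the article

# WordPress plugin headers are "Key: value" lines in the leading comment
# of the plugin's main PHP file; only the first 8 KB is examined.
_VERSION = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

def parse_version(php_source):
    """Return the header version as a 3-tuple of ints, or None if absent."""
    m = _VERSION.search(php_source[:8192])
    if not m:
        return None
    nums = [int(p) for p in re.findall(r"\d+", m.group(1))[:3]]
    if not nums:
        return None
    return tuple(nums + [0] * (3 - len(nums)))

def classify(php_source):
    """Map a plugin header to unknown / unpatched / partial-fix / patched."""
    v = parse_version(php_source)
    if v is None:
        return "unknown"
    if v >= FIXED:  # tuple comparison is numeric, so 3.10.0 > 3.3.13
        return "patched"
    if v == PARTIAL:
        return "partial-fix"
    return "unpatched"

# Constructed sample header, for illustration only.
SAMPLE = "<?php\n/**\n * Plugin Name: Tatsu\n * Version: 3.3.12\n */\n"

if __name__ == "__main__":
    # Usage: python check_tatsu.py <path to the plugin's main PHP file> ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, classify(fh.read(8192)))
```

Anything reported as `unpatched` or `partial-fix` still needs the update to 3.3.13.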
“When it comes to cybersecurity, most organizations pay little attention to their websites,” Chris Olson, chief executive of the digital security provider Media confidence, told SiliconANGLE. “The Tatsu vulnerability shows us why this is a mistake: websites – which play a key role in marketing and revenue generation – are increasingly targeted by hackers, making them a source of risk for customers and occasional visitors.”
Olson noted that as a precaution, anyone managing an organization’s website should perform regular scheduled maintenance that includes updates for plugins and security patches. party code, because those are the main risk factors,” Olson added.