Rogue Pharmacy Defacements via REST API Exploit

This article was co-authored by Security Researcher Wyatt Morgan from SiteLock Research.

This month we’ve seen WordPress websites bombarded with defacements and remote code execution attempts by abusing a vulnerability in the WordPress REST API. As could be expected, compromises motivated by financial gain have now made their debut through the same vector. This most recent flavor of defacements focuses on driving traffic to a rogue pharmacy website, where the visitor is encouraged to purchase — you guessed it, “authentic” erectile dysfunction medication.

Rogue Pharmacies are uncertified or entirely fraudulent entities that seek to illegally sell controlled substances and medications, or simply steal credit card information from would-be purchasers.

Trend characteristics:

• This attack vector impacts WordPress sites running versions 4.7 and 4.7.1 with the REST API enabled.
• The attackers are sending the defacement payload over the REST API to modify and deface existing posts.
• Post permalinks are being modified in the cases we’ve documented.

SiteLock first spotted the rogue pharmacy defacement on a customer’s website that was running WordPress 4.7. In this particular case, the defacement was engaged in a game of tug-of-war with the other defacements we’ve seen, in that each hacker was overwriting the previous defacement in an ongoing struggle for exposure. As is the case with most of the pharmacy-based malware activity we see, the text appears to be written by someone who doesn’t speak English natively. Interestingly, the rogue pharmacy domain was registered only two weeks ago — five days after the vulnerability’s disclosure.

Screenshot from an impacted website. (redacted)

Once again, this attack targets existing posts in WordPress, which means that a successful attack is overwriting data inside the WordPress database and data may only be recoverable via backup. If you have been impacted by this attack, your best course of action is to follow these steps:

1. Perform a file and database backup of the impacted website and save it to a secure location. This will ensure your data is safe if any critical failures occur in the following steps.
2. Update WordPress to the latest version, currently version 4.7.2.
3. Login to /wp-admin/ and verify which posts have been impacted by the defacement by looking in the title and body of the post for content that you did not put there. From the “edit post” menu, for each impacted post, check the revision history of the post to see if the original content is intact in a previous revision. If a previous revision is available, restore the post to that revision. Be sure to also check if the permalink for the post has been modified.

In many cases, following the above steps will remove the defacement and no further action is required. If you were not able to recover all of your post content, please continue with the following steps.

4. Locate your most recent database backup from before the attack and restore it to the production database.
5. Login to /wp-admin/ to check if any database clean-up is required to synchronize to the current WordPress version on the production site.
6. If WordPress indicates database changes are needed, allow it to run through the changes.

7. Audit your website for any incompatibility with the new WordPress version you’ve installed. Issues with updating are most commonly evident in the look and feel of the website.

We advise reaching out to your hosting provider as they may have a backup of your website stored on file. Additionally, if you have any questions or concerns about this email, please contact us at 877.563.2832 or email [email protected].

Please check this article regularly for updates as more information becomes available.