US-CERT said it is urging website administrators to update sites that utilize the WordPress content management system following a surge in website servers redirecting visitors to a ransomware-delivering exploit kit known as Nuclear.

The malware uploads multiple backdoors into different locations on an infected web server and frequently updates the injected code. It also delivers TeslaCrypt ransomware, which encrypts user files and demands a large payment for the decryption key required to restore them.

Recent versions of ransomware leverage compromised WordPress sites to serve as a drop point for information related to the compromised host. In March 2015, a so-called ISIS hack on numerous North American websites, including one belonging to a Montana credit union, exploited a known vulnerability in a WordPress plug-in.

Recent attacks concealed the code by redirecting end-users through a series of sites before dropping the ransomware payload.

According to US-CERT, a part of the Department of Homeland Security's National Cybersecurity and Communications Integration Center, WordPress 4.4.1 and prior versions contain two security vulnerabilities. Exploitation of one of these vulnerabilities could allow a remote attacker to obtain sensitive information.

Users and administrators are encouraged to review the WordPress Security and Maintenance Release and upgrade to WordPress 4.4.2.

WordPress released version 4.4.2 to address flaws that left instances vulnerable to an "open redirection attack" bug and a "possible server-side request forgery."

"WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads," Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post. "This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit."

The security firm Sucuri noted that the injected malware had distinguishing features, including 32-hex-digit strings at the beginning and end of the code.
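A file scanner built around that indicator, added here as an illustration and not code from Sucuri, US-CERT or this article's author: it pairs consecutive 32-hex-digit markers in PHP or JavaScript files, reports the span between them, and notes obfuscation-related calls found inside. The sample file, the install path, the pairing rule and the list of suspicious calls are all constructed assumptions, not the researchers' signatures.

```python
import os
import re
from typing import Dict, List

# A bare 32-hex-digit token, the marker Sucuri described. The look-arounds stop
# a match inside a longer hex run (e.g. a SHA-1 constant in legitimate code).
HEX32 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")
# Assumed list of calls common in obfuscated injections; used only to rank hits.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|assert|create_function)\s*\(")

def find_marked_blocks(source: str, min_len: int = 40) -> List[Dict]:
    """Pair consecutive 32-hex markers and describe the code between them.
    Spans shorter than min_len are skipped: two MD5 constants sitting close
    together in ordinary code are not an injected block."""
    markers = list(HEX32.finditer(source))
    hits, i = [], 0
    while i + 1 < len(markers):
        head, tail = markers[i], markers[i + 1]
        body = source[head.end():tail.start()]
        if len(body) >= min_len:
            hits.append({
                "open": head.group(), "close": tail.group(),
                "line": source.count("\n", 0, head.start()) + 1,
                "length": len(body),
                "suspicious_calls": sorted(set(SUSPICIOUS.findall(body))),
            })
            i += 2  # both markers consumed by this block
        else:
            i += 1
    return hits

def scan_tree(root: str, exts=(".php", ".js")) -> Dict[str, List[Dict]]:
    """Walk a WordPress install (hypothetical path) and report hits per file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_marked_blocks(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample: a clean theme file with an injected block appended.
SAMPLE = """<?php
function cu_greeting() { return 'hello'; }
/* 0f3a9c2e7b6d5a4f1e8c9b0a7d6e5f4c */
$p = base64_decode('aGVsbG8='); eval($p);
/* 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b */
"""

if __name__ == "__main__":
    for hit in find_marked_blocks(SAMPLE):
        print(hit)
```

Run `scan_tree("/var/www/html")` (path assumed) against a real install to get a per-file report; a hit only means the markers are present, so review the flagged span before acting on it.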

If website visitors have out-of-date, unpatched versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight or Internet Explorer, they put themselves at risk for infection by the TeslaCrypt ransomware.

"KnowBe4 used to run on WordPress, but we have moved away because of these types of security issues," Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based KnowBe4, said.

He recommended those running WordPress take these immediate steps:

  1. Patch server operating systems.
  2. Patch WordPress.
  3. Get rid of as many WP plug-ins as possible and patch the current ones.
  4. Update all your WP instances at the same time to prevent cross-infections.
  5. Lock down all WP instances with a very strong password and WP two-factor authentication.

He also recommended end-users take these steps:

  1. Keep workstation operating systems and third-party apps updated at all times.
  2. Back up data and keep up with daily off-site backups. Regularly test if your restore function actually works.
  3. Provide end-users with the 64-bit version of Google Chrome if possible.
  4. Run the latest V5.5 of Microsoft's Enhanced Mitigation Experience Toolkit on workstations.
  5. Put all users through effective security awareness training.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).