Over 500 Compromised Wordpress and Joomla Websites Contain Malware

Researchers from the cyber security company Zscaler have observed a sharp increase in Shade ransomware, also known as Troldesh, on WordPress and Joomla sites over the last few weeks. Zscaler has also detected multiple backdoors, redirectors, and phishing pages. Attackers are using a hidden directory on HTTPS sites and are distributing the malware through spam emails that redirect to the compromised site hosting the malicious zip file. Over 500 websites have been compromised, most of which appear to be running WordPress versions 4.8.9 to 5.1.1. Phishing sites are using SSL-validated hidden directories in an attempt to fool the victim into providing credentials. The sites may also have outdated Content Management System (CMS) plugins/themes, which could lead to the compromise. These phishing sites hosted under SSL-validated hidden directories are related to the recent attempts to obtain credentials for Office 365, Dropbox, and SharePoint. The full list of Indicators of Compromise is available in the Zscaler blog post.

The NJCCIC recommends users refrain from clicking on any links contained in suspicious emails. If the user is uncertain of the email's legitimacy, contact the sender via an alternate method. The NJCCIC encourages users who believe their account may have been compromised to notify their agency ISO, Email Admin, or Helpdesk to assist in remediating the issue.
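Site owners can turn the two concrete details in the report (the 4.8.9 to 5.1.1 WordPress version range and zip archives dropped in hidden directories) into a quick local check. The script below is an added example, not code from Zscaler or the NJCCIC; it assumes the WordPress version is read from `wp-includes/version.php` (`$wp_version`) and takes "hidden directory" to mean a dot-prefixed directory name, both of which are assumptions. The `build_sample_webroot()` tree is constructed sample data, not a real site.

```python
import os
import re
import tempfile
from pathlib import Path

AFFECTED_MIN = (4, 8, 9)  # WordPress version range quoted in the report
AFFECTED_MAX = (5, 1, 1)
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([0-9.]+)'")

def parse_version(text):
    """Return $wp_version from version.php contents as a 3-tuple, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))  # "5.1" -> (5, 1, 0)

def in_affected_range(version):
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX

def zips_in_hidden_dirs(webroot):
    """Zip archives anywhere below a dot-prefixed directory (assumption: that
    is what the report's 'hidden directory' means)."""
    webroot = Path(webroot)
    hits = []
    for root, _dirs, files in os.walk(webroot):
        rel = Path(root).relative_to(webroot)
        if any(part.startswith(".") for part in rel.parts):
            hits += [(rel / f).as_posix() for f in files if f.lower().endswith(".zip")]
    return sorted(hits)

def audit(webroot):
    """Version check plus hidden-directory zip scan for one web root."""
    vfile = Path(webroot) / "wp-includes" / "version.php"
    version = parse_version(vfile.read_text(errors="replace")) if vfile.is_file() else None
    return {"version": version,
            "version_in_range": in_affected_range(version),
            "hidden_zips": zips_in_hidden_dirs(webroot)}

def build_sample_webroot():
    """Constructed sample tree (not real data): WordPress 5.0.3 with one zip
    in a dot-directory and one in a normal directory."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '5.0.3';\n")
    (root / ".cache").mkdir()
    (root / ".cache" / "update.zip").write_bytes(b"PK")
    (root / "uploads").mkdir()
    (root / "uploads" / "theme.zip").write_bytes(b"PK")
    return root
```

Run `audit("/path/to/webroot")` against a real install; a version inside the range or any entry under `hidden_zips` is a prompt to review the site, not proof of compromise.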