2022-09-08

The BackupBuddy vulnerability affects versions 8.5.8.0 through 8.7.4.1 and has been under active attack since August 27.

The patch was released on September 2 and iThemes warned users about the ongoing attack campaign exploiting the vulnerability.

Wordfence also confirmed the attack and stated that their firewall blocked approximately 5 million attacks in a short period of time.

iThemes has announced that it discovered a security vulnerability in the BackupBuddy plugin that can allow attackers to breach websites. According to the announcement, the vulnerability, tracked as CVE-2022-31474, affects versions 8.5.8.0 through 8.7.4.1. The company also confirmed that the vulnerability is being actively exploited in the wild; exploitation appears to have started on August 27th, 2022.

Zero-day vulnerability under attack

The patch was released on September 2 and the issue is resolved in version 8.7.5. The update is available for all vulnerable versions, regardless of the BackupBuddy licensing status. iThemes also pushed auto-updates to all iThemes Sync users who have BackupBuddy installed.

The company stated that attackers can exploit the vulnerability to view the contents of any file on the server that the WordPress installation can read. Those files can include wp-config.php or even /etc/passwd. If you have determined that your site may have been compromised, you can perform the following steps:

Reset your database password. You may have to reach out to your hosting provider to help you with this.

Change your WordPress salts. iThemes Security can do this for you automatically via Tools > Change WordPress Salts, or you can update them manually.

Rotate other secrets in wp-config.php. You may have stored API keys for services like Amazon S3 in your wp-config.php file. If so, these should be reset and updated.
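The manual salt rotation mentioned in the second step, as an added example that is not part of the article or of iThemes' own tooling: the script below rewrites the eight WordPress key and salt defines in a wp-config.php with fresh 64-character random values. Rotating these invalidates every existing login cookie, which is the point after a suspected wp-config.php disclosure. The sample configuration text is constructed for the example; the database password and any third-party API keys from the other two steps still have to be rotated separately.

```python
import re
import secrets
import string

# The eight keys/salts WordPress defines in wp-config.php.
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable characters minus the single quote and backslash, which would
# break the single-quoted PHP string literal the value is written into.
SALT_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\\"
)

# Matches: define( 'AUTH_KEY', 'old value' );  (whitespace-tolerant)
SALT_DEFINE_RE = re.compile(
    r"(?P<prefix>define\(\s*'(?P<key>" + "|".join(WP_SALT_KEYS) + r")'\s*,\s*')"
    r"(?P<old>[^']*)"
    r"(?P<suffix>'\s*\)\s*;)"
)


def new_salt(length: int = 64) -> str:
    """Return a cryptographically random salt safe inside a PHP '...' literal."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def rotate_salts(config_text: str):
    """Replace every key/salt define; return (new_text, list_of_rotated_keys)."""
    rotated = []

    def repl(m):
        rotated.append(m.group("key"))
        return f"{m.group('prefix')}{new_salt()}{m.group('suffix')}"

    return SALT_DEFINE_RE.sub(repl, config_text), rotated


def extract_salts(config_text: str) -> dict:
    """Read the current key/salt values back out, keyed by constant name."""
    return {m.group("key"): m.group("old") for m in SALT_DEFINE_RE.finditer(config_text)}


# Constructed sample wp-config.php fragment (not a real site's file).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    new_text, rotated = rotate_salts(SAMPLE_CONFIG)
    print(f"rotated {len(rotated)} salts: {', '.join(rotated)}")
    print(new_text)
```

Run it against a copy of the real file, diff the result against the original to confirm only the eight define lines changed, then replace the file; the DB_NAME line and everything else is left untouched by the regex.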

Wordfence also confirmed that the vulnerability is under attack and stated that the company’s firewall has blocked more than 4.9 million attempts since August 26. The top 10 attacking IP addresses are as follows:

195.178.120.89 with 1,960,065 attacks blocked

51.142.90.255 with 482,604 attacks blocked

51.142.185.212 with 366,770 attacks blocked

52.229.102.181 with 344,604 attacks blocked

20.10.168.93 with 341,309 attacks blocked

20.91.192.253 with 320,187 attacks blocked

23.100.57.101 with 303,844 attacks blocked

20.38.8.68 with 302,136 attacks blocked

20.229.10.195 with 277,545 attacks blocked

20.108.248.76 with 211,924 attacks blocked

A majority of the attacks are attempting to read the following files:

/etc/passwd

/wp-config.php

.my.cnf

.accesshash
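A detection pass over web server access logs for the file names and source addresses listed above, as an added example that is not part of the article or of Wordfence's own rules. It parses combined-format log lines, URL-decodes the request path twice so single- and double-encoded traversal is caught, and flags requests that reference any of the four target files or originate from one of the ten addresses Wordfence reported. The endpoint name and query parameter in the sample lines are placeholders constructed for the example and do not describe the vulnerable plugin code.

```python
import re
from collections import Counter
from urllib.parse import unquote

# File names the article says most attacks tried to read.
TARGET_FILES = ("/etc/passwd", "wp-config.php", ".my.cnf", ".accesshash")

# Top attacking addresses reported by Wordfence in the article.
KNOWN_ATTACK_IPS = {
    "195.178.120.89", "51.142.90.255", "51.142.185.212", "52.229.102.181",
    "20.10.168.93", "20.91.192.253", "23.100.57.101", "20.38.8.68",
    "20.229.10.195", "20.108.248.76",
}

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_path(path: str) -> str:
    """Decode twice so double-encoded traversal (%252e%252e%252f) is visible."""
    return unquote(unquote(path)).replace("\\", "/")


def classify(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m["path"])
    targets = [f for f in TARGET_FILES if f in path]
    known_ip = m["ip"] in KNOWN_ATTACK_IPS
    if not targets and not known_ip:
        return None
    reasons = []
    if targets:
        reasons.append("target-file")
    if known_ip:
        reasons.append("known-attacker-ip")
    return {
        "ip": m["ip"],
        "time": m["time"],
        "path": path,
        "status": m["status"],
        "targets": targets,
        "known_ip": known_ip,
        "reasons": reasons,
    }


def scan(lines):
    """Classify every line; return (findings, per-source-IP counter)."""
    findings = [f for f in map(classify, lines) if f]
    return findings, Counter(f["ip"] for f in findings)


# Constructed sample log lines (placeholder endpoint and parameter; not real traffic).
SAMPLE_LOG = """\
195.178.120.89 - - [27/Aug/2022:10:15:01 +0000] "GET /example-endpoint.php?file=../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.7 - - [27/Aug/2022:10:15:02 +0000] "GET /example-endpoint.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 403 153
203.0.113.9 - - [27/Aug/2022:10:15:03 +0000] "GET /example-endpoint.php?file=%252e%252e%252f.my.cnf HTTP/1.1" 200 512
198.51.100.5 - - [27/Aug/2022:10:15:04 +0000] "GET /index.php HTTP/1.1" 200 5120
20.10.168.93 - - [27/Aug/2022:10:15:05 +0000] "GET /index.php HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    findings, per_ip = scan(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f["ip"], f["status"], f["path"], f["reasons"])
    print(per_ip.most_common())
```

When triaging the output, a target-file hit that returned 200 with a non-trivial response size is the case to treat as a probable disclosure (and a reason to run the three remediation steps above); a 403 from the firewall or a known-IP request to an ordinary page is evidence of scanning rather than success.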