A security flaw in the WordPress blogging software has let hackers attack and deface tens of thousands of sites.
One estimate suggests more than 1.5 million pages on blogs have been defaced.
The security firm that found the vulnerability said some hackers were now trying to use it to take over sites rather than just spoil pages.
WordPress urged site owners to update software to avoid falling victim.
The vulnerability is in the REST API, a component added to the core WordPress software in version 4.7, released in December 2016, rather than in a third-party add-on; any site running 4.7.0 or 4.7.1 was exposed.
Security firm Sucuri found the “severe” bug and informed WordPress about it on 20 January.
In a blogpost, WordPress said it delayed going public about the flaw so it could prompt hosting firms to update their software to a fixed version.
The patched version, WordPress 4.7.2, was formally released on 26 January, and many sites and blogs applied it automatically through WordPress's background update mechanism.
However, many blogs have not followed suit, leaving them open to defacement attacks.
Security firm Wordfence said it had seen evidence that 20 hacker groups were trying to meddle with vulnerable sites. About 40,000 blogs are believed to have been hit.
The vulnerability had set off a “feeding frenzy” among hacker groups, Wordfence founder Mark Maunder told the Bleeping Computer tech news site.
“During the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor,” he added.
Sucuri said some hacker groups had moved on from defacement to attempts to use the bug to hijack sites for their own ends.
“Attackers are starting to think of ways to monetise this vulnerability,” wrote Sucuri founder Daniel Cid. “Defacements don’t offer economic returns, so that will likely die soon.”
Hackers were keen to use the vulnerable sites as proxies for spam or malware campaigns, he said.
Analysis of the WannaCry ransom notes suggests Chinese-speaking criminals may have been behind the ransomware that affected thousands of organisations worldwide.
Researchers from Flashpoint looked at the language used in the ransom notice.
They said that only the Chinese versions used proper grammar and punctuation, which indicated the writer was “native or at least fluent” in Chinese.
The translated versions of the ransom notice appeared to be mostly “machine translated”.
The WannaCry ransom note could be displayed in 28 different languages, but only the Chinese and English versions appeared to have been written by humans.
The English text also used some unusual phrases such as: “But you have not so enough time”.
The WannaCry cyber-attack infected more than 200,000 computers in 150 countries, affecting government, healthcare and private company systems.
The UK’s National Crime Agency, the FBI and Europol are investigating who was responsible for the ransomware.
Some earlier analysis of the software had suggested criminals in North Korea may have been behind it.
But the Flashpoint researchers noted the Korean-language ransom note was a poorly translated version of the English text.
“It was only really the Chinese and the English versions that appeared to be written by someone that understood the language,” said cyber-security expert Prof Alan Woodward from the University of Surrey.
“The rest appeared to come from Google Translate. Even the Korean.”
Prof Woodward noted that the people behind the ransomware had not attempted to retrieve the money victims had paid in Bitcoin, and added it was likely they were keeping a low profile.
“I actually think they’ve run for the hills,” he told the BBC.
“Their so-called command and control system, the thing that controls quite a lot of the software, has all been turned off.
“They know that so many people are watching them now and that following the money could lead to their downfall. I suspect if they’ve got any sense at all they’ll leave it well alone.”
Credit : BBC News