Heading into the Easter weekend, our incident response team received a call from a large global organisation whose users had reported that their corporate emails were failing to be delivered. Our client's customers who were expecting the mails had investigated the failures and reported that their email security tool, Proofpoint in this case, had flagged the incoming emails as containing malicious links.
Concerned about brand damage and revenue loss, the client requested Talanos Cybersecurity's immediate intervention. Quickly we'd established from reviewing outbound mails that it was the client's own website that was being flagged as malicious. The client's homepage had been hyperlinked in the company email signature, attached to every outgoing email. When the mails were processed by the recipient's email security software, the URL in the signature was being scanned and diagnosed as being a compromised website, which in turn flagged the client's domain as being a malicious email sender.
It turned out that the client's website had been compromised as part of the broader LandUpdate 808 campaign but the site was simply a brochureware asset for the company. The greatest impact was felt when the global email security platforms had flagged the client's domain reputation causing every outbound mail to be quarantined, even once the website had been cleaned and the email signatures removed. Although the damaged email reputation was an unintended consequence of the website compromise and is an interesting story on its own, this threat advisory will focus on the website compromise itself.
Business Impact for the Client
- The client had been working a number of sales opportunities which had included email questions and responses to formal RFPs. Ultimately, the client lost deals to the tune of hundreds of thousands of pounds because the prospects claimed that emails never arrived and they simply thought the client had lost interest.
- The website ultimately had to be rebuilt and new controls rolled out to secure it. The business were unable to push critical marketing updates and collateral to the site for three weeks.
- The client's small IT team were engaged in the incident over the Easter weekend losing time with their families. The human cost aside, many tens of thousands of pounds were spent to rebuild and secure the "low priority" website.
- Even with the vendors on the phone, it is extremely difficult to have flags on email reputation removed when the email platforms span the globe. The digital first business were unable to communicate externally for at least a week and in some platform cases, two weeks.
How Talanos Contained the Crisis
After quickly identifying the cause of the email quarantines and the website compromise, Talanos isolated the website, performed forensics, removed the infection and vulnerable components, and reverted the website to a clean backup - that had been thoroughly tested and reviewed. This entire process was completed in roughly 4 hours from the first incident call.
We also coordinated email domain reputation delisting requests with Proofpoint and Mimecast, who subsequently lifted the quarantines once the website was cleaned.
Finally, we provided the client with an incident report that detailed the compromise timeline, actions taken and closing recommendations to implement a number of controls to better secure the website against future attack. The client subsequently employed Talanos to implement the recommendations on their behalf so that the rebuilt site could be returned to the business as quickly as possible.
Strategic Takeaway
Your company website might be hosted and even managed by a third-party and perhaps its even considered low criticality brochureware but it shares a very important asset with the rest of the organisation - your reputation and your corporate domain. It would have been impossible to model this particular threat and yet, compromise of this asset lead to lost revenue and unexpected cost. Luckily in this instance, the reputational damage was minimised through speedy and decisive incident response.
Deeper Technical Analysis
What follows is technical deep dive on the website compromise itself, which might help others diagnose the same issues in their own environments. If you're not all that interested in reading further, it was an unpatched vulnerability in a deeply buried supply chain dependency... Lessons learnt and control recommendations are included at the end of the article.
Motivation: LandUpdate808
The investigation essentially kicked off when Proofpoint’s sandbox detonated the client's homepage URL and traced a redirect chain to the LandUpdate 808 fake Chrome update infrastructure. That finding placed the externally hosted and managed WordPress site squarely in the spotlight. Intermittent attempts to connect to the website resulted in redirects to a page that tried to trick the user into downloaded an updated version of Chrome.
A line of HTML was being dynamically inserted the client's Wordpress pages which was causing the redirect.
Searching through the Wordpress site, hosted with WP Engine, the team could not discover the source of the dynamically added code until we connected via SFTP to the underlying site file system and began reviewing the code and plugins. Plugins in Wordpress are held in the wp-content\plugins directory and there was a plugin listed in the directory that was not visible on either the Wordpress or the WP Engine management interfaces called:
WP Rock or WP-antymalwary-bot
The misspelling of the "antymalwary" plugin name is a dead giveaway and the alternative name is an attempt at confusing the user with "WP Rocket" which is a legitimate Wordpress plugin. The malicious plugin is not obfuscated and is conveniently commented throughout (albeit in Russian) describing the various functions and features of WP Rock:
- The ability to hide the plugin from the Wordpress admin console and interface
- Backdoor admin access
- Beaconing to a C2
- Executing encrypted C2 commands
- Dynamically adding output to rendered php pages (our culprit)
But how did the plugin get there? A review of the logs shows that a client staff member logged in (out of normal hours), entered their 2FA!, created, connected and then deleted an SFTP session in which they uploaded the plugin. They had been in and out in 4 minutes flat.
Hunting & Detection Tips
| Vector | Indicator | Detection Logic |
| Network | Outbound HTTP POST to 45.61.136.85:5555/api/plugin-ping | Egress firewall rule or SIEM alert on destination IP/port 5555 |
| Network | HTTPS GET to cwcstudios.com/ads.php followed by injection of decoded URL | Web VPC flow logs + response body inspection |
| HTTP Parameters | Requests carrying emergency_login=nhf8uihu3uif8y77uh, urlchange, or linkupdate | WAF rule: block or alert on these query parameters |
| Filesystem | Creation or edit of wp-rock.php; modification timestamps that update without admin interaction | Tripwire / WP integrity monitor |
| REST API | POST /wp-json/custom/v1/admin-command from unauthenticated source | Log and block POSTs to the custom namespace when no auth header present |
Wordpress 2-Factor Authentication is a Mess
There isn't out-of-the-box 2FA support in Wordpress and you need to fork out some hard-earned cash for a "premium" third-party plugin and the best known, most reputable is from Miniorange. The client had diligently purchased, installed and regularly patched the Miniorange 2-Factor Authentication plugin and were using it across their admin and marketing users to login to Wordpress. They were on the latest premium version 17.0 and during a static analysis of the plugin (along with the rest of the site during forensics), it was discovered that the 2FA plugin also had two other "premium" Miniorange plugin products embedded within:
- Malware Scanner 4.8.0
- Web Application Firewall 2.1.1
We talked to Miniorange support to understand why these components were there in a 2FA plugin and how they managed vulnerabilities and they responded that:
We follow a proactive approach to security with continuous code reviews and automated scanning tools to detect potential vulnerabilities.
All reported or internally discovered vulnerabilities are triaged based on severity, impact, and exploitability.
High-severity vulnerabilities are prioritized and patched as quickly as possible, often within 24–72 hours depending on the complexity.
In the latest version (18.0) of the plugin, we have revamped the whole plugin which includes the major architecure changes as well as the UI/UX changes. The previous version contained some unnecessary code e.g. Malwar[e] scanner, WAF etc., So have removed all such code and kept only optimized code.
We fully understand the importance of transparency and consistency, especially when it comes to version tracking and plugin integrity. We take your concerns seriously and are working to ensure our premium distributions follow expected standards more closely going forward.
Interestingly, the Malware Scanner component included in version 17 of the plugin had a critical CVE patched that remained unpatched in the WAF component. The Web Application Firewall 2.1.1 component falls within the vulnerable range described by CVE-2024-2172 (CVSS 9.8)—an unauthenticated privilege escalation flaw that lets any visitor invoke mo_wpns_init() and obtain administrator rights. The affected code remained dormant but reachable inside the bundled plugin files.
Exploiting CVE-2024-2172
The vulnerable function mo_wpns_init() is reachable without authentication. Because it performs no capability check, any unauthenticated visitor could invoke the endpoint and instantly acquire administrator privileges—an attack path documented in the CVE advisory.
While the live exploit sequence was not captured in server logs (Wordpress and WP Engine hadn't been configured to keep logs that go back far enough to the initial compromise), code inspection confirms that the vulnerable call path exists inside Web Application Firewall 2.1.1 and this likely explains how the attacker gained elevated access.
The premium versions of the Miniorange plugin are obfuscated with mixed hex and octal combinations and unless the client decoded the plugin and manually analysed the complete contents of the plugin - checking the dependencies for vulnerabilities as they went, there is no way they would have been able to detect and patch this vulnerability but you would have thought that the vendor would have done this for them.
Control Recommendations
We completed a Wordpress redesign for the client to secure their website against future attacks and some of those control recommendations are here for your consideration, however if you want to discuss a security assessment and the improvement of your own website, please do get in touch.
| Control Area | Observed Gap | Corrective Action |
| Asset Visibility | Website logs were never forwarded to the SIEM and were rotated too often on the server which meant historical logs were lost. | Ship your website logs offsite to extend log retention period. You will need another premium plugin to do this and we recommended WP Activity Log |
| Resilience | Website backups were not automatic and were stored on the compromised server | Automate your backups because the easiest way to recover a Wordpress site is through restoring its backup but don't rely on backups that could have been tampered with and ship them offsite. We recommended Updraft Plus |
| Administration | If you lose your credentials, then SFTP is pretty easy to compromise and it was regularly used by admins as a backup break-glass access | Disable SFTP altogether and rather use key-based SSH where the key can be stored in the corporate PAM system as a break-glass mechanism |
| Email Reputation | One poisoned URL triggered block lists across multiple gateways | Route email signature links through an isolated vanity subdomain or remove hyperlinks entirely |
| Plugin Provenance | Unreviewed plugins introduced vulnerabilities and once exploited, created backdoors for compromise | Use as few plugins as possible, pay for the premium versions that include support and security patches, verify hashes before installation and promotion. Understand plugin dependencies and if possible, perform a third-party code review. |
| Security Testing | Client's customers were the first to identify an issue and only through reactive investigation, was the website compromise discovered | Regularly test your website externally, from the perspective of end-users to detect early signs of compromise |
| Authentication | Client used a separate basic authentication system from their corporate SSO, which used a different (compromised) MFA system and password policy. | Integrate all your systems (including your website management) with your corporate SSO to benefit from conditional access policies, MFA, etc. Create accounts for your external third-party marketing firm on your SSO to access your site using individual (non-shared) accounts. |
