Monday, March 17, 2025
Homecyber securityArbitrary File Upload Vulnerability in WordPress Plugin Let Attackers Hack 30,000 Website

Arbitrary File Upload Vulnerability in WordPress Plugin Let Attackers Hack 30,000 Website

Published on

SIEM as a Service

Follow Us on Google News

A subgroup of the Russian state-sponsored hacking group Seashell Blizzard, also known as Sandworm, has intensified its cyber operations through a campaign dubbed BadPilot.

This multi-year initiative has targeted critical infrastructure worldwide, expanding the group’s reach beyond its traditional focus on Ukraine and Eastern Europe to include North America, Europe, and Asia-Pacific regions.

Exploiting Vulnerabilities for Persistent Access

Active since at least 2021, the BadPilot campaign specializes in exploiting vulnerabilities in internet-facing infrastructure to gain initial access and establish long-term persistence in high-value networks.

The subgroup has been observed targeting sectors such as energy, oil and gas, telecommunications, shipping, arms manufacturing, and government organizations.

Microsoft researchers have identified the exploitation of at least eight known vulnerabilities, including flaws in widely used IT management tools like ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788).

These exploits enable the attackers to infiltrate systems, collect credentials, execute commands, and facilitate lateral movement within networks.

According to Wordfence, the campaign employs a combination of opportunistic “spray-and-pray” attacks and targeted intrusions.

Once inside a network, attackers utilize advanced techniques such as modifying DNS configurations and injecting malicious JavaScript into login portals to harvest credentials.

They also deploy remote management tools like Atera Agent to maintain stealthy persistence while blending into legitimate network traffic.

Strategic Expansion of Operations

The BadPilot subgroup’s activities align with Russia’s geopolitical objectives, particularly in supporting military operations and intelligence gathering.

Initially concentrated on Ukraine during the early stages of Russia’s invasion in 2022, the campaign has since broadened its scope to include critical infrastructure in countries such as the United States, United Kingdom, Canada, and Australia.

This geographical expansion reflects Russia’s strategic interest in disrupting adversarial nations while maintaining options for future cyber-enabled operations.

Microsoft reports that this subgroup has enabled at least three destructive cyberattacks in Ukraine since 2023.

These attacks demonstrate the group’s capability to transition from espionage to disruptive operations when aligned with Kremlin priorities.

The subgroup’s persistent access to compromised networks provides Seashell Blizzard with a scalable platform for both immediate cyberattacks and long-term intelligence gathering.

The BadPilot campaign underscores the evolving threat posed by state-sponsored hacking groups.

By leveraging known vulnerabilities and advanced persistence techniques, Seashell Blizzard continues to challenge global cybersecurity defenses.

The campaign’s focus on critical infrastructure highlights the urgent need for organizations to patch vulnerabilities promptly and adopt robust monitoring solutions.

Experts warn that this subgroup is likely to continue innovating horizontally scalable techniques to compromise networks worldwide.

As the geopolitical landscape evolves, these cyber operations are expected to remain a cornerstone of Russia’s strategic objectives.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Hackers Rapidly Adopt ClickFix Technique for Sophisticated Attacks

In recent months, a sophisticated social engineering technique known as ClickFix has gained significant...

Supply Chain Attack Targets 23,000 GitHub Repositories

A critical security incident has been uncovered involving the popular GitHub Action tj-actions/changed-files, which...

Beware! Malware Hidden in Free Word-to-PDF Converters

The FBI has issued a warning about a growing threat involving free file conversion...

MassJacker Clipper Malware Targets Users Installing Pirated Software

A recent investigation has uncovered previously unknown cryptojacking malware, dubbed MassJacker, which primarily targets...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Hackers Rapidly Adopt ClickFix Technique for Sophisticated Attacks

In recent months, a sophisticated social engineering technique known as ClickFix has gained significant...

Supply Chain Attack Targets 23,000 GitHub Repositories

A critical security incident has been uncovered involving the popular GitHub Action tj-actions/changed-files, which...

Beware! Malware Hidden in Free Word-to-PDF Converters

The FBI has issued a warning about a growing threat involving free file conversion...