WordPress was compromised by the Neutrino Exploit Kit.
This exploit kit installs backdoors on WordPress sites running older versions of the content management system (4.2 and older). It then redirects the victim through a series of iFrames to a landing page hosting a Flash exploit.
The exploit targets users running Internet Explorer, and the victims' computers are infected with CryptoWall 3.0 ransomware.
Researchers investigating the Neutrino Exploit Kit have said that the IP address of the landing page is 185[.]44[.]105[.]17, which is registered to a “Max Vlapet” in Moscow.
Moreover, researchers say the goal of the exploit kit was to harvest credentials and inject an iFrame to redirect users to the landing page. They also said that people who are not using IE should not get the malicious iFrame, and those using IE will not get attacked over and over again due to a cookie that the attackers injected.
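A defender's check for the behaviour described above, as an added example that is not from the original post or the researchers: it compares the same page fetched with an Internet Explorer user agent and with another browser's user agent, and reports iFrames served only to IE. The sample HTML, hostnames and paths are constructed; only the landing-page IP comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Landing-page IP reported in the post, re-fanged for matching only.
REPORTED_LANDING_IP = "185[.]44[.]105[.]17".replace("[.]", ".")


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.sources = set()

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.add(src)


def iframe_sources(html):
    collector = IframeCollector()
    collector.feed(html)
    return collector.sources


def cloaked_iframes(ie_html, other_html):
    """Return iframes served only to the IE user agent.

    Each result is (src, points_at_reported_ip).
    """
    only_ie = iframe_sources(ie_html) - iframe_sources(other_html)
    return sorted((src, urlparse(src).hostname == REPORTED_LANDING_IP)
                  for src in only_ie)


# Constructed sample responses for the same URL (not captured traffic).
# Fetch the IE copy with a fresh cookie jar: per the post, a cookie stops
# the iframe from being served to the same visitor twice.
OTHER_UA_PAGE = '<html><body><iframe src="https://video.example/embed/1"></iframe></body></html>'
IE_UA_PAGE = ('<html><body><iframe src="https://video.example/embed/1"></iframe>'
              '<iframe src="http://185.44.105.17/placeholder" width="1" height="1"></iframe>'
              '<iframe src="http://redirect.example/placeholder"></iframe></body></html>')

if __name__ == "__main__":
    for src, known in cloaked_iframes(IE_UA_PAGE, OTHER_UA_PAGE):
        print(("KNOWN LANDING IP " if known else "IE-only iframe   ") + src)
```

Any iFrame that appears only in the IE response deserves a look even when it does not match the reported IP, since the post describes a chain of iFrames in front of the landing page.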
The CryptoWall ransomware has recently been used in a lot of 0-day exploits, leading some to believe that an APT group is behind this attack.
Like other ransomware, CryptoWall 3.0 encrypts files on a compromised computer and demands a ransom to decrypt them, usually over $400 in Bitcoin. This particular piece of ransomware uses numerous channels to communicate stolen traffic to its keepers, including the I2P and Tor anonymity networks.
WordPress remains a soft spot for hackers and attackers, and the Neutrino Exploit Kit is still active. More often than not, attackers will find and exploit vulnerabilities in plugins (such as Java and Flash); however, there have been occasions where the WordPress Core Engine was attacked.
Also, if you haven’t noticed, this webpage is running on the WordPress Core engine, which is why I made this blog post and is why this is relevant.