Reports are surfacing that indicate a large-scale iframe injection operation targeting websites is exploiting vulnerabilities in several popular plugins, including TimThumb, phpMyAdmin and Uploadify.
The majority of the sites being targeted are running Plesk Panel version 10.4.4 or older, and researchers from Sucuri have indicated that as many as fifty thousand websites may have been compromised by an unidentified botnet operation.
Brian Krebs reports that the attacks may be linked to a recently discovered zero-day exploit for Plesk that is being sold on the black market for around $8,000 per purchase.
According to Krebs, the exploit is designed to harvest the administrator password needed to access the Plesk control panel, used by website admins to remotely control the servers their respective websites are located on, usually through a third-party hosting service.
The connection to the Plesk exploit is as yet circumstantial, but analysis by Sucuri's Daniel Cid points to the vulnerability as a key factor in the swift compromise of the affected websites.
"What is interesting is that most of our clients always used to be using CMSs (like WordPress, Joomla, etc), but lately we are seeing such a large number of just plain HTML sites getting compromised and when we look deeper, they are always using Plesk," Cid told Krebs.
Last month, malware researcher Denis Sinegubko provided analysis of the BlackHole Exploit Kit's successful compromise of several sampled websites, and determined that a vulnerability in Plesk was probably the culprit.
The bug was subsequently patched, but the new wave of website hacks is an indication that another serious flaw in the application may be as yet unmitigated.
The BlackHole Exploit Kit is one of the most popular exploit packs in the underground market, and Symantec's analysis of the latest incarnation revealed it was adapted to take advantage of an unpatched vulnerability in Microsoft XML Core Services (CVE-2012-1889) to facilitate drive-by attacks on Internet users.
BlackHole injects malicious code into compromised websites, allowing attackers to utilize a variety of exploits that target vulnerabilities in widely used applications like Java and Flash, and infects victims with a drive-by attack when they visit the compromised website.