IN THROUGH THE OUTDOOR — Backdoor slipped into multiple WordPress plugins in ongoing supply-chain attack Malicious updates available from WordPress.org create attacker-controlled admin account.
Dan Goodin – Jun 24, 2024 9:00 pm UTC EnlargeGetty Images reader comments 25
WordPress plugins running on as many as 36,000 websites have been backdoored in a supply-chain attack with unknown origins, security researchers said on Monday.
So far, five plugins are known to be affected in the campaign, which was active as recently as Monday morning, researchers from security firm Wordfence reported. Over the past week, unknown threat actors have added malicious functions to updates available for the plugins on WordPress.org, the official site for the open source WordPress CMS software. When installed, the updates automatically create an attacker-controlled administrative account that provides full control over the compromised site. The updates also add content designed to goose search results. Poisoning the well
The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow, the researchers wrote. The earliest injection appears to date back to June 21st, 2024, and the threat actor was still actively making updates to plugins as recently as 5 hours ago.
The five plugins are: Social Warfare (https://wordpress.org/plugins/social-warfare/) – 30,000 installs BLAZE Retail Widget (https://wordpress.org/plugins/blaze-widget/) – 10 installs Wrapper Link Elementor (https://wordpress.org/plugins/wrapper-link-elementor/) – 1,000 installs Contact Form 7 Multi-Step Addon (https://wordpress.org/plugins/contact-form-7-multi-step-addon/) – 700 installs Simply Show Hooks (https://wordpress.org/plugins/simply-show-hooks/) – 4,000 installs
Further ReadingWhat we know about the xz Utils backdoor that almost infected the worldOver the past decade, supply chain attacks have evolved into one of the most effective vectors for installing malware. By poisoning software at the very source, threat actors can infect large numbers of devices when users do nothing more than run a trusted update or installation file. Earlier this year, disaster was narrowly averted after a backdoor planted in the widely used open source XZ Utils code library used by was discovered, largely by luck, a week or two before it was scheduled for general release. Examples of other recent supply-chain attacks abound.
The researchers are in the process of further investigating the malware and how it became available for download in the WordPress plugin channel. Representatives of WordPress, BLAZE, and Social Warfare didnt respond to emailed questions. Representatives for developers of the remaining three plugins couldnt be reached because they provided no contact information on their sites. Advertisement
The Wordfence researchers said the first indication they found of the attack was on Saturday from this post by a member of the WordPress plugins review team. The researchers analyzed the malicious file and identified four other plugins that were infected with similar code. The researchers wrote further:
At this stage, we know that the injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server. In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website. The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow. The earliest injection appears to date back to June 21st, 2024, and the threat actor was still actively making updates to plugins as recently as 5 hours ago. At this point we do not know exactly how the threat actor was able to infect these plugins.
Anyone who has installed one of these plugins should uninstall it immediately and carefully inspect their site for recently created admin accounts and malicious or unauthorized content. Sites that use the Wordfence Vulnerability Scanner will receive a warning if theyre running one of the plugins.
The Wordfence post also recommended people check their sites for connections from the IP address 94.156.79.8 and admin accounts with the usernames Options or PluginAuth. reader comments 25 Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Advertisement Promoted Comments Andrewcw I think the "Install Numbers" should be "Active Users" that wordpress is aware of.
If you look at the App that has 30K It has 1.7 Million Downloads for its lifetime. It must of sucked but given that it is a backdoor. They probably put in the malicious code in and took it out multiple times. Given that most people don’t have plug-ins as auto update on wordpress. Putting in and taking out the code constantly would be the best way to hide and be able to exploit sites. June 24, 2024 at 9:36 pm Channel Ars Technica ← Previous story Next story → Related Stories Today on Ars