Supply-Chain Attack on WordPress Plugins: A Closer Look

HFS Servers

Supply-Chain Attack on WordPress Plugins: A Closer Look

WordPress, the popular open-source content management system (CMS), has recently fallen victim to a supply-chain attack. In this sophisticated campaign, threat actors have surreptitiously backdoored several plugins hosted on WordPress.org, compromising thousands of websites. Let’s explore the details of this incident and its implications.

WordPress

The Attack

  1. Affected Plugins
    • At least five plugins have been identified as part of this attack:
      • Social Warfare (30,000 installs)
      • BLAZE Retail Widget (10 installs)
      • Wrapper Link Elementor (1,000 installs)
      • Contact Form 7 Multi-Step Addon (700 installs)
      • Simply Show Hooks (4,000 installs)
    • These plugins were manipulated by threat actors who injected malicious PHP scripts into their source code.
  2. How It Works
    • The attackers modified the plugins’ updates available on WordPress.org.
    • When users installed these seemingly legitimate updates, they unwittingly created an attacker-controlled administrative account on their websites.
    • This account grants full control over the compromised site, allowing the attackers to execute further actions.
  3. Code Analysis
    • The injected malicious code isn’t overly complex; it lacks heavy obfuscation.
    • Comments within the code make it easy to follow.
    • The earliest injection dates back to June 21st, 2024, and the attackers continued making updates as recently as 5 hours ago.
  4. Search Engine Manipulation
    • In addition to creating backdoors, the attackers added content designed to manipulate search engine results.
    • By doing so, they aimed to increase the visibility of their malicious sites.

Supply-Chain Attacks: A Growing Threat

Supply-chain attacks have become increasingly effective for threat actors. By compromising software at its source, they can infect a large number of devices when users innocently install trusted updates or installation files. Earlier this year, a similar incident was narrowly averted with the widely used XZ Utils code library.

Ongoing Investigation

Researchers are actively investigating how the malware became available for download via the WordPress plugin channel. Unfortunately, representatives from WordPress, BLAZE, and Social Warfare have not responded to inquiries.

Conclusion

As the threat landscape evolves, vigilance is crucial. Website administrators should verify the integrity of plugins and updates, and developers must prioritize security throughout the software supply chain.

Remember, even in the realm of open-source software, vigilance and caution are our best defenses against such attacks.


You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.

Share this content:

Post Comment