On June 24th, 2024, the Wordfence Threat Intelligence Team became aware of a WordPress plugin, Social Warfare, that was infected with malware through the WordPress repository.
We immediately notified the WordPress Plugin's Team and they removed the malicious content from the plugins and performed some automated actions to invalidate the passwords of the injected administrator accounts.
All Wordfence users will be notified by the Wordfence plugin and Wordfence CLI if they are running a vulnerable version of one of the plugins, and they should update the plugins immediately where available.
In the past, we investigated and led the story about Mason Soiza, a malicious threat actor who bought a series of WordPress plugins for the sole purpose of injecting SEO pharma spam into them.
We've seen plugin authors with malicious intent inject malware to leverage their paying customers to DDoS competitors and harvest user data in the Pipdig scandal, and we've seen other plugin authors simply inject backdoors into their plugin allowing them to log in as administrators.
WordPress.org and plugin developers are the supplier, while WordPress site owners are the ones using the product and receiving the supply.
It's no surprise that WordPress plugins and themes, an element in the WordPress supply chain, are a prime target for threat actors.
WordPress site owners are often reminded that the best practice is to keep plugins and themes up to date, making it fairly easy for an attacker to be successful in infecting a large number of victim sites once they go to update their plugins/themes, granted the attacker is able to infect the plugin or theme prior to it being updated on the WordPress site.
Inexperienced developers using random code tutorials, poorly trained AI introducing vulnerabilities and malware, external libraries used in plugin code, committer accounts on WordPress.org, and even the infrastructure supporting these supply points could all be targets.
During our investigation, we found that there appeared to be no clear correlation between the various plugin authors making the commits that would lead us to believe that someone took ownership of these plugins and then infected them.
The first was that these developer accounts with commit access were simply compromised and then leveraged to push updates to these plugins, and the second was that WordPress.org infrastructure was compromised in some way that made it possible for the attacker to commit updates to the plugins.
None of the affected plugins had more than 40,000 users, and there was no relationship between the various different plugins.
The first plugin that appears to have been infected was Blaze Widgets, a plugin that hadn't been updated in 4 years, which all of a sudden had a commit with the message recon four months ago.
Provide access to some tools such as 2FA for.org accounts and release confirmation emails, though given the history of security vulnerabilities in WordPress plugins and themes, it's likely a fair amount of developers are not actually utilizing these security features.
We did find that the five plugin author accounts associated with the commits appear to be disabled, and additional plugins under their development have been closed for downloads.
If you have a high value WordPress site running, and you can't review the code, then hire a security professional to review and manage your plugin updates for you.
Abandoned plugins are a prime target for attackers because it means the developer is likely not active on WordPress.org and their account could have weak security making it susceptible to compromise.
It can be hard for a Web Application Firewall to prevent a supply chain attack like this from occurring due to the fact that a plugin update is inconspicuous and appears mostly legitimate.
In today's post, we highlighted the recent supply chain attack on WordPress that led to 35,000 sites being affected by malicious code due to a threat actor pushing updates to plugins in the WordPress.org repository.
While it can often be difficult to prevent supply chain attacks from being detected and prevented due to their stealth and nature, we hope that we've provided enough security guidance and information to help both site owners protect themselves from supply chain attacks, and developers preventing their plugins from being a successfully compromised target in a supply chain attack similar to the one we've highlighted today.
This Cyber News was published on www.wordfence.com. Publication date: Wed, 26 Jun 2024 22:13:06 +0000