{"id":4172,"date":"2024-06-25T11:40:27","date_gmt":"2024-06-25T16:40:27","guid":{"rendered":"https:\/\/www.darkreading.com\/cloud-security\/wordpress-supply-chain-attack-multiple-plug-ins"},"modified":"2024-06-25T11:40:27","modified_gmt":"2024-06-25T16:40:27","slug":"wordpress-supply-chain-attack-spreads-across-multiple-plug-ins","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/06\/25\/wordpress-supply-chain-attack-spreads-across-multiple-plug-ins\/","title":{"rendered":"WordPress Supply Chain Attack Spreads Across Multiple Plug-Ins"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

A threat actor or actors has compromised <\/span>multiple plug-ins<\/a><\/span> on the WordPress.org site with code aimed at giving attackers administrative privileges as well as conducting further malicious activity.<\/span><\/p>\n

WordPress.org’s Plug-in Review team warned users on Monday that a plug-in called <\/span>Social Warfare<\/a><\/span> was infected by malicious code, according to a forum post. After noticing the post, Wordfence researchers did some follow-up and discovered that there were several more WordPress.org <\/span>plug-ins<\/a><\/span> injected with the same code, according to <\/span>a blog post<\/a><\/span> published by Wordfence on June 24.<\/span><\/p>\n

In addition to Social Warfare, versions 4.4.6.4 and 4.4.7.1, the affected plug-ins include: <\/span>Blaze Widget<\/a><\/span> v2.2.5 to 2.5.2; <\/span>Wrapper Link Element<\/a><\/span> v1.0.2 to 1.0.3; <\/span>Contact Form 7 Multi-Step Addon<\/a><\/span> v1.0.4 to 1.0.5; and <\/span>Simply Show Hooks<\/a><\/span> v1.2.1.<\/span><\/p>\n

Of the plug-ins, Social Warfare (a social-media-themed offering) has the most installations, with more than 30,000; the rest reached no more than hundreds at the most. Still, the presence of the same malicious code across all of them should raise alarm bells, as it suggests attempts at a larger supply chain attack, according to Wordfence.<\/span><\/p>\n

Social Warfare has been patched in version 4.4.7.3; however, it and all of the affected plug-ins have been delisted and are unavailable for download, at least temporarily, though WordPress.org did not respond when Wordfence reached out about its discovery.<\/span><\/p>\n

None of the other plug-ins currently have a patched version; however, someone has removed the malicious code from Wrapper Link Element in a current version that’s been tagged as 1.0.0, which is lower than the infected versions and thus may make it difficult for users to update, according to Wordfence.<\/span><\/p>\n

Malicious Behavior<\/h2>\n

The malicious code injected in the plug-ins “attempts to create a new administrative user account and then sends those details back to the attacker-controlled server” located at 94.156.79.8, Wordfence threat intelligence lead Chloe Chamberland wrote in the post. The campaign also uses the plug-ins to inject malicious JavaScript into the footer of websites and to add SEO spam throughout it, she said.<\/span><\/p>\n

“The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow,” Chamberland added.<\/span><\/p>\n

The origin of the attack was likely June 21, and attackers were still updating plug-ins about five hours before WordFence published its post on the attack on June 24. The researchers still don’t know exactly how the infection began, and is performing a deeper analysis with updates to follow, she said.<\/span><\/p>\n

Mitigating Attacks Via WordPress Plug-Ins<\/h2>\n

Due to its widespread use as a foundation for websites, the <\/span>WordPress platform<\/a><\/span> and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Typically, attackers target <\/span>singular plug-ins<\/a><\/span> with large install bases; however, the new attack suggests that attackers now may be eyeing more ambitious supply chain attacks across multiple plug-ins to broaden the impact of malicious campaigns, according to Wordfence.<\/span><\/p>\n

As such an attack demands greater vigilance, Wordfence \u2014 which focuses on the security of the <\/span>WordPress platform<\/a><\/span> \u2014 is actively working on a set of malware signatures to provide detection for these compromised plug-ins. In the meantime, anyone using any of the plug-ins should remove them from any websites immediately and “go into incident-response mode,” Chamberland said.<\/span><\/p>\n

“We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan” to remove any malicious code, she said.<\/span><\/p>\n

Wordfence also included in the post various indicators of compromise (IoCs) \u2014 including known usernames associated with attacker-controlled admin accounts \u2014 that WordPress administrators can use to identify evidence of the campaign. Also included is a link to a guide that provides advice on how to clean WordPress-based websites of malicious code.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

A threat actor or actors has compromised multiple plug-ins on<\/p>\n","protected":false},"author":12,"featured_media":4173,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-4172","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/wordpress-supply-chain-attack-spreads-across-multiple-plug-ins.png?fit=1920%2C1080&ssl=1",1920,1080,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/wordpress-supply-chain-attack-spreads-across-multiple-plug-ins.png?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/wordpress-supply-chain-attack-spreads-across-multiple-plug-ins.png?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/wordpress-supply-chain-attack-spreads-across-multiple-plug-ins.png?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/wordpress-supply-chain-attack-spreads-across-multiple-plug-ins.png?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/wordpress-supply-chain-attack-spreads-across-multiple-plug-ins.png?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/wordpress-supply-chain-attack-spreads-across-multiple-plug-ins.png?fit=1920%2C1080&ssl=1",1920,1080,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/wordpress-supply-chain-attack-spreads-across-multiple-plug-ins.png?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/wordpress-supply-chain-attack-spreads-across-multiple-plug-ins.png?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/wordpress-supply-chain-attack-spreads-across-multiple-plug-ins.png?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/wordpress-supply-chain-attack-spreads-across-multiple-plug-ins.png?fit=1920%2C1080&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4172","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4172"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4172\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/4173"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4172"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4172"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4172"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}