- Ongoing cyber attack compromises the BuddyBoss update system
- Malicious updates steal admin credentials, Stripe keys and databases
- Hundreds of websites are already affected; thousands more at risk, administrators urged to disable automatic updates and rotate credentials
A major cyber attack against websites running the BuddyBoss WordPress plugin is currently underway and users are being urged to secure their assets or risk complete compromise and site takeover.
BuddyBoss is a WordPress platform and theme that people can use to create online communities, membership sites, and e-learning platforms. It apparently has 50,000 customers, including 27,000 BuddyBoss Platform and BuddyBoss Theme package users.
According to Cybernews, an unidentified French-speaking threat actor somehow broke into the system that delivers software updates to BuddyBoss. There, they used Claude to help write malicious code and figure out how to push it to the update server.
Hundreds of compromised websites
Popular AI tools such as Claude have safeguards intended to block this kind of abuse, but the attackers managed to get around them (probably by framing the request as a harmless hacking challenge).
After inserting the malware into the updates, they simply waited for users to install them, compromising their websites in the process. Cybernews says the attack was only discovered on March 19. The malware is designed to steal admin passwords and API keys, copy entire databases, and open a backdoor that allows remote access.
According to Cybernews, some of the data already stolen in the campaign includes Stripe payment keys, making this campaign particularly concerning.
The compromised versions are BuddyBoss Platform 2.20.3 and BuddyBoss Theme 2.19.2. All site administrators running either of these versions are encouraged to temporarily disable automatic updates, revert to server backups made prior to updating to these versions, and then analyze their server logs for potential indicators of compromise. Finally, all passwords, API tokens, and other credentials should be rotated as soon as possible.
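A first triage step for administrators is simply confirming whether a site is running one of the two versions named above. The script below is an added example, not code from the article or from BuddyBoss: it reads the `Version:` line from the standard WordPress plugin and theme header blocks under a wp-content directory and flags the compromised versions. The directory slugs (`plugins/buddyboss-platform`, `themes/buddyboss-theme`) and the sample file name `bp-loader.php` are assumptions about a typical install layout; the sample headers are constructed for the offline demo.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Versions the article names as carrying the malicious update. The directory slugs
# are an assumption about a typical wp-content layout, not taken from the article.
COMPROMISED = {
    "plugins/buddyboss-platform": {"2.20.3"},
    "themes/buddyboss-theme": {"2.19.2"},
}
# "Version:" line of a WordPress plugin header (PHP docblock) or theme header (style.css).
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)
# Constructed sample headers (not real BuddyBoss files) used by the offline demo below.
SAMPLE_PLUGIN = "<?php\n/**\n * Plugin Name: BuddyBoss Platform\n * Version: 2.20.3\n */\n"
SAMPLE_THEME = "/*\nTheme Name: BuddyBoss Theme\nVersion: 2.18.0\n*/\n"

def header_version(header_text: str) -> Optional[str]:
    """Return the declared version from a plugin/theme header, or None if absent."""
    match = VERSION_RE.search(header_text)
    return match.group(1) if match else None

def scan_wp_content(wp_content: Path) -> dict:
    """Map each installed BuddyBoss component to (version, is_compromised_version).
    Plugins carry the header in a top-level .php file, themes in style.css;
    components whose directory is missing are left out of the result."""
    results = {}
    for component, bad_versions in COMPROMISED.items():
        base = wp_content / component
        if not base.is_dir():
            continue
        files = [base / "style.css"] if component.startswith("themes/") else sorted(base.glob("*.php"))
        versions = [header_version(p.read_text(errors="replace")) for p in files if p.is_file()]
        version = next((v for v in versions if v), None)  # first file with a Version: header
        results[component] = (version, version in bad_versions)
    return results

def build_sample_tree(root: Path) -> Path:
    """Write the constructed sample headers into a wp-content-like tree (demo only)."""
    (root / "plugins/buddyboss-platform").mkdir(parents=True)
    (root / "plugins/buddyboss-platform/bp-loader.php").write_text(SAMPLE_PLUGIN)
    (root / "themes/buddyboss-theme").mkdir(parents=True)
    (root / "themes/buddyboss-theme/style.css").write_text(SAMPLE_THEME)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for component, (version, bad) in scan_wp_content(build_sample_tree(Path(tmp))).items():
            print(f"{component}: {version or 'unknown'} -> {'COMPROMISED VERSION' if bad else 'not a listed version'}")
```

Point `scan_wp_content` at a real wp-content directory to check a live install; a flagged component is the cue to restore the pre-update backup and rotate credentials as described above.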
Cybernews says “hundreds of websites” have already been compromised, with “thousands” more at risk. At press time, at least 309 websites have had their credentials and databases exfiltrated.
Via Cybernews