- Vulnerability in UpdraftPlus plugin on Awesome Motive’s marketing server enabled CDN compromise and malicious JavaScript injection
- Malware targeted logged-in WordPress admins, harvesting authentication tokens and nonces and creating rogue admin accounts for full takeover
- Site owners are encouraged to check for fake admin accounts (‘developer_api1’, ‘dev_xxxxxx’) and hidden backdoor plugins, and to rotate credentials and security salts
More than a million WordPress websites were at risk of full website takeover after a vulnerability in a plugin enabled a large-scale supply chain attack. The attack was discovered over the weekend by e-commerce security outfit Sansec and later confirmed by the victim company.
According to the researchers, hackers found and exploited a vulnerability in the UpdraftPlus WordPress plugin running on a marketing server belonging to Awesome Motive, the company behind several popular WordPress products, including OptinMonster, TrustPulse and PushEngage.
Although the vulnerable server was not part of the production environment, it stored credentials for the company’s content delivery network (CDN), and by using the stolen CDN API key, the attackers were able to modify JavaScript files distributed through Awesome Motive’s CDN.
Targeted at administrators only
The compromised files were loaded by sites running OptinMonster, TrustPulse and PushEngage, meaning that the attackers’ JavaScript was served to visitors of those sites, though not every visitor was targeted.
The malware only activated when a logged-in WordPress administrator visited an affected site, which helped it stay hidden while reaching only high-privilege users. The malicious script then harvested the admin’s authentication tokens and WordPress nonces (the per-session CSRF tokens that admin actions require) and used them to create new administrator accounts.
In the next step, the attackers installed additional malicious plugins, established command-and-control infrastructure, and began exfiltrating sensitive data. The malware also enabled web-shell functionality, arbitrary PHP code execution, file handling capabilities, and pretty much anything else an administrator could do.
Even after Awesome Motive removed the malicious CDN scripts, the attackers retained control of already compromised websites through the rogue administrator accounts and hidden backdoor plugins. Therefore, site owners at risk of takeover should look for rogue admin accounts named ‘developer_api1’ or ‘dev_xxxxxx’, inspect the file system directly under wp-content/plugins for hidden backdoor plugins (a backdoor plugin can filter itself out of the dashboard’s plugin list, so the directory listing, not the dashboard, is the source of truth), and perform server-side malware scans.
Additionally, they should rotate admin passwords, API keys, database credentials, and WordPress security salts. Rotating the salts invalidates every existing login cookie, including any session the attackers established with the harvested tokens.
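The three checks above, written out as a POSIX shell triage script. This is an added example, not code from the article, Sansec or Awesome Motive: it assumes the rogue-account pattern is a login of exactly ‘developer_api1’ or ‘dev_’ followed by alphanumerics (the article gives ‘dev_xxxxxx’ as a placeholder), and it takes the administrator list and the WordPress-reported plugin list as plain text input so it can be fed from WP-CLI (`wp user list --role=administrator --field=user_login`, `wp plugin list --field=name`) or from a database dump. The salt generator uses the eight salt/key constant names WordPress defines in wp-config.php.

```shell
#!/bin/sh
# Added example (not from the article): post-incident triage helpers for a WordPress site.
# Assumption: rogue admin logins look like 'developer_api1' or 'dev_' + alphanumerics.

# find_rogue_admins: reads administrator logins, one per line, on stdin and
# prints the ones matching the rogue-account naming pattern from the article.
find_rogue_admins() {
    grep -E '^(developer_api1|dev_[A-Za-z0-9]+)$'
}

# find_hidden_plugins PLUGIN_DIR VISIBLE_LIST_FILE
# Prints every directory under PLUGIN_DIR (normally wp-content/plugins) that
# does not appear in VISIBLE_LIST_FILE, the list of plugins WordPress itself
# reports. A backdoor plugin that filters itself out of the dashboard still
# has to exist on disk, so anything on disk but not in the list is suspect.
find_hidden_plugins() {
    plugin_dir=$1
    visible=$2
    for d in "$plugin_dir"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        grep -qx "$name" "$visible" || echo "$name"
    done
}

# new_salt_define NAME: prints a wp-config.php define() line with a fresh
# 64-character random secret (characters chosen to be safe inside a PHP
# single-quoted string: no quote or backslash).
new_salt_define() {
    key=$1
    secret=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=' < /dev/urandom | head -c 64)
    printf "define('%s', '%s');\n" "$key" "$secret"
}

# rotate_salts: prints replacement define() lines for all eight WordPress
# keys and salts. Replacing these in wp-config.php invalidates every existing
# login cookie, attacker sessions included, so all admins must log in again.
rotate_salts() {
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        new_salt_define "$k"
    done
}

# Example invocation against a live install (requires WP-CLI on the host):
#   wp user list --role=administrator --field=user_login | find_rogue_admins
#   wp plugin list --field=name > /tmp/visible.txt
#   find_hidden_plugins wp-content/plugins /tmp/visible.txt
#   rotate_salts   # paste the output over the existing block in wp-config.php
```

Deleting a rogue account and a hidden plugin is not enough on its own: the harvested tokens keep any already-issued admin cookie valid until the salts change, which is why the salt rotation belongs in the same maintenance window as the account clean-up.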
Via Bleeping Computer

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.