What's Happening?
A significant security breach has been identified involving several popular WordPress plugins, which have been hijacked to install hidden backdoors and unauthorized administrator accounts on approximately 1.2 million websites. The attack, uncovered by Dutch malware research firm Sansec, targeted JavaScript code used by the plugins OptinMonster, TrustPulse, and PushEngage, all managed by WordPress vendor Awesome Motive. The malicious code was distributed through Awesome Motive's delivery network, affecting any site that loaded the scripts. The attack remains dormant until a logged-in administrator accesses a page, at which point it creates a new admin account and installs a self-concealing backdoor plugin. This breach is reminiscent of the 2024 Polyfill attack, where a single compromised file impacted numerous sites. The exact method of entry for the attackers is still unknown, but potential entry points include Awesome Motive's servers or its CDN account.
Why Is It Important?
This breach highlights the vulnerabilities in the supply chain of widely used software plugins, posing a significant risk to website security. With the affected plugins being integral to millions of websites, the potential for widespread exploitation is high. The creation of rogue administrator accounts and backdoors could lead to unauthorized access and control over these sites, potentially resulting in data theft, defacement, or further malware distribution. This incident underscores the critical need for robust security measures and monitoring within software supply chains, especially for platforms like WordPress that power a substantial portion of the internet. Website owners and administrators using Awesome Motive plugins are advised to be vigilant for unusual admin accounts and suspicious traffic, as these could indicate a compromise.
What's Next?
Website administrators using the affected plugins should immediately check for unfamiliar administrator accounts and monitor traffic for connections to suspicious domains like tidio[.]cc. Sansec has urged users to act swiftly if any signs of compromise are detected. Meanwhile, Awesome Motive is likely to investigate the breach to identify the entry point and prevent future attacks. The company may also need to issue updates or patches to secure the compromised plugins. This incident may prompt broader discussions and actions within the tech community to enhance the security of software supply chains, potentially leading to new standards or practices to prevent similar attacks.