The Aftermath of the WordPress.org Supply Chain Attack: New Malware and Techniques Emerge – Security Landscape Evolves
In late June 2024, a significant security breach affected the WordPress.org plugin repository. The incident began with the discovery of malware in the Social Warfare plugin, quickly expanding to impact multiple other plugins.
This event highlighted the vulnerabilities in open-source content management systems and the importance of robust security measures.
The attack’s scope widened over several days, prompting WordPress.org to implement a mandatory password reset for all users.
Security teams worked diligently to identify and combat the various malware strains , releasing protective measures for both premium and free users.
As the situation evolved, new malware variants emerged, necessitating ongoing vigilance and updates to security protocols.
Key Takeaways
- A major security breach affected multiple WordPress plugins in June 2024
- Security teams rapidly developed and deployed protective measures against the malware
- The incident underscored the need for enhanced security in open-source platforms
Novel Credential Theft Technique Emerges
A WordPress agency managing numerous sites fell victim to a sophisticated supply chain attack on July 14, 2024.
The compromise occurred through updates to the Blaze Widget and Social Warfare plugins, leading to unauthorized administrator accounts appearing on multiple websites.
The attackers employed a new malware variant, discovered in the plugins directory of an affected site. This malicious code was programmed to transmit data to a specific IP address: 94.156.79.8.
This address serves as a central hub for the hackers, collecting exfiltrated information and hosting malicious scripts.
Key aspects of this attack include:
- Delayed detection due to the stealthy nature of the compromise
- Use of legitimate plugin updates as an infection vector
- Creation of rogue administrator accounts for persistent access
Security experts have flagged the implicated IP address as malicious.
WordPress site owners are advised to:
- Regularly audit user accounts
- Implement robust security scanning
- Keep plugins updated from trusted sources only
This incident underscores the evolving sophistication of data breaches targeting popular content management systems. It highlights the critical need for vigilance and proactive security measures in the face of increasingly cunning cyber threats.
Unauthorized SMTP Credential Extractor Plugin Discovered
A concerning discovery was made on a website managed by a digital agency. An unauthorized plugin named “Custom Mail SMTP Checker” was found to be present, raising significant security concerns.
This plugin’s primary function appears to be the extraction and transmission of SMTP credentials used by the popular WP Mail SMTP plugin.
The code within this unauthorized plugin operates by hooking into WordPress’s admin_init action. It then checks for the existence of wp_mail_smtp options and, if found, proceeds to flatten the array of options.
The flattened data, along with the site’s URL, is then sent to a remote server via a POST request.
It’s important to note that this malicious activity differs from previous supply chain attacks on WordPress plugins.
While earlier incidents focused on spreading infections, injecting crypto malware, and maintaining unauthorized admin access, this new threat specifically targets SMTP credentials.
The potential impact of this unauthorized plugin may be limited due to the encryption measures implemented in recent versions of WP Mail SMTP.
Since October 2020, version 2.5.0 and later encrypt SMTP passwords by default, storing the encryption key separately. However, this doesn’t completely negate the risk.
Possible scenarios for credential misuse include:
- Attackers already having admin access, allowing them to retrieve encryption keys
- The malicious code being in a testing phase, with more sophisticated versions expected in the future
Website administrators who discover this unauthorized plugin should take immediate action:
- Change email passwords associated with the affected accounts
- Perform a comprehensive security audit and malware removal
- Review and update access controls for the WordPress installation
This incident serves as a reminder of best practices for email handling on WordPress sites:
- Use dedicated email accounts for website communications
- Avoid using personal or business-critical email accounts for site functions
- Regularly update and monitor all plugins, especially those handling sensitive data
While the WP Mail SMTP plugin itself is not vulnerable, this situation highlights the importance of vigilance in managing WordPress installations. Regular security audits, prompt updates, and careful monitoring of installed plugins are crucial steps in maintaining website security.
New Malware Variants Target WooCommerce and Braintree Data
Recent investigations have uncovered two additional malware variants affecting WordPress sites. These new threats specifically target WooCommerce order information and Braintree API data.
The first variant focuses on extracting WooCommerce order details. It operates by collecting order summaries through a custom function.
This malicious code then gathers crucial site information, including:
- Domain name
- Admin username
- Admin password
- WordPress login path
The malware bundles this sensitive data with any available order information and transmits it to a remote server controlled by the attackers. This process poses a significant risk to both website owners and their customers.
The second variant employs similar tactics but targets Braintree API information. Braintree, a popular payment processing service, handles sensitive financial data.
By compromising this information, attackers gain potential access to payment-related details.
Both malware variants utilize exfiltration scripts to steal data.
These scripts employ curl requests to send the collected information to attacker-controlled IP addresses. The use of HTTPS in these requests may make detection more challenging.
Key risks associated with these malware variants include:
- Exposure of customer personal information
- Theft of payment processing credentials
- Potential financial fraud
- Damage to website reputation
Website owners should remain vigilant and implement the following protective measures:
- Regularly scan for malware
- Keep WordPress core, plugins, and themes updated
- Use strong, unique passwords for admin accounts
- Implement two-factor authentication
- Monitor site activity for unusual behavior
By staying informed about these emerging threats and taking proactive security measures, WordPress site owners can better protect their websites and customer data from malicious actors.
Identifying Signs of Infection
Several key indicators can help detect potential malware infiltration resulting from the recent WordPress supply chain attack. Security professionals should be vigilant for specific file names and IP addresses associated with this threat.
The presence of the IP address 94.156.79.8 in PHP files or detected during malware scans strongly suggests data exfiltration. This IP serves as a reliable marker of malicious activity.
Suspicious plugin file names to monitor include:
- informative/testplugingodlike.php
- core_plug/godlikeplug8.php
- braintree-api-key-sender3/braintree-api-key-sender.php
- hello-world/`xg.php
- hello-world/hello-world.php
- custom-mail-smtp-checker/custom-mail-smtp-checker.php
While these names may evolve, the associated IP remains a consistent indicator of malicious code.
In some instances, cryptomining JavaScript has been injected directly into cached pages.
Sites using caching plugins should run thorough malware scans on these cached files, which may trigger alerts for the aforementioned IP address. After completing a full site cleanup, clearing the cache is strongly recommended.
Security teams should remain alert to new variations of malware and file names as threat actors adapt their tactics.
Regular scans, code reviews, and monitoring of file system changes are crucial steps in maintaining WordPress site security and swiftly identifying potential compromises.
Key IP Addresses
The attackers utilized the IP address 94.156.79.8 as a central hub for their malicious activities.
This server hosted harmful JavaScript code and functioned as a data collection point. Network administrators should closely monitor and block traffic to this IP to help prevent compromise.
Suspicious Administrative Usernames
Several unusual usernames have been identified as potential indicators of compromise in WordPress administrative accounts.
The names “PluginAUTH”, “PluginGuest”, and “Options” warrant immediate investigation if found among administrator users.
Additionally, randomly generated usernames like “aaBGFtd” and “aaCmiuz” may signal unauthorized access attempts.
Some affected sites report thousands of such accounts.
WordPress administrators should regularly audit user lists and promptly remove any suspicious entries with elevated privileges.
Aftermath and Protective Measures
The recent WordPress.org plugin supply chain attack has led to the emergence of sophisticated malware variants. These new strains focus on extracting credentials beyond WordPress, targeting email and payment processing accounts.
To combat these threats, security firms have developed updated malware signatures.
Premium users of certain security services receive immediate protection, while free users typically experience a 30-day delay.
For compromised sites, a thorough cleaning process is essential. Consider the following steps:
- Conduct a comprehensive site scan
- Remove all malicious code
- Update all plugins and themes
- Change all passwords
- Implement stronger security measures
Professional incident response services are available for those seeking expert assistance.
These services often provide round-the-clock support throughout the year.
Plugin developers should remain vigilant and adopt best practices:
- Regularly audit code
- Use strong, unique passwords
- Implement two-factor authentication
- Keep development environments secure
The WordPress.org plugin review team plays a crucial role in maintaining ecosystem security.
Their ongoing efforts to detect and remove compromised plugins are vital for user protection.
Common Questions About the WordPress.org Attack
How can websites protect themselves from future supply chain threats?
Website owners can take several steps to guard against supply chain attacks:
- Implement strict plugin vetting processes
- Regularly update and patch all software components
- Use reputable security plugins to monitor for suspicious activity
- Enable two-factor authentication for all admin accounts
- Conduct frequent security audits of installed plugins and themes
What new hacking techniques have emerged after the WordPress.org incident?
The WordPress.org supply chain attack has led to new malicious tactics:
- Injection of stealthy backdoors into seemingly benign plugin code
- Use of obfuscated malware to evade detection
- Exploitation of trusted update mechanisms to spread malicious code
- Targeting of developer accounts through credential stuffing attacks
What immediate actions should admins take if they suspect a supply chain compromise?
Upon suspecting a supply chain attack, administrators should:
- Immediately disable and remove affected plugins
- Conduct a thorough security scan of the entire website
- Change all admin passwords and access credentials
- Review server logs for signs of unauthorized access
- Restore the site from a clean backup if available
How do supply chain attacks affect end users of compromised platforms?
End users may experience:
- Theft of personal data or login credentials
- Injection of malware onto their devices
- Redirection to malicious websites
- Degraded website performance or functionality
- Loss of trust in affected platforms and plugins
What long-term effects might the WordPress.org attack have on plugin developers?
The supply chain attack could lead to:
- Increased scrutiny and vetting of plugin submissions
- Stricter security requirements for developer accounts
- Enhanced code review processes for plugin updates
- Greater emphasis on secure coding practices
- Potential loss of user trust and plugin adoption rates
How has the WordPress.org incident influenced industry cybersecurity practices?
The attack has prompted several changes in the wider cybersecurity landscape:
- Heightened awareness of supply chain vulnerabilities
- Increased investment in software supply chain security measures
- Adoption of more rigorous code signing and verification processes
- Growing emphasis on developer account security and access controls
- Expanded use of automated security scanning tools in software repositories
Building better solutions for better business®
