Massive Supply-Chain Attack Compromises 1.2 Million WordPress Sites
In a significant cybersecurity breach, attackers have exploited vulnerabilities in several widely used WordPress plugins, resulting in the injection of hidden backdoors and the creation of rogue administrator accounts on approximately 1.2 million websites. This disturbing information was unveiled by the Dutch malware research firm, Sansec, on June 13.
The ongoing supply-chain attack targeted the JavaScript elements served for key plugins including OptinMonster, TrustPulse, and PushEngage, all maintained by the WordPress vendor Awesome Motive. Instead of relying on traditional methods to infiltrate victim servers, the malicious code took a more insidious approach, utilizing Awesome Motive’s own delivery system. Any website that loaded these plugins unwittingly pulled the compromised files directly from the source, thus ensuring widespread infection.
Notably, the nefarious code remains dormant until a logged-in administrator accesses the affected page, posing no immediate threat to ordinary visitors. This strategy highlights the attackers’ understanding of WordPress architecture and their ability to craft a method that minimizes immediate detection.
Mechanics of the Attack
Once an administrator is identified, the injected script comes to life, executing a series of harmful actions. It creates a new administrator account, installs a self-concealing backdoor plugin to maintain access, and sends the newly generated credentials to tidio[.]cc, a domain mimicking the legitimate chat service tidio.com. This process effectively allows the attackers to take full control over the compromised sites.
OptinMonster itself boasts over a million installations, with TrustPulse and PushEngage contributing considerably to the total number of affected websites. Given this breadth of impact, Sansec has warned that the potential for misuse against regular visitors is high, raising alarms about data breaches and unauthorized access.
A comparison was drawn by Sansec between this incident and the Polyfill attack of 2024, which similarly affected thousands of downstream sites due to the poisoning of a single upstream file. The strategic implications of this parallel highlight the growing sophistication of supply-chain attacks in the digital space.
Investigating the Breach
Despite the alarming nature of these developments, the exact method that allowed attackers to execute their plan remains unclear. Sansec speculated that the point of entry could have been Awesome Motive’s own servers, its Content Delivery Network (CDN) account, or potentially the BunnyNet network that supports its operations. While the investigation is still ongoing, the uncertainty surrounding the entry point adds an additional layer of concern for users relying on these prevalent plugins.
Limited Exposure but Persistent Threat
Interestingly, the exposure windows for the compromised code appeared brief. Sansec recorded the tampered scripts for OptinMonster and TrustPulse for about half an hour on June 12 before they were taken down, suggesting that Awesome Motive may have become aware of the situation. However, the malicious script for PushEngage continued to serve malware as of June 13, signifying that not all vectors were addressed immediately.
While only these three plugins have been confirmed as compromised thus far, Awesome Motive’s portfolio extends far beyond, covering tens of millions of sites through a variety of products, including:
- WPForms: Over six million installations
- All in One SEO: Approximately three million users
- MonsterInsights: Roughly two million installations
Despite their lack of confirmation as compromised, these plugins’ widespread usage raises the stakes considerably. Sansec has urged anyone utilizing an Awesome Motive plugin to exercise vigilance, specifically monitoring for any unfamiliar administrator accounts and suspicious traffic directed to tidio[.]cc. Users who notice these red flags are encouraged to act swiftly to safeguard their sites.
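The two checks recommended above, sketched as an added example (not code from Sansec, Awesome Motive or the original article): flag administrators missing from an approved baseline, and flag log lines that reference tidio[.]cc or a subdomain of it without matching tidio.com or lookalike hosts. It assumes the user list has the shape produced by WP-CLI's `wp user list --format=json`; the baseline, account names and log lines are constructed.

```python
import json
import re

# Indicator from the article, kept defanged in source and refanged at runtime.
IOC_DOMAIN = "tidio[.]cc".replace("[.]", ".")
# Pulls hostname-like tokens out of free-form log lines (DNS, proxy, egress).
HOST_RE = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w-])", re.I)

def unexpected_admins(wp_users_json, baseline_logins):
    """Return administrator logins that are absent from the approved baseline."""
    baseline = {name.lower() for name in baseline_logins}
    flagged = []
    for user in json.loads(wp_users_json):
        # Assumption: roles arrive as a comma-separated string, e.g. "administrator,editor".
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if "administrator" in roles and user["user_login"].lower() not in baseline:
            flagged.append(user["user_login"])
    return flagged

def ioc_hits(log_lines, domain=IOC_DOMAIN):
    """Return (line_number, host) for hosts equal to the IOC domain or under it."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for host in HOST_RE.findall(line):
            host = host.lower()
            # Exact or dot-anchored suffix match, so tidio.com and nottidio.cc are ignored.
            if host == domain or host.endswith("." + domain):
                hits.append((number, host))
    return hits

# Constructed sample data (not real accounts or logs).
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "roles": "administrator"},
    {"ID": 7, "user_login": "editor1", "roles": "editor"},
    {"ID": 42, "user_login": "wp_support_x", "roles": "administrator"},
])
SAMPLE_LOG = [
    "12:00:01 query[A] widget.tidio.com from 10.0.0.5",
    f"12:00:02 query[A] {IOC_DOMAIN} from 10.0.0.5",
    f"12:00:03 CONNECT api.{IOC_DOMAIN}:443 from 10.0.0.5",
    f"12:00:04 GET https://not{IOC_DOMAIN}/a.js",
    f"12:00:05 GET https://{IOC_DOMAIN}.example.net/a.js",
]

if __name__ == "__main__":
    print("Unexpected administrators:", unexpected_admins(SAMPLE_USERS, ["siteowner"]))
    print("IOC hits:", ioc_hits(SAMPLE_LOG))
```

A baseline comparison only helps if the approved list was recorded before the exposure window, so keep it somewhere the site itself cannot modify.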
As the cybersecurity community continues to dissect this attack, Infosecurity has reached out to Awesome Motive for a response, hinting at the potential for more revelations in the coming days.
In summary, this incident serves as a stark reminder of the vulnerabilities inherent in the digital ecosystem, particularly in widely used plugins and systems. The ability for attackers to leverage legitimate infrastructure underscores the critical need for ongoing vigilance and robust security measures in the ever-evolving landscape of cybersecurity threats.

