Cyber Security News

[Cyware] Multiple WordPress Plugins Compromised: Hackers Create Rogue Admin Accounts

Cyware

Summary: Multiple WordPress plugins have been backdoored, allowing threat actors to create rogue administrator accounts and inject malicious code into websites.

Threat Actor: Unknown | unknown
Victim: WordPress | WordPress

Key Point :

  • Backdoored WordPress plugins have been used to create rogue administrator accounts and inject malicious code into websites.
  • The injected malware attempts to create a new administrative user account and sends the details back to the attacker-controlled server.
  • The threat actor also injected malicious JavaScript into the footer of websites, adding SEO spam throughout the site.
  • The admin accounts created have the usernames “Options” and “PluginAuth,” with the account information exfiltrated to the IP address 94.156.79[.]8.
  • The attack was first detected on June 21, 2024, but it is unclear how the plugins were compromised.
  • The affected plugins are no longer available for download from the WordPress plugin directory.
WordPress

Multiple WordPress plugins have been backdoored to inject malicious code that makes it possible to create rogue administrator accounts with the aim of performing arbitrary actions.

“The injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server,” Wordfence security researcher Chloe Chamberland said in a Monday alert.

“In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website.”

Cybersecurity

The admin accounts have the usernames “Options” and “PluginAuth,” with the account information exfiltrated to the IP address 94.156.79[.]8.

It’s currently not known how the unknown attackers behind the campaign managed to compromise the plugins, but the earliest signs of the software supply chain attack date back to June 21, 2024.

The plugins in question are no longer available for download from the WordPress plugin directory pending ongoing review –

Users of the aforementioned plugins are advised to inspect their sites for suspicious administrator accounts and delete them, in addition to removing any malicious code.

Source: https://thehackernews.com/2024/06/multiple-wordpress-plugins-compromised.html

“An interesting youtube video that may be related to the article above”

Tags: SPAM