Attackers find new way to install backdoored plugins on WordPress sites

Hackers have discovered a previously unseen method of installing backdoored plugins on websites running the open source CMS WordPress. The approach relies on weakly protected accounts and the Jetpack plugin.

The method is fairly involved. To take over a website, the attackers must complete several steps, and a failure at any one of them causes the whole attack to fail. Despite this, according to the WordPress report, there have been many such attacks since May 16.

The attack procedure is roughly as follows:

  1. Hackers obtain usernames and passwords from open vulnerabilities and try to log in to accounts with them. Users who reuse the same password and have not enabled two-factor authentication are particularly exposed.
  2. Hackers install backdoored plugins via Jetpack, one of the most popular plugins for WordPress websites. Among its features is the ability to connect a self-hosted WordPress website to a WordPress.com account.

Image: Wordfence

One of Jetpack’s features is the ability to install plugins on every connected site from the Jetpack dashboard. The plugin does not even have to be hosted in the official repository: an attacker can simply upload a ZIP file containing malicious code and push it to each connected site.

According to security researchers, the attack started on May 16, with the hackers deploying a plugin called “pluginsamonsters” and then switching to another plugin called “wpsmilepack” on May 21.

The number of currently infected sites is unknown, and infected sites are difficult to detect.
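One practical detection check a site administrator can run, added here as an example and not part of the original article: compare the site's installed plugin inventory against an allowlist of plugins the owner actually installed, and flag the two plugin slugs named in the article. The input format is the JSON emitted by WP-CLI's `wp plugin list --format=json`; the sample inventory, the allowlist and the function names are constructed for this example.

```python
"""Audit a WordPress plugin inventory for unexpected or known-backdoor plugins.

Added example, not code from the article or from Wordfence. The input is the JSON
produced by `wp plugin list --format=json` (WP-CLI); the sample below is constructed.
"""
import json

# Plugin slugs the article names as used in this campaign.
KNOWN_BAD_SLUGS = {"pluginsamonsters", "wpsmilepack"}

# Hypothetical per-site allowlist: plugins the site owner knowingly installed.
# In practice this list is maintained per site by the owner.
APPROVED_SLUGS = {"akismet", "jetpack", "wordpress-seo"}

# Constructed sample of `wp plugin list --format=json` output.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.2"},
    {"name": "jetpack", "status": "active", "update": "none", "version": "7.3"},
    {"name": "wpsmilepack", "status": "active", "update": "none", "version": "1.0"},
    {"name": "hello-dolly", "status": "inactive", "update": "none", "version": "1.6"},
])


def audit_plugins(plugin_list_json, approved=APPROVED_SLUGS, known_bad=KNOWN_BAD_SLUGS):
    """Return findings for one site's plugin inventory.

    known_bad      - installed slugs that match the campaign's plugin names
    unapproved     - installed slugs that are neither approved nor known bad
    jetpack_active - whether Jetpack (the install channel in this campaign) is active
    """
    plugins = json.loads(plugin_list_json)
    names = {p["name"] for p in plugins}
    active = {p["name"] for p in plugins if p.get("status") == "active"}
    return {
        "known_bad": sorted(names & known_bad),
        "unapproved": sorted(names - approved - known_bad),
        "jetpack_active": "jetpack" in active,
    }


def severity(findings):
    """Collapse findings into a triage level."""
    if findings["known_bad"]:
        return "critical"   # campaign indicator present: start cleanup
    if findings["unapproved"]:
        return "review"     # unexpected plugin: confirm with the site owner
    return "clean"


if __name__ == "__main__":
    result = audit_plugins(SAMPLE_WP_PLUGIN_LIST)
    print(json.dumps(result, indent=2))
    print("severity:", severity(result))
```

The check covers only the plugin inventory. The account-side steps the article recommends, rotating the password and enabling two-factor authentication, are not something this script can verify, and a plugin that is absent from the allowlist is a prompt to ask the owner, not proof of compromise.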

Site owners who find suspicious plugins are advised to change the account password immediately, enable two-factor authentication for that account, and begin a site cleanup procedure.

Source: bleepingcomputer