WordPress plugins OptinMonster, TrustPulse, and PushEngage have been compromised in a supply-chain attack impacting Awesome Motive's content distribution network (CDN).
Of the three products, the OptinMonster lead-generation and conversion optimization platform is the most popular, with at least 1.2 million websites using it.
E-commerce security firm Sansec discovered the attack over the weekend and found that malicious scripts were served to unsuspecting OptinMonster and TrustPulse users on Friday between 22:17 UTC and 22:42 UTC.
PushEngage continued to serve malicious JavaScript code until 19:02 UTC on Saturday.
The malware triggered only when a WordPress administrator visited a page on an infected website, collecting authentication tokens and nonces, and using them to create a rogue administrator account.
The intruders then installed a self-hiding backdoor plugin and established a communication channel with a domain impersonating Tidio to send any newly captured data.
The plugin also provided full remote access capabilities, including a web shell ("WPM File Manager & Shell") and arbitrary PHP code execution, granting attackers full control of compromised websites.
“The operator rotates the plugin's disguise while keeping the logic byte-identical across renames,” Sansec says.
“We have observed it shipping as "Content Delivery Helper" (content-delivery-helper, v2.7.1) and, currently, as "Database Optimizer" (database-optimizer, v2.9.4).”
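A defender-side check for the rename-while-identical pattern Sansec describes, added here as an illustration and not part of the original report or of any vendor's tooling: it digests each plugin's PHP with the header comment stripped so a rename does not change the hash, flags the two slugs quoted above, and runs against a constructed fixture tree whose plugin bodies are stand-ins, not the actual backdoor.

```python
import hashlib, os, re, tempfile
from collections import defaultdict

# Slugs quoted in the Sansec report above; everything else here is constructed.
KNOWN_BAD = {"content-delivery-helper", "database-optimizer"}
# Leading "<?php /* Plugin Name ... */" header comment, the only part a rename changes.
HEADER_RE = re.compile(r"^\s*<\?php\s*/\*.*?\*/", re.DOTALL)

def stripped_hash(plugin_dir):
    """Filename-independent digest of a plugin's PHP with its header comment removed."""
    digests = []
    for root, _, files in os.walk(plugin_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as f:
                body = HEADER_RE.sub("<?php", f.read(), count=1)
            digests.append(hashlib.sha256(body.encode()).hexdigest())
    return hashlib.sha256("".join(sorted(digests)).encode()).hexdigest()

def scan_plugins(plugins_dir):
    """Return sorted findings: ('known-slug', slug) or ('clone', (slug, ...))."""
    findings, by_hash = set(), defaultdict(set)
    for slug in os.listdir(plugins_dir):
        path = os.path.join(plugins_dir, slug)
        if not os.path.isdir(path):
            continue
        if slug in KNOWN_BAD:
            findings.add(("known-slug", slug))
        by_hash[stripped_hash(path)].add(slug)
    for slugs in by_hash.values():
        if len(slugs) > 1:  # identical code shipped under different slugs
            findings.add(("clone", tuple(sorted(slugs))))
    return sorted(findings)

def build_fixture():
    """Constructed plugins tree: two renamed copies of one stand-in body plus a benign plugin."""
    root = tempfile.mkdtemp()
    logic = "add_action('init', function () { /* constructed stand-in, not the malware */ });\n"
    for slug, name, ver, code in [
        ("content-delivery-helper", "Content Delivery Helper", "2.7.1", logic),
        ("database-optimizer", "Database Optimizer", "2.9.4", logic),
        ("benign-example", "Benign Example", "1.0", "echo 'hello';\n"),
    ]:
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w") as f:
            f.write("<?php\n/* Plugin Name: %s\nVersion: %s */\n%s" % (name, ver, code))
    return root
```

Pointing `scan_plugins` at a real `wp-content/plugins` directory reports both the named slugs and any pair of directories carrying the same code under different names.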
Awesome Motive published a security advisory earlier today about the incident, explaining that hackers gained access to a server in its environment after exploiting a known flaw in the UpdraftPlus WordPress plugin.