The popular WordPress plugin Gravity Forms has been compromised in what appears to be a supply-chain attack, where manual installers from the official website were infected with a backdoor.
Gravity Forms is a premium plugin for creating contact, payment, and other online forms. Based on statistics from the vendor, the product is installed on around a million websites, some belonging to well-known organizations like Airbnb, Nike, ESPN, Unicef, Google, and Yale.
Remote code execution on the server
WordPress security firm Patchstack says it received a report earlier today about suspicious requests generated by plugins downloaded from the Gravity Forms website.
After inspecting the plugin, Patchstack confirmed that the copy downloaded from the vendor's website contained a malicious file (gravityforms/common.php). Closer examination revealed that the file initiated a POST request to a suspicious domain at "gravityapi.org/sites."
Upon further analysis, the researchers found that the plugin collected extensive site metadata, including the URL, admin path, theme, plugins, and PHP/WordPress versions, and exfiltrated it to the attackers.
The server response contained base64-encoded PHP malware, which was saved as "wp-includes/bookmark-canonical.php."
The malware masquerades as WordPress Content Management Tools and enables remote code execution without the need to authenticate, using functions like 'handle_posts(),' 'handle_media(),' and 'handle_widgets().'
"All of these functions can be called from __construct -> init_content_management -> handle_requests -> process_request function. So, it basically can be triggered by an unauthenticated user," Patchstack explains.
"From all of the functions, it will perform an eval call with the user-supplied input, resulting in remote code execution on the server," the researchers said.
RocketGenius, the developer behind Gravity Forms, was informed of the issue, and a staff member told Patchstack that the malware affected only manual downloads and composer installation of the plugin.
Patchstack recommends that anyone who downloaded Gravity Forms starting yesterday reinstall the plugin by getting a clean version. Admins should also scan their websites for any signs of infection.
According to Patchstack, the domains facilitating this operation were registered on July 8.
Hackers add admin account
RocketGenius has published a post-mortem of the incident confirming that only Gravity Forms 2.9.11.1 and 2.9.12, available for manual download between July 10 and 11, were compromised.
If admins ran a composer install for version 2.9.11 on either of the two dates, they received an infected copy of the product.
"The Gravity API service that handles licensing, automatic updates, and the installation of add-ons initiated from within the Gravity Forms plugin was never compromised. All package updates managed through that service are unaffected" – RocketGenius
RocketGenius says that the malicious code blocked update attempts, contacted an external server to fetch additional payloads, and added an admin account that gave the attacker full control of the website.
The developer also provides methods for administrators to check for possible infection by following specific links on their websites.
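As an added example (not code from Patchstack or RocketGenius), the following Python scanner checks a WordPress directory for the file-level indicators named above: the dropped wp-includes/bookmark-canonical.php, a gravityforms/common.php that references gravityapi.org, and a Gravity Forms version in the affected range. The plugin paths, the version-header parsing and the constructed mock install are assumptions.

```python
"""Scan a WordPress install for the indicators described in the article."""
import re
import tempfile
from pathlib import Path

# Indicators taken from the article; paths under wp-content are assumed defaults.
DROPPED_BACKDOOR = Path("wp-includes/bookmark-canonical.php")
TAMPERED_FILE = Path("wp-content/plugins/gravityforms/common.php")
PLUGIN_MAIN = Path("wp-content/plugins/gravityforms/gravityforms.php")
C2_DOMAIN = "gravityapi.org"
AFFECTED_VERSIONS = {"2.9.11", "2.9.11.1", "2.9.12"}


def scan_wordpress(root: Path) -> list:
    """Return human-readable findings for the install under `root`."""
    findings = []
    # 1. The second-stage payload is written to a file that is not part of WordPress core.
    if (root / DROPPED_BACKDOOR).exists():
        findings.append(f"dropped backdoor present: {DROPPED_BACKDOOR}")
    # 2. The tampered common.php contacts the attacker-controlled domain.
    tampered = root / TAMPERED_FILE
    if tampered.exists() and C2_DOMAIN in tampered.read_text(errors="ignore"):
        findings.append(f"{TAMPERED_FILE} references {C2_DOMAIN}")
    # 3. Flag versions in the affected range so the admin verifies where the copy came from.
    main = root / PLUGIN_MAIN
    if main.exists():
        m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", main.read_text(errors="ignore"), re.M)
        if m and m.group(1) in AFFECTED_VERSIONS:
            findings.append(f"Gravity Forms {m.group(1)} installed; confirm it came via auto-update, not a manual or composer download")
    return findings


def build_sample_install(root: Path) -> None:
    """Write a constructed, inert mock of an infected install (no real payload)."""
    (root / DROPPED_BACKDOOR).parent.mkdir(parents=True)
    (root / DROPPED_BACKDOOR).write_text("<?php // constructed placeholder\n")
    (root / TAMPERED_FILE).parent.mkdir(parents=True)
    (root / TAMPERED_FILE).write_text("<?php $u = 'https://gravityapi.org/sites'; // constructed\n")
    (root / PLUGIN_MAIN).write_text("<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 2.9.12\n*/\n")


def run_demo() -> list:
    """Build the mock install in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_install(root)
        return scan_wordpress(root)
```

Point `scan_wordpress` at a real site root to check an install; `run_demo` exercises it against the constructed mock and should report all three indicators.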