CyberSecurity news

FlagThis - #supplychainattack

Aman Mishra@gbhackers.com //
Hackers have successfully compromised the popular WordPress plugin Gravity Forms, embedding malicious code into versions downloaded directly from the official gravityforms.com website. This sophisticated supply chain attack targets a significant portion of WordPress websites relying on Gravity Forms for form creation and data collection. The attackers are reportedly exploiting a vulnerability within the plugin, specifically targeting the gf_api_token parameter. This allows them to inject malicious PHP code into core plugin files, such as gravityforms/common.php and includes/settings/class-settings.php, creating backdoors that can lead to remote code execution and unauthorized access.

The malicious campaign was first detected when security researchers observed suspicious HTTP POST requests to a newly registered domain, gravityapi.org, which served as a command-and-control server. The injected malware is capable of exfiltrating sensitive WordPress site data, including URLs, plugin lists, user counts, and environment details, transmitting this information to the attacker-controlled domain. Upon receiving a response, the malware can deploy further payloads, such as writing a backdoored PHP file to the server that masquerades as legitimate content management tools. This backdoor enables attackers to execute arbitrary code, create new administrator accounts, upload files, and manipulate site content with devastating effects.

In response to the discovered vulnerability, Gravity Forms has swiftly released version 2.9.13 of the plugin, which is confirmed to be free of the backdoor. Additionally, the registrar Namecheap has suspended the malicious gravityapi.org domain to disrupt ongoing exploitation efforts. Website administrators are strongly advised to update their Gravity Forms plugin to the latest version immediately to mitigate the risk of compromise. Monitoring network traffic for suspicious activity, particularly POST requests to the identified malicious domain, is also a crucial step in preventing unauthorized access and code execution on affected WordPress sites.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • cyberpress.org: WordPress GravityForms Plugin Targeted in Malicious Code Injection Attack
  • Ian Campbell: Just a heads-up on this supply chain attack on the Gravity Forms wordpress plugin, one IOC is POST requests to gravityapi[.]org - a 3 day old domain. That domain shares an IP with gravityapi[.]io. cc
  • Talkback Resources: WordPress Gravity Forms developer hacked to push backdoored plugins
  • gbhackers.com: Hackers Compromise WordPress GravityForms Plugin with Malicious Code Injection
  • Cyber Security News: WordPress GravityForms Plugin Targeted in Malicious Code Injection Attack
  • securityonline.info: WordPress Supply Chain Attack: Gravity Forms Plugin Backdoored Through Official Downloads
  • gbhackers.com: Hackers have targeted the popular WordPress plugin Gravity Forms, injecting malicious code into versions downloaded from the official gravityforms.com domain.
Classification:
@securebulletin.com //
A concerning trend of hackers exploiting open-source software supply chains has been identified, with malicious backdoors being planted in Python and NPM packages. Security researchers at Checkmarx Zero have uncovered a sophisticated campaign where attackers are using typosquatting and name-confusion tactics to trick users into downloading harmful software. This cross-ecosystem approach targets both Windows and Linux systems, deploying multi-platform payloads with the capability to steal data and establish remote control. These findings highlight the growing need for enhanced security measures within open-source ecosystems to combat supply chain attacks.

This campaign leverages the Python Package Index (PyPI) and Node Package Manager (NPM) by mimicking legitimate software. Specifically, the attack targeted users of "colorama," a popular Python tool, and "colorizr," a similar JavaScript package, by uploading packages with names like "coloramapkgs" and "colorizator". The malicious packages carry dangerous payloads designed to give attackers remote access and control, allowing them to harvest and exfiltrate sensitive data. On Windows systems, the malware attempts to bypass antivirus software, while on Linux, it establishes encrypted connections, steals information, and maintains a hidden presence.

Fortunately, the identified malicious packages have been removed from public software repositories, limiting their immediate potential for damage. However, the lack of clear attribution data makes it difficult to trace the campaign back to a known adversary. Vet, an open-source tool designed to help developers and security engineers spot risks in their software supply chains, goes beyond traditional software composition analysis by detecting known vulnerabilities and flagging malicious packages. It supports ecosystems like npm, PyPI, Maven, Go, Docker, and GitHub Actions, assisting in the detection of supply chain attacks.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • ciso2ciso.com: News and insights for CISOs from CISO2CISO.
  • cyberpress.org: PyPI Supply Chain Attacks Hit Python and NPM Users on Windows and Linux, according to CyberPress.
  • hackread.com: Hackread reports on Backdoors in Python and NPM Packages Target Windows and Linux.
  • securityonline.info: Stealthy npm supply chain attack using typosquatting leads to remote code execution and data destruction.
  • Cyber Security News: PyPI Supply Chain Attacks Hit Python and NPM Users on Windows and Linux
  • The Hacker News: Malicious PyPI, npm, and Ruby Packages Exposed in Ongoing Open-Source Supply Chain Attacks
  • securebulletin.com: Sophos exposes massive GitHub campaign distributing backdoored malware
  • Catalin Cimpanu: A threat actor compromised 16 npm libraries from the Gluestack UI framework.
  • securityaffairs.com: Over 950K weekly downloads at risk in ongoing supply chain attack on Gluestack packages
  • The Hacker News: New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally
  • The Register - Security: Sophos thinks a single person or group called "ischhfd83" is behind more than a hundred backdoored malware variants targeting novice cybercriminals and video game cheaters looking to get their hands on malicious code.
  • www.darknet.org.uk: Attackers are now exploiting GitHub's Dependabot to inject malicious code through pull request workflows. Learn how this happens and what real-world impact it can cause.
  • Talkback Resources: TL;DR : Your trusty Dependabot (and other GitHub bots) might be an unwitting accomplice. Through "Confused Deputy" attacks, they can be tricked into merging malicious code.
  • www.linkedin.com: LinkedIn Post discussing the Gluestack NPM supply chain attack
  • BleepingComputer: Supply chain attack hits Gluestack NPM packages with 960K weekly downloads
Classification: