"Malicious Plugins Found on 25,000 WordPress Websites: Study"

Security researchers at the Georgia Institute of Technology have identified malicious plugins on tens of thousands of WordPress websites. The researchers analyzed nightly backups of more than 400,000 unique web servers and found more than 47,000 malicious plugins installed on nearly 25,000 unique WordPress websites. More than 94% of these plugins (over 44,000) continue to be in use today. The researchers noted that over 3,600 of the identified malicious plugins were purchased from legitimate marketplaces such as CodeCanyon, Easy Digital Downloads, and ThemeForest. The researchers stated that the majority of these plugins did not use obfuscation to hide their malicious behavior.

The dataset used for the research spanned eight years, from July 2012 to July 2020, and revealed a steady increase in the number of installed malicious plugins, with activity peaking in March 2020. The researchers stated that adversaries buy the codebase of popular free plugins, add malicious code, and wait for users to apply automatic updates. Attackers were also observed impersonating benign plugin authors to distribute malware via pirated plugins. Of the identified malicious plugins, more than 10,000 used webshells and code obfuscation.

The researchers also identified cases of plugin-to-plugin infection, in which a malicious plugin infects other plugins on the same web server, replicating its behavior. Overall, more than 40,000 plugin instances were infected post-deployment. In many cases, attackers abused the infrastructure to inject malicious plugins into websites and then attempted to maintain access to the web servers.

The results of the analysis were reported to CodeGuard, and work is underway to remediate the situation. However, the researchers stated that only 10% of website owners were seen attempting to clean up their installations, and more than 12% of the cleaned-up websites were reinfected.

SecurityWeek reports: "Malicious Plugins Found on 25,000 WordPress Websites: Study"