A supply-chain security breach has surfaced affecting three widely used WordPress plugins: PushEngage, OptinMonster, and TrustPulse. Attackers altered trusted JavaScript files served by these plugins so that the scripts planted backdoors on the sites that loaded them. The incident raises serious concerns about the security of every site running these plugins.
Details of the Attack
The attack involved modifying JavaScript files so that, when loaded by a logged-in site administrator, the script created a new administrator account under the attacker's control and installed a concealed plugin that served as a persistent backdoor. Ordinary site visitors were unaffected, because the malicious code acted only inside an authenticated admin session. Security firm Sansec uncovered the campaign on June 13, identifying malicious code in the JavaScript of all three plugins.
PushEngage has confirmed that attackers distributed tampered versions of its scripts, which could lead to full site takeover. OptinMonster and TrustPulse, which belong to the same parent company, Awesome Motive, have not issued official statements.
Impact and Scale
The exposure window varied among the plugins. OptinMonster and TrustPulse served the tampered scripts for about 25 minutes on June 12, while PushEngage's scripts remained compromised for several hours and were still being served as late as June 14. Collectively, these plugins are active on over 1.2 million sites, with OptinMonster alone accounting for more than a million active installations.
Because the tampered scripts acted only during administrator sessions, the compromise was hard to notice. The hidden plugin gave attackers a remote command channel into the site, letting them carry out further malicious actions without detection.
Investigation and Response
How the attackers initially gained access is disputed. PushEngage says the breach began with a vulnerability in the UpdraftPlus backup plugin, which led to the compromise of its marketing server, a server that held a critical CDN API key. Sansec has not confirmed this entry point, so the breach's origin remains undetermined.
Following the incident, PushEngage replaced the compromised files, purged its CDN caches, and rotated credentials. These steps stop further distribution of the tampered scripts, but they do nothing for sites that were already backdoored: the attacker's admin account and hidden plugin remain in place until the site owner removes them.
Steps for Website Owners
Administrators whose sites loaded these plugins during the attack window should run a thorough server-side scan; checks from the WordPress dashboard will not reveal the hidden backdoor. Examine the wp-content/plugins directory for unauthorized folders such as ‘content-delivery-helper’ or ‘database-optimizer’, and review the site's user list for administrator accounts that nobody on the team created. Review server logs for suspicious activity, in particular any traffic to the domain tidio.cc or the IP address 84.201.6.54.
If any of these indicators are present, treat the site as compromised: remove the rogue plugin and account, change all passwords and API keys, and update the wp-config.php file (in practice, regenerating its authentication keys and salts, which invalidates every existing login session). Ultimately the responsibility falls on site owners to stay vigilant and act promptly to protect their sites.
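As an added illustration of the server-side checks above (example code written for this article, not tooling from PushEngage, Sansec or Awesome Motive), the following Python script checks a plugins directory for the known-bad folder names and scans log lines for the two network indicators. It goes slightly beyond the text by also accepting an allowlist of the plugin slugs you expect to be installed, so any unexpected folder is flagged rather than only the two known names. The plugin tree, log lines and timestamps are constructed sample data; the log format is assumed to be an Apache-style access log plus a free-form egress line.

```python
"""Offline triage helpers for the indicators named above.

Added example, not code from PushEngage, Sansec or Awesome Motive. The plugin
tree and log lines built here are constructed sample data for the demo.
"""
import re
import tempfile
from pathlib import Path

# Indicators of compromise as given in the article.
SUSPICIOUS_PLUGIN_DIRS = {"content-delivery-helper", "database-optimizer"}
IOC_DOMAIN = "tidio.cc"
IOC_IP = "84.201.6.54"

# Match the domain as a whole host (including subdomains such as cdn.tidio.cc)
# but not look-alikes such as "tidio.ccx" or "notidio.cc".
DOMAIN_RE = re.compile(
    r"(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]+\.)*" + re.escape(IOC_DOMAIN) + r"(?![A-Za-z0-9-])"
)
# Match the IP only when it is not part of a longer dotted number (e.g. 184.201.6.54).
IP_RE = re.compile(r"(?<![\d.])" + re.escape(IOC_IP) + r"(?![\d.])")


def find_rogue_plugin_dirs(plugins_dir, expected=None):
    """Return top-level folders in wp-content/plugins that look unauthorized.

    A folder is reported if its name is one of the known-bad names or, when an
    allowlist of expected plugin slugs is given, if it is not on that list.
    Only names are checked; a backdoor renamed to something innocuous needs a
    content-based scan (comparing files against a known-clean copy).
    """
    rogue = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        if not entry.is_dir():
            continue
        if entry.name in SUSPICIOUS_PLUGIN_DIRS or (expected is not None and entry.name not in expected):
            rogue.append(entry.name)
    return rogue


def scan_log_lines(lines):
    """Return (line_number, indicator, line) for every line mentioning an IOC."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for indicator, pattern in ((IOC_IP, IP_RE), (IOC_DOMAIN, DOMAIN_RE)):
            if pattern.search(line):
                hits.append((number, indicator, line.rstrip()))
    return hits


# Constructed sample log: four Apache-style access-log lines plus one assumed
# egress-log line from a host firewall. Lines 3 and 5 are deliberate near-misses.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jun/2025:10:01:22 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
    '84.201.6.54 - - [14/Jun/2025:10:02:05 +0000] "POST /wp-content/plugins/content-delivery-helper/index.php HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    '198.51.100.9 - - [14/Jun/2025:10:03:40 +0000] "GET /?ref=tidio.ccx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "egress: php-fpm connected to cdn.tidio.cc:443",
    '184.201.6.54 - - [14/Jun/2025:10:05:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def build_demo_plugins_dir():
    """Create a throwaway plugins tree with one rogue folder (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-demo-"))
    for slug in ("optinmonster", "pushengage", "trustpulse", "content-delivery-helper"):
        (root / slug).mkdir()
        (root / slug / "index.php").write_text("<?php\n")
    return root


if __name__ == "__main__":
    demo = build_demo_plugins_dir()
    print("rogue plugin folders:", find_rogue_plugin_dirs(demo))
    for number, indicator, line in scan_log_lines(SAMPLE_LOG):
        print(f"log line {number} matched {indicator}: {line}")
```

On a real server, point find_rogue_plugin_dirs at the site's wp-content/plugins directory (with the allowlist taken from your deployment manifest) and feed scan_log_lines the access and egress logs covering June 12 to 14. Complete the check with `wp user list --role=administrator` to spot the attacker-created account. A name-based search is only a first pass: a renamed copy of the backdoor will not match, so follow up by comparing plugin folders against clean copies of the same versions.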
