For a while now, WordPress has been very popular amongst users, who also make use of a wide range of functional plug-ins offered by WordPress itself and by other vendors. Mostly all goes well, but just before Christmas 2017 the WordPress security plug-in WordFence noticed some inconsistencies. Further investigation revealed a hidden backdoor in the CAPTCHA plug-in.
This free CAPTCHA plug-in, originally developed by the plug-in programmer BestWebSoft for WordPress, was resold to a company named Simplywordpress, which took its time to re-program it and then released an updated version, 4.3.7. Issues with the plug-in's trademark rights then came up and WordPress decided to delete it from its website WordPress.org. At that point, everything was still fine security-wise.
But things changed quickly thanks to a rule implemented by WordFence itself: it routinely inspects high-volume plug-ins that have been removed. That is how WordFence Security discovered a backdoor and immediately warned the WordPress Security Department. To keep the approximately 300,000 users of that particular plug-in safe, the department worked hard on an update based on an older, clean version (4.4.5).
This cleaned-up version installed itself automatically and repaired about 100,000 infected plug-ins on various WordPress blogs. Most importantly, it was made sure that Simplywordpress could not publish updates in future. At the same time WordFence toughened up security: the app's firewall now blocks the CAPTCHA plug-in as well as five other plug-ins from this vendor. Also, no update from this vendor can go online without having been checked by WordPress first.
So what was the backdoor all about?
Interestingly, the manipulated code hidden in the plug-in wasn't as dangerous as it first appeared. Its purpose was to silently create backlinks to various commercial websites and spam domains in order to raise the Google ranking of certain websites, namely those of Mason Soiza, owner of an SEO company, and Stacy Wellington. Soiza is no stranger to them, having connections to Simply WordPress. He has been caught before trying to integrate backdoors into popular display widgets, and he also likes to procure WordPress plug-ins into which he then programs backdoor code.
This is how the backdoor works
Its automatic downloader grabs a zipped file from https://simplywordpress.net/captcha/captcha_pro_update.php and transfers the backdoor to its destination. The backdoor's task was then to establish a session using the user ID 1, to set the cookies for authentication and finally to delete itself. During their research, security experts found various other update packages on the simplywordpress domain for other WordPress plug-ins, including Social Exchange, Covert Me Popup, Smart Recaptcha, Human Captcha and Death To Comments.
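As an added detection example (not Wordfence's scanner and not code from the plug-in itself), here is a small Python scanner that flags plug-in files showing the indicators just described: the vendor's update URL, a forced session for user ID 1 with an authentication cookie, and self-deletion. The indicator names, the use of the WordPress API calls wp_set_current_user and wp_set_auth_cookie, and the two sample plug-in files are assumptions of mine; the real backdoor's source is not on this page.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the article: vendor update URL, forced user-1 session and cookie, self-deletion.
INDICATORS = {
    "vendor_update_url": re.compile(r"simplywordpress\.net/captcha/captcha_pro_update\.php"),
    "forced_session_uid1": re.compile(r"wp_set_current_user\s*\(\s*1\s*\)"),
    "forced_auth_cookie": re.compile(r"wp_set_auth_cookie\s*\(\s*1\b"),
    "self_delete": re.compile(r"unlink\s*\(\s*__FILE__\s*\)"),
}

def scan_source(source: str) -> list:
    """Return the names of every indicator found in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

def scan_plugin_dir(root: Path) -> dict:
    """Map each .php file under the plug-ins dir to its indicators (hits only)."""
    hits = {}
    for path in sorted(root.rglob("*.php")):
        found = scan_source(path.read_text(errors="ignore"))
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits

# Constructed sample plug-in files; not the real Captcha plug-in's code.
CLEAN_PLUGIN = """<?php
/* Plugin Name: Example Form (constructed) */
function example_form_render() { return '<form></form>'; }
"""
SUSPECT_PLUGIN = """<?php
/* Constructed stand-in for the behaviour described in the article */
$src = 'https://simplywordpress.net/captcha/captcha_pro_update.php';
wp_set_current_user(1);       // session as the first (admin) user
wp_set_auth_cookie(1, true);  // persist it in an auth cookie
@unlink(__FILE__);            // delete itself
"""

def run_demo() -> dict:
    """Write both samples into a temporary plug-ins dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("example-form", "captcha"):
            (root / sub).mkdir()
        (root / "example-form" / "form.php").write_text(CLEAN_PLUGIN)
        (root / "captcha" / "plugin-update.php").write_text(SUSPECT_PLUGIN)
        return scan_plugin_dir(root)

if __name__ == "__main__":
    for name, found in run_demo().items():
        print(f"{name}: {', '.join(found)}")
```

Pointing scan_plugin_dir at a real wp-content/plugins directory reports only files with at least one hit, and a file matching the session, cookie and self-delete indicators together deserves manual review even if the URL differs.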
vBulletin Solutions, which operates a very popular internet forum platform, was also affected and had to release urgent patches: vBulletin 5.3.4 Patch Level 1, vBulletin 5.3.3 Patch Level 1 and vBulletin 5.3.2 Patch Level 2. One of the vulnerabilities found here allowed unauthenticated attackers to remove any file within a vBulletin installation. Another allowed arbitrary code to run on Windows-based web servers. Unfortunately, the patches could only be published with some delay, leaving a zero-day situation for quite some time.
Well-known companies such as Sony Pictures, Zynga, Valve Corporation, Electronic Arts and even NASA use vBulletin. It seems to be quite common in this business sector that popular software apps are maliciously manipulated following their resale. Security experts report similar issues with browser extensions. It would therefore also be feasible to maliciously manipulate any common SDK, library or other third-party component in the same way.