
Over 90 WordPress themes, plugins backdoored in supply chain attack

Posted: Sun Jan 23, 2022 5:16 pm
by Destry
This is an example of why we do not use WordPress for our websites.

A massive supply chain attack compromised 93 WordPress themes and plugins to contain a backdoor, giving threat actors full access to the websites that installed them.

In total, threat actors compromised 40 themes and 53 plugins belonging to AccessPress, a developer of WordPress add-ons used in over 360,000 active websites.

The attack was identified by researchers at Jetpack, the makers of a security and optimization plugin for WordPress sites, who found that a PHP backdoor had been added to the themes and plugins.

Jetpack believes an external threat actor breached the AccessPress website to compromise the software and infect further WordPress sites.
A backdoor to give complete control

The compromised AccessPress packages carried an extra “initial.php” file in the main theme directory, and the theme’s main “functions.php” file was modified to include it, so the dropper ran as soon as an admin installed the product on their site.

This file contained a base64-encoded payload which, once decoded, writes a webshell into the core file “./wp-includes/vars.php”.
Figure: Encoded payload writing the webshell (source: Sucuri)

The malicious code completed the backdoor installation by decoding the payload and injecting it into the “vars.php” file, essentially giving the threat actors remote control over the infected site.

Because the dropper deletes the “initial.php” file after it has run, there is little to find in the theme directory afterwards; the reliable way to detect the infection is core file integrity monitoring, i.e. comparing “wp-includes/vars.php” and the rest of the WordPress core against the pristine files of the installed release.

According to Sucuri researchers, who investigated infected sites to work out the actors’ goal, the backdoor was used to redirect visitors to malware-dropping and scam sites. Judged by that monetization, the campaign wasn’t very sophisticated.

It’s also possible that the actor used this malware to sell access to backdoored websites on the dark web, which would be an effective way to monetize such a large-scale infection.

https://www.bleepingcomputer.com/news/s ... in-attack/
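Added example (not code from the article, from AccessPress, Jetpack or Sucuri): a small Python script that reproduces the shape of the infection described above on a constructed mini WordPress tree and then runs the two checks a responder would want. First a hash baseline of a core file is taken, the theme is "infected" with an inert stand-in dropper that appends to wp-includes/vars.php and deletes itself, and the baseline comparison flags the modified core file even though the dropper is gone. Second, coarse content heuristics and an include scan of functions.php show what residue is still visible. All file names, paths, contents and pattern names are constructed for the demo; the only thing taken from the article is the mechanism (initial.php included from functions.php, payload written into vars.php, dropper deleted).

```python
"""Core-file integrity check modelled on a self-deleting theme dropper.

Constructed demo: builds a throwaway WordPress-like tree, records a hash
baseline, simulates the infection with inert placeholder content, and
reports what each detection method still sees afterwards.
"""
import hashlib
import os
import re
import tempfile

# Coarse triage heuristics (names are mine). They also match plenty of
# legitimate PHP, so treat hits as leads, never as a verdict on their own.
DROPPER_PATTERNS = {
    "base64_decode": re.compile(rb"base64_decode\s*\("),
    "file_put_contents": re.compile(rb"file_put_contents\s*\("),
    "self_delete": re.compile(rb"unlink\s*\(\s*__FILE__\s*\)"),
    "eval": re.compile(rb"\beval\s*\("),
}
# include/require/(_once) with a quoted literal path.
INCLUDE_RE = re.compile(rb"(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, rel_paths):
    """Hashes of known-good core files: what a FIM tool stores up front."""
    return {rel: sha256_of(os.path.join(root, rel)) for rel in rel_paths}


def check_integrity(root, baseline):
    """Return {rel_path: 'modified' | 'missing'} for files that no longer match."""
    findings = {}
    for rel, expected in baseline.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings[rel] = "missing"
        elif sha256_of(full) != expected:
            findings[rel] = "modified"
    return findings


def scan_patterns(path):
    """Names of DROPPER_PATTERNS that match the file, sorted."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted(name for name, rx in DROPPER_PATTERNS.items() if rx.search(data))


def included_files(php_path):
    """Literal paths pulled in by include/require statements in a PHP file."""
    with open(php_path, "rb") as f:
        return [m.decode() for m in INCLUDE_RE.findall(f.read())]


def make_site():
    """Constructed mini tree: a stand-in core vars.php and one clean theme."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    os.makedirs(os.path.join(root, "wp-includes"))
    os.makedirs(os.path.join(root, "wp-content", "themes", "demo"))
    with open(os.path.join(root, "wp-includes", "vars.php"), "w") as f:
        f.write("<?php\n// constructed stand-in for core wp-includes/vars.php\n$is_lynx = false;\n")
    with open(os.path.join(root, "wp-content", "themes", "demo", "functions.php"), "w") as f:
        f.write("<?php\n// constructed theme functions.php\nadd_theme_support('title-tag');\n")
    return root


def simulate_compromise(root):
    """Reproduce the *shape* of the infection with inert, constructed content."""
    theme = os.path.join(root, "wp-content", "themes", "demo")
    # 1. functions.php is made to include the dropper.
    with open(os.path.join(theme, "functions.php"), "a") as f:
        f.write("if (file_exists(__DIR__ . '/initial.php')) include_once 'initial.php';\n")
    # 2. The dropper decodes a payload, appends it to a core file, deletes itself.
    with open(os.path.join(theme, "initial.php"), "w") as f:
        f.write("<?php\n// constructed dropper stand-in (never executed here)\n"
                "$p = base64_decode('...');\n"
                "file_put_contents(__DIR__ . '/../../../wp-includes/vars.php', $p, FILE_APPEND);\n"
                "unlink(__FILE__);\n")
    with open(os.path.join(root, "wp-includes", "vars.php"), "a") as f:
        f.write("// constructed, inert stand-in for the injected webshell\n"
                "if (defined('CONSTRUCTED_STANDIN')) { eval(base64_decode('')); }\n")
    os.remove(os.path.join(theme, "initial.php"))  # self-deletion step


def run_demo():
    root = make_site()
    baseline = build_baseline(root, ["wp-includes/vars.php"])
    before = check_integrity(root, baseline)  # clean tree: nothing flagged
    simulate_compromise(root)
    after = check_integrity(root, baseline)  # core file now differs from baseline
    theme = os.path.join(root, "wp-content", "themes", "demo")
    return {
        "before": before,
        "after": after,
        "vars_hits": scan_patterns(os.path.join(root, "wp-includes", "vars.php")),
        "includes": included_files(os.path.join(theme, "functions.php")),
        "dropper_present": os.path.exists(os.path.join(theme, "initial.php")),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hash comparison is the check that survives the dropper's clean-up: the dropper file is gone, but the modified core file still fails to match its baseline. In a real deployment the baseline comes from the pristine WordPress release rather than from the site itself (WP-CLI's `wp core verify-checksums` does exactly this comparison against the official release checksums), and the dangling include left in functions.php is a second, weaker indicator worth grepping for across every theme directory.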