A massive supply chain attack backdoored 93 WordPress themes and plugins, giving threat actors full access to the websites running them.
In total, threat actors compromised 40 themes and 53 plugins belonging to AccessPress, a developer of WordPress add-ons used in over 360,000 active websites.
The attack was uncovered by researchers from Jetpack, the creators of a security and optimization tool for WordPress sites, who discovered that a PHP backdoor had been added to themes and plugins.
Jetpack believes that an external threat actor hacked the AccessPress website to compromise the software and infect other WordPress sites.
A backdoor for full control
As soon as administrators installed a compromised AccessPress product on their site, the threat actors added a new “initial.php” file to the main theme directory and included it from the theme's main “functions.php” file.
This file contained a base64 encoded payload that writes a webshell to the “./wp-includes/vars.php” file.
The malicious code completed the backdoor installation by decoding the payload and injecting it into the “vars.php” file, essentially giving threat actors remote control of the infected site.
The only reliable way to detect this threat is a basic file integrity monitoring solution, because the malware deletes the “initial.php” dropper after use to cover its tracks.
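Because the dropper removes itself, the evidence that survives is the change to files that were already present (functions.php gaining an include, vars.php gaining a function). The following is an added example, not the article's or Jetpack's code, of the baseline-and-compare integrity check the paragraph refers to. The directory list, file layout and tamper contents in demo() are constructed; only the file names mirror the article.

```python
"""Baseline-and-compare file integrity check for a WordPress install.

Added example, not from the article or from Jetpack/AccessPress. It assumes a
baseline was taken from a known-clean install; WATCHED_DIRS are the directories
the article names as targets (wp-includes for vars.php, the active theme for
functions.php / initial.php).
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Directories worth baselining; wp-content/plugins is a sensible addition.
WATCHED_DIRS = ("wp-includes", "wp-admin", "wp-content/themes")


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file under the watched directories (relative to root) to its hash."""
    root = Path(root)
    baseline = {}
    for sub in WATCHED_DIRS:
        base = root / sub
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if path.is_file():
                baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def compare(baseline, current):
    """Report files that appeared, vanished or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario mirroring the article: the dropper is gone by the
    time anyone looks, but the files it touched still differ from the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        vars_php = root / "wp-includes" / "vars.php"
        vars_php.write_text("<?php\nfunction wp_is_mobile() { return false; }\n")
        theme = root / "wp-content" / "themes" / "example-theme"
        theme.mkdir(parents=True)
        functions_php = theme / "functions.php"
        functions_php.write_text("<?php\n// theme setup\n")

        baseline_file = root / "baseline.json"  # kept outside WATCHED_DIRS
        save_baseline(build_baseline(root), baseline_file)

        # Tampering as described in the article (placeholder text, not real code):
        # functions.php now includes initial.php, vars.php gained an extra function,
        # and initial.php itself has already been deleted.
        functions_php.write_text("<?php\nrequire_once __DIR__ . '/initial.php';\n")
        vars_php.write_text(
            "<?php\nfunction wp_is_mobile_fix() { /* obfuscated blob would be here */ }\n"
            "function wp_is_mobile() { return false; }\n"
        )
        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline file outside the web root (and ideally off-host), since an attacker with file write access could otherwise regenerate it; the check is only as trustworthy as the copy of the baseline it compares against.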
According to the Jetpack researchers who investigated the case to understand the actors' objective, the threat actors used the backdoor to redirect visitors to malware and scam sites, so the campaign was not very sophisticated.
It is also possible that the actor used this malware to sell access to the compromised websites on the dark web, which would be an effective way to monetize such a large-scale infection.
Am I affected?
If you have any of the compromised plugins or themes installed on your site, removing, replacing or updating them will not remove any webshells that may already have been planted.
As such, website administrators are advised to scan their sites for signs of compromise by doing the following:
- Check your wp-includes/vars.php file around lines 146-158. If you see a “wp_is_mobile_fix” function with obfuscated code, you’ve been compromised.
- Search your filesystem for “wp_is_mobile_fix” or “wp-theme-connect” to find any other affected files.
- Replace your main WordPress files with fresh copies.
- Upgrade the affected plugins and switch to a different theme.
- Change wp-admin and database passwords.
Jetpack has provided the following YARA rule, which can be used to check whether a site has been infected; it matches both the dropper and the installed webshell.

rule accesspress_backdoor_infection
{
    strings:
        // IoC's for the dropper
        $inject0 = "$fc = str_replace('function wp_is_mobile()',"
        $inject1 = "$b64($b) . 'function wp_is_mobile()',"
        $inject2 = "$fc);"
        $inject3 = "@file_put_contents($f, $fc);"

        // IoC's for the dumped payload
        $payload0 = "function wp_is_mobile_fix()"
        $payload1 = "$is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile');"
        $payload2 = "$g = $_COOKIE;"
        $payload3 = "(count($g) == 8 && $is_wp_mobile) ?"

        $url0 = /https?:\/\/(www.)?wp-theme-connect.com(\/images\/wp-theme.jpg)?/

    condition:
        all of ( $inject* )
        or all of ( $payload* )
        or $url0
}
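For sites where the yara binary is not available, the manual checks in the list above and the condition of the YARA rule can be reproduced in a short script. The following is an added example, not code from the article or from Jetpack: the indicator strings are copied from the rule, while the directory layout and sample file contents in demo() are constructed for the test and are not working PHP.

```python
"""Scan a WordPress tree for the AccessPress backdoor indicators.

Added example, not from the article or from Jetpack. It reimplements the
article's manual checks (wp_is_mobile_fix in wp-includes/vars.php, the
wp_is_mobile_fix / wp-theme-connect strings anywhere) and the condition of
Jetpack's YARA rule in plain Python, so it runs where yara is not installed.
"""
import re
import tempfile
from pathlib import Path

# Strings from the YARA rule: the dropper ...
INJECT = (
    "$fc = str_replace('function wp_is_mobile()',",
    "$b64($b) . 'function wp_is_mobile()',",
    "$fc);",
    "@file_put_contents($f, $fc);",
)
# ... and the webshell it writes into vars.php.
PAYLOAD = (
    "function wp_is_mobile_fix()",
    "$is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile');",
    "$g = $_COOKIE;",
    "(count($g) == 8 && $is_wp_mobile) ?",
)
URL_RE = re.compile(r"https?://(www\.)?wp-theme-connect\.com(/images/wp-theme\.jpg)?")
# The two substrings the article says to search the filesystem for.
KEYWORDS = ("wp_is_mobile_fix", "wp-theme-connect")


def classify(text):
    """Return the indicator groups found in one file's contents, in a fixed order."""
    hits = []
    if all(s in text for s in INJECT):
        hits.append("dropper")          # YARA: all of ($inject*)
    if all(s in text for s in PAYLOAD):
        hits.append("webshell")         # YARA: all of ($payload*)
    if URL_RE.search(text):
        hits.append("c2-url")           # YARA: $url0
    hits.extend("keyword:" + kw for kw in KEYWORDS if kw in text)
    return hits


def scan_tree(root):
    """Walk every regular file under root; map relative path -> indicator list."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hits = classify(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def vars_php_is_clean(root):
    """The article's first check: wp-includes/vars.php must not define wp_is_mobile_fix."""
    vars_php = Path(root) / "wp-includes" / "vars.php"
    return vars_php.is_file() and "wp_is_mobile_fix" not in vars_php.read_text(errors="replace")


def demo():
    """Constructed tree: a tampered vars.php, a theme file carrying the URL, a clean file.
    The sample contents are the indicator strings themselves, not working PHP."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "vars.php").write_text("<?php\n" + "\n".join(PAYLOAD) + "\n")
        theme = root / "wp-content" / "themes" / "example-theme"
        theme.mkdir(parents=True)
        (theme / "header.php").write_text(
            "<?php // constructed sample\n$u = 'https://wp-theme-connect.com/images/wp-theme.jpg';\n")
        (theme / "functions.php").write_text("<?php\n// untouched theme code\n")
        return {"findings": scan_tree(root), "vars_php_clean": vars_php_is_clean(root)}


if __name__ == "__main__":
    for path, hits in sorted(demo()["findings"].items()):
        print(path, "->", ", ".join(hits))
```

Keep the script outside the tree being scanned: it contains the indicator strings itself and would otherwise show up as a keyword hit. A hit on a single keyword deserves a manual look, while a full "webshell" or "dropper" match is the same evidence the YARA rule produces.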
Backdoors detected in September
Jetpack first detected the backdoor in September 2021, and soon after, researchers discovered that the threat actors had compromised all free plugins and themes belonging to the provider.
Jetpack believes the paid AccessPress add-ons were likely compromised as well, but has not tested them, so this cannot be confirmed.
Based on file timestamps, most of the products had probably been compromised by early September.
On October 15, 2021, the vendor removed its extensions from the official download portal until the point of compromise could be located and fixed.
On January 17, 2022, AccessPress released new “cleaned up” versions for all affected plugins.
However, the affected themes have not yet been cleaned up, so migrating to a different theme is the only way to mitigate security risks.
Users of AccessPress plugins and themes can read Jetpack's post for a complete list of fixed products.
BleepingComputer attempted to contact AccessPress about the compromise, but the contact form did not work.