Dozens of legitimate WordPress add-ons downloaded from their original sources have been found to be backdoored in a supply chain attack, researchers have said. The backdoor was found on “a number” of sites running the open source content management system.
The backdoor gave attackers full administrative control of websites that used at least 93 WordPress plugins and themes downloaded from AccessPress Themes. The backdoor was discovered by security researchers from Jetpack, the security software maker owned by Automattic, provider of the WordPress.com hosting service and a major contributor to the development of WordPress. In total, Jetpack found that 40 AccessPress themes and 53 plugins were affected.
Unknowingly giving attackers access
In a post published on Thursday, Jetpack researcher Harald Eilertsen said timestamps and other evidence suggested the backdoors were intentionally introduced in a coordinated action after the themes and plugins were released. The affected software was available for download directly from the AccessPress Themes site. The same themes and plugins mirrored on WordPress.org, the official website of the WordPress project developers, remained clean.
“Users who used software obtained directly from the AccessPress website unknowingly provided attackers with backdoor access, resulting in an unknown number of compromised websites,” wrote Ben Martin, a researcher at web security company Sucuri, in a separate analysis of the backdoor.
He said the contaminated software contained a script named initial.php that was added to the main theme directory and then included from the theme's main functions.php file. Initial.php, analysis shows, acted as a dropper that used base64 encoding to camouflage code that downloaded a payload from wp-theme-connect[.]com and used it to install the backdoor as wp-includes/vars.php. Once installed, the dropper self-destructed in an attempt to keep the attack stealthy.
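As an added example that is not from the article, Jetpack or Sucuri, the following Python script checks a WordPress install for the three indicators described above (the dropper file, the include from functions.php, and obfuscation calls in the core wp-includes/vars.php); the theme name and file contents it constructs for the demonstration are hypothetical stand-ins, not the real malware.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the reporting above: a dropper named initial.php in a
# theme directory, an include of it from that theme's functions.php, and a
# backdoor written to wp-includes/vars.php (core vars.php has no eval/base64_decode).
DROPPER_NAME = "initial.php"
INCLUDE_RE = re.compile(r"\b(include|require)(_once)?\b[^;]*initial\.php", re.I)
OBFUSC_RE = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def scan_wordpress(root):
    """Return (indicator, path) findings for the WordPress tree at root."""
    root = Path(root)
    findings = []
    themes = root / "wp-content" / "themes"
    if themes.is_dir():
        for theme in sorted(p for p in themes.iterdir() if p.is_dir()):
            if (theme / DROPPER_NAME).exists():
                findings.append(("dropper-present", str(theme / DROPPER_NAME)))
            functions = theme / "functions.php"
            if functions.is_file() and INCLUDE_RE.search(functions.read_text(errors="replace")):
                findings.append(("dropper-included", str(functions)))
    vars_php = root / "wp-includes" / "vars.php"
    if vars_php.is_file() and OBFUSC_RE.search(vars_php.read_text(errors="replace")):
        findings.append(("core-file-obfuscated", str(vars_php)))
    return findings

def build_sample_tree(base):
    """Construct a fake WordPress tree (not real malware) mimicking the infection."""
    base = Path(base)
    theme = base / "wp-content" / "themes" / "accesspress-demo"  # hypothetical theme name
    theme.mkdir(parents=True)
    (theme / "initial.php").write_text("<?php // constructed stand-in for the dropper\n")
    (theme / "functions.php").write_text("<?php\ninclude_once __DIR__ . '/initial.php';\n")
    clean = base / "wp-content" / "themes" / "clean-theme"
    clean.mkdir()
    (clean / "functions.php").write_text("<?php add_theme_support('title-tag');\n")
    (base / "wp-includes").mkdir()
    # Obfuscated-looking stand-in; the base64 merely decodes to "constructed".
    (base / "wp-includes" / "vars.php").write_text("<?php\neval(base64_decode('Y29uc3RydWN0ZWQ='));\n")
    return base

def demo():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_wordpress(build_sample_tree(tmp))

if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind}: {path}")
```

On a real site, point scan_wordpress at the WordPress root and treat any finding as grounds for comparing wp-includes/vars.php against a pristine copy of the same core version.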
Jetpack’s post said evidence points to the supply chain attack on AccessPress Themes being carried out in September. Martin, however, said the evidence suggests the backdoor itself is much older than that. Some of the infected websites had spam payloads dating back nearly three years. He said his best guess was that the people behind the backdoor were selling access to infected sites to people spreading spam and malware across the web.
He wrote: “With such a great opportunity at hand, one would think the attackers would have prepared some exciting new payload or malware, but alas, it appears that the malware we found associated with this backdoor is more of the same: spam and redirects to malicious and fraudulent sites.”
The Jetpack post provides the full names and versions of the infected AccessPress software. Anyone running a WordPress site with this company’s offerings should carefully inspect their systems to ensure that they are not running a compromised instance. Site owners can also consider installing a website firewall, many of which would have prevented the backdoor from working.
The attack is the latest example of a supply chain attack, which compromises the source of legitimate software rather than trying to infect individual users. The technique allows malefactors to infect a large number of users, and it has the advantage of being stealthy, since the compromised software comes from a trusted vendor.
Attempts to contact AccessPress Themes for comment were unsuccessful.