Supply chain attack used legitimate WordPress plugins for backdoor sites



Dozens of legitimate WordPress plugins downloaded from their original source have been found to contain a backdoor planted via a supply chain attack, researchers said. The backdoor has been found on “quite a few” sites running the open source content management system.

The backdoor gave attackers full administrative control of websites using at least 93 WordPress plugins and themes downloaded from AccessPress Themes. The backdoor was discovered by security researchers at Jetpack, the security software maker owned by Automattic, the company behind the WordPress.com hosting service and a major contributor to the development of WordPress. In total, Jetpack found that 40 AccessPress themes and 53 plugins were affected.

Unknowingly providing access to attackers

In a post published Thursday, Jetpack researcher Harald Eilertsen said timestamps and other evidence suggested the backdoors were intentionally introduced in a coordinated action after the themes and plugins were released. The affected software was available for download directly from the AccessPress Themes site. The same themes and plugins mirrored on WordPress.org, the official site of the WordPress project, remained clean.

“Users using software obtained directly from the AccessPress website unknowingly provided backdoor access to attackers, resulting in an unknown number of compromised websites,” wrote Ben Martin, a researcher at the web security firm Sucuri, in a separate analysis of the backdoor.

He said that the contaminated software contained a script called initial.php, which was added to the main directory of the theme and then included from the theme's main functions.php file. Initial.php, the analysis shows, acted as a dropper that used base64 encoding to camouflage code that downloaded a payload from wp-theme-connect[.]com and used it to install the backdoor as wp-includes/vars.php. Once the backdoor was installed, the dropper deleted itself in an attempt to keep the attack stealthy.

The Jetpack post said that evidence indicates that the supply chain attack on AccessPress Themes was carried out in September. Martin, however, said evidence suggests the backdoor itself is much older than that. Some of the infected websites had spam payloads dating back nearly three years. He said his best guess is that the people behind the backdoor were selling access to infected sites to people pushing web spam and malware.

He wrote: “With such a huge opportunity at hand, one would think that the attackers would have prepared an exciting new payload or malware, but unfortunately it appears that the malware we have found associated with this backdoor is more of the same: spam and redirects to malware and scam sites.”

The Jetpack post provides the full names and versions of the infected AccessPress software. Anyone running a WordPress site with this company’s offerings should carefully inspect their systems to ensure they’re not running a backdoored copy. Site owners may also want to consider installing a website firewall, many of which would have prevented the backdoor from working.
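The inspection the article recommends can be partly automated from the indicators it describes. The following Python script is an added example, not tooling from Jetpack, Sucuri or AccessPress: it walks a WordPress document root and flags the traces named above (an `initial.php` in a theme or plugin directory, a `functions.php` that includes it, and a `wp-includes/vars.php` that evaluates base64-decoded code or references the wp-theme-connect[.]com domain). Because the article says the dropper removes itself, the check does not rely on `initial.php` alone. Note that `wp-includes/vars.php` is a genuine WordPress core file, so only its content is examined; an optional SHA-256 of a known-good copy (taken from a fresh WordPress download, not supplied here) can be passed for comparison. The sample site tree is constructed for the demonstration.

```python
"""Scan a WordPress root for the AccessPress backdoor traces described in the article.

Added example (not Jetpack's or Sucuri's code). The sample tree built by
build_sample_site() is constructed for the demo and contains no working code.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Domain named in the article, stored defanged and refanged for string matching.
DROPPER_DOMAIN = "wp-theme-connect[.]com".replace("[.]", ".")
# Obfuscation pattern the article describes: base64-hidden code handed to eval().
EVAL_B64 = re.compile(r"\b(eval|assert)\s*\(\s*@?\s*base64_decode\s*\(", re.I)
# A theme/plugin functions.php pulling in the dropper file.
INCLUDES_INITIAL = re.compile(r"\b(include|require)(_once)?\b[^;]*initial\.php", re.I)


def _rel(path, root):
    return path.relative_to(root).as_posix()


def scan_wordpress_root(root, known_good_vars_sha256=None):
    """Return a sorted list of (indicator, relative_path) findings for one site."""
    root = Path(root)
    findings = []

    # Themes are what the article describes; plugins are checked the same way.
    for kind in ("themes", "plugins"):
        base = root / "wp-content" / kind
        if not base.is_dir():
            continue
        for pkg in sorted(p for p in base.iterdir() if p.is_dir()):
            initial = pkg / "initial.php"
            if initial.is_file():
                findings.append(("initial.php dropper present", _rel(initial, root)))
            functions = pkg / "functions.php"
            if functions.is_file() and INCLUDES_INITIAL.search(
                functions.read_text(errors="replace")
            ):
                findings.append(("functions.php includes initial.php", _rel(functions, root)))

    # vars.php exists in every WordPress install; only its content is suspicious.
    vars_php = root / "wp-includes" / "vars.php"
    if vars_php.is_file():
        data = vars_php.read_bytes()
        text = data.decode("utf-8", errors="replace")
        if EVAL_B64.search(text):
            findings.append(("eval of base64-decoded code in core file", _rel(vars_php, root)))
        if DROPPER_DOMAIN in text:
            findings.append(("dropper domain referenced in core file", _rel(vars_php, root)))
        if known_good_vars_sha256 and hashlib.sha256(data).hexdigest() != known_good_vars_sha256:
            findings.append(("core file hash differs from known-good copy", _rel(vars_php, root)))
    return sorted(findings)


# Constructed stand-ins; the real core file is longer and the real payload is not shown.
CLEAN_VARS = "<?php\n// constructed stand-in for wp-includes/vars.php\n$is_lynx = false;\n"
TAINTED_VARS = (
    CLEAN_VARS
    + "// constructed: beacon host wp-theme-connect.com\n"
    + "eval(base64_decode('BASE64_PAYLOAD_PLACEHOLDER'));\n"
)


def build_sample_site():
    """Create a constructed site tree in a temp dir; return (root, sha256 of the clean vars.php)."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-demo-"))
    clean = root / "wp-content" / "themes" / "clean-theme"
    bad = root / "wp-content" / "themes" / "accesspress-sample"  # hypothetical theme name
    for d in (clean, bad, root / "wp-includes"):
        d.mkdir(parents=True, exist_ok=True)
    (clean / "functions.php").write_text("<?php\nadd_theme_support('title-tag');\n")
    (bad / "functions.php").write_text(
        "<?php\ninclude_once dirname(__FILE__) . '/initial.php';\n"
    )
    (bad / "initial.php").write_text("<?php\n// constructed placeholder, no dropper logic\n")
    (root / "wp-includes" / "vars.php").write_text(TAINTED_VARS)
    return root, hashlib.sha256(CLEAN_VARS.encode()).hexdigest()


if __name__ == "__main__":
    site, good_hash = build_sample_site()
    for indicator, path in scan_wordpress_root(site, good_hash):
        print(f"{indicator}: {path}")
```

On a real host, point `scan_wordpress_root` at the document root and pass the hash of `wp-includes/vars.php` from a clean download of the same WordPress version; a hash mismatch is a stronger signal than the pattern matches, which only catch obfuscation written the way the article describes.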

The attack is the latest example of a supply chain attack, which compromises the source of legitimate software rather than trying to infect individual users. The technique allows attackers to infect large numbers of users and has the advantage of stealth, since the compromised software originates from a trusted vendor.

Attempts to contact AccessPress Themes for comment were unsuccessful.


arstechnica.com
