AccessPress, a popular WordPress theme and plugin provider, was compromised in early September 2021, and several of its themes and plugins were injected with a backdoor. This gave the attackers full access to websites that installed these plugins. While the plugins and themes available on the vendor’s website were infected, the same plugins and themes available in the WordPress directory were not. FinGarde recommends replacing or updating WordPress if you believe you have used any of these themes or plugins, and hunting for the specific file changes detailed in our full recommendations below.
Technical Detail & Additional Information
WHAT IS THE THREAT?
AccessPress, a popular WordPress theme and plugin provider, was compromised in early September 2021, and several of its themes and plugins were injected with a backdoor. A backdoor is a method that allows unauthorized remote access to a system or application. Backdoors can be installed by hackers, IT professionals, governments, etc., and are typically used for spying, data theft, cryptojacking, infecting websites or installing other malware. Common examples of backdoors include Trojans, rootkits, hardware backdoors and cryptographic backdoors. A backdoor can be installed in the target software, or it can be embedded in the hardware, making it more difficult for traditional anti-virus/anti-malware tools to identify. The attack on AccessPress also qualifies as a supply chain attack, in which an attacker gains access to an organization’s network or services by attacking a vendor, or the services provided by a vendor, that the organization uses.
WHY IS IT NOTEWORTHY?
Attacking a vendor’s website and then injecting its products with a backdoor qualifies this as a supply chain attack. WordPress themes are widely used to make websites graphically more presentable, and WordPress plugins are small software additions that run on top of the existing WordPress software. Every organization that downloads these plugins becomes infected and is at risk of compromise if proper security practices are not in place.
WHAT IS THE EXPOSURE OR RISK?
The attackers injected the extensions with a dropper for a webshell that gives them complete access to the infected sites. The attackers are suspected of selling access to infected websites to other cybercriminals, as some of the infected websites were observed carrying a spam payload. The spam payloads in question were most commonly used to redirect users to other malicious websites. Websites using these plugins or themes are at risk of being compromised and fully exposed to the attackers, leading to loss of data and public reputation.
WHAT ARE THE RECOMMENDATIONS?
FinGarde recommends the following actions to limit the impact of a backdoor attack:
- Replace the infected plugins or themes with the latest versions available from the WordPress repository.
- Install a clean version of WordPress to remove any modifications made by the attackers.
- Perform a thorough review of the website code to identify any other potentially malicious code.
- To determine whether the website is infected, check the “wp-includes/vars.php” file around lines 146-185 for a “wp_is_mobile_fix” function containing obfuscated code; stock WordPress does not define this function.
- Search the file system for “wp_is_mobile_fix” or “wp-theme-connect” to identify infected files.
- Change all admin, user and database passwords.
- Follow the incident response process to identify and remove any post-exploitation activity.
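The two file checks above (the “wp_is_mobile_fix” function in wp-includes/vars.php and the “wp-theme-connect” string anywhere in the install) can be run as a read-only scan. The script below is an added example, not part of this advisory or of AccessPress; it assumes the WordPress install root is passed as the first argument and, when none is given, builds a constructed sample tree carrying only the indicator strings so it can be run offline.

```shell
#!/bin/sh
# Added example (not from the advisory): read-only hunt for the indicators
# named in the recommendations. Assumption: $1 is the WordPress install root.

# Print every file under $1 containing either indicator string, one per line.
find_accesspress_iocs() {
    grep -rlE 'wp_is_mobile_fix|wp-theme-connect' "$1" 2>/dev/null | sort
}

# Exit 0 if wp-includes/vars.php defines wp_is_mobile_fix. Stock WordPress
# does not define this function, so any match is suspicious.
vars_php_infected() {
    grep -q 'function[[:space:]]*wp_is_mobile_fix' "$1/wp-includes/vars.php" 2>/dev/null
}

# Number of files carrying an indicator (0 = no hits), for use in scripts.
count_accesspress_iocs() {
    find_accesspress_iocs "$1" | wc -l | tr -d ' '
}

# Constructed sample install: one clean core file, a vars.php carrying only
# the marker function name (no payload), and a plugin file with the other
# indicator string. Used only when no real install root is supplied.
make_sample_install() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/wp-content/plugins/sample-plugin"
    printf '<?php\n// clean core file\n' > "$root/wp-includes/version.php"
    printf '<?php\nfunction wp_is_mobile_fix() { /* constructed marker */ }\n' \
        > "$root/wp-includes/vars.php"
    printf '<?php\n// wp-theme-connect constructed marker\n' \
        > "$root/wp-content/plugins/sample-plugin/sample.php"
    echo "$root"
}

if [ -n "$1" ]; then root="$1"; else root=$(make_sample_install); fi
echo "Scanning $root"
find_accesspress_iocs "$root" | sed 's/^/SUSPICIOUS: /'
if vars_php_infected "$root"; then
    echo "wp-includes/vars.php defines wp_is_mobile_fix: treat the site as compromised"
fi
echo "Indicator hits: $(count_accesspress_iocs "$root")"
```

A non-zero hit count means the install should be treated as compromised and the remaining recommendations (clean reinstall, password rotation, incident response) applied.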
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact us.