Over 90 WordPress themes, plugins backdoored in supply chain attack – BleepingComputer


A massive supply chain attack compromised 93 WordPress themes and plugins to contain a backdoor, giving threat actors full access to websites.

In total, threat actors compromised 40 themes and 53 plugins belonging to AccessPress, a developer of WordPress add-ons used in over 360,000 active websites.

The attack was discovered by researchers at Jetpack, the creators of a security and optimization tool for WordPress sites, who found that a PHP backdoor had been added to the themes and plugins.

Jetpack believes an external threat actor breached the AccessPress website to compromise the software and infect further WordPress sites.

A backdoor to give full control

Once admins installed a compromised AccessPress product on their website, the actors added a new “initial.php” file into the main theme directory and included it in the main “functions.php” file.

This file contained a base64 encoded payload that writes a webshell into the “./wp-includes/vars.php” file.

Encoded payload writing the webshell (Source: Sucuri)

The malicious code completed the backdoor installation by decoding the payload and injecting it into the “vars.php” file, essentially giving the threat actors remote control over the infected website.

The only way to detect this threat is to use a core file integrity monitoring solution, because the malware deletes the “initial.php” dropper to cover its tracks.

According to Sucuri researchers who investigated the case to find out the actors’ goal, the threat actors used the backdoor to redirect visitors to malware-dropping and scam sites. Therefore, the campaign wasn’t very sophisticated.

It’s also possible that the actor used this malware to sell access to backdoored websites on the dark web, which would be an efficient way to monetize such a large-scale infection.

Am I affected?

If you have installed one of the compromised plugins or themes on your website, removing, replacing or updating them won’t uproot any webshells that may have been planted through it.

As such, website administrators are advised to scan their sites for signs of compromise by doing the following:

  • Check your wp-includes/vars.php file around lines 146-158. If you see a “wp_is_mobile_fix” function there with some obfuscated code, you’ve been compromised.
  • Query your file system for “wp_is_mobile_fix” or “wp-theme-connect” to see if there are any affected files.
  • Replace your core WordPress files with fresh copies.
  • Upgrade the affected plugins and switch to a different theme.
  • Change the wp-admin and database passwords.
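As an added example that is not code from the BleepingComputer article, Jetpack or Sucuri, the following POSIX shell script turns two of the points above into runnable checks: the file integrity monitoring the article says is the only way to catch a self-deleting dropper, and the indicator search for “wp_is_mobile_fix” and “wp-theme-connect” in the checklist. The demo site it builds, the file contents it writes, and the function names (`wp_scan_iocs`, `wp_baseline`, `wp_integrity_diff`, `make_demo_site`, `infect_demo_site`) are constructed for illustration; point the first three at a real WordPress root to use them.

```shell
#!/bin/sh
# Added example, not code from the BleepingComputer article, Jetpack or Sucuri.
# Two defender-side checks for the indicators described in the article:
#   1. an indicator scan for the "wp_is_mobile_fix" / "wp-theme-connect" strings,
#   2. a sha256 baseline/diff of the site's PHP files, so that a dropper that
#      deletes itself (initial.php) still leaves a trace as an added/removed
#      file and a modified wp-includes/vars.php shows up as changed.
# The site layout and file contents built by make_demo_site are constructed
# fixtures for illustration; run the functions against a real WordPress root.

hash_cmd() {
    # sha256sum on Linux, shasum on macOS/BSD
    command -v sha256sum >/dev/null 2>&1 && echo sha256sum || echo "shasum -a 256"
}

# Indicator scan. Prints every hit; returns 0 if clean, 1 if any indicator is found.
wp_scan_iocs() {
    root="$1"; hits=0
    vars="$root/wp-includes/vars.php"
    if [ -f "$vars" ] && grep -n "wp_is_mobile_fix" "$vars" >/dev/null 2>&1; then
        echo "IOC: wp_is_mobile_fix present in wp-includes/vars.php at line(s):"
        grep -n "wp_is_mobile_fix" "$vars" | cut -d: -f1
        hits=1
    fi
    for ioc in wp_is_mobile_fix wp-theme-connect; do
        # match the string in file contents (grep -rl) and in file names (find);
        # "|| true" keeps a "no match" exit status from tripping set -e
        found=$( { grep -rl -- "$ioc" "$root" 2>/dev/null; \
                   find "$root" -name "*$ioc*" 2>/dev/null; } | sort -u || true)
        if [ -n "$found" ]; then
            echo "IOC: '$ioc' found in:"; echo "$found"; hits=1
        fi
    done
    return $hits
}

# Write "hash  ./relative/path" for every .php file under the site root, sorted by path.
wp_baseline() {
    root="$1"; out="$2"
    ( cd "$root" && find . -type f -name '*.php' -exec $(hash_cmd) {} + | sort -k2 ) > "$out"
}

# Compare the current tree with a stored baseline. Returns 0 if identical, 1 if any
# file was added, removed or modified (a modified file shows as one "<" and one ">" line).
wp_integrity_diff() {
    root="$1"; baseline="$2"
    current=$(mktemp)
    wp_baseline "$root" "$current"
    changed=$(diff "$baseline" "$current" | grep '^[<>]' || true)
    rm -f "$current"
    if [ -n "$changed" ]; then
        echo "INTEGRITY: changes since baseline:"; echo "$changed"
        return 1
    fi
    return 0
}

# Constructed fixture: a minimal "site" with a clean vars.php. Prints its path.
make_demo_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-includes" "$site/wp-content/themes/demo"
    printf '<?php\n// constructed stand-in for wp-includes/vars.php\nfunction wp_is_mobile() { return false; }\n' \
        > "$site/wp-includes/vars.php"
    printf '<?php\n// constructed stand-in for the theme functions.php\n' \
        > "$site/wp-content/themes/demo/functions.php"
    echo "$site"
}

# Constructed fixture: simulate the post-infection state the article describes
# (an injected function in vars.php and a file carrying the second indicator).
# The function body is a harmless placeholder, not the real obfuscated payload.
infect_demo_site() {
    site="$1"
    printf 'function wp_is_mobile_fix() { /* placeholder, not the real obfuscated code */ }\n' \
        >> "$site/wp-includes/vars.php"
    printf '<?php\n// wp-theme-connect placeholder\n' \
        > "$site/wp-content/themes/demo/wp-theme-connect.php"
}

# Demo run: baseline a clean site, infect it, then both checks should flag it.
site=$(make_demo_site); baseline=$(mktemp)
wp_baseline "$site" "$baseline"
wp_scan_iocs "$site" && echo "clean site: no indicators"
infect_demo_site "$site"
wp_scan_iocs "$site" || echo "-> indicator scan flagged the site"
wp_integrity_diff "$site" "$baseline" || echo "-> integrity diff flagged the site"
rm -rf "$site" "$baseline"
```

The baseline has to be taken from a known-clean state (fresh core files and a freshly installed theme) and stored outside the web root, otherwise a dropper that runs before the first snapshot is simply recorded as normal. The indicator scan is only as good as the two strings the article gives; a reworked payload with a renamed function would pass it, which is why the integrity diff is the check that does not depend on the attacker's naming.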

Jetpack has provided the following YARA rule that can be used to check if a website has …….

Source: https://www.bleepingcomputer.com/news/security/over-90-wordpress-themes-plugins-backdoored-in-supply-chain-attack/