Researchers have found that a total of 93 WordPress add-ons — 40 themes and 53 plugins — have been compromised as part of a large backdoor attack that gives threat actors full access to the websites those add-ons are installed on.
How large is the supply chain attack? On one hand, it’s constrained to AccessPress, a single WordPress developer. But on the other hand, AccessPress’s add-ons are used on more than 360,000 active websites, making this a massive security incident.
We’ve said it before and we’ll say it again: Getting quality antivirus software looks more and more like a necessity every day.
Researchers at security company Jetpack first discovered the attack when they noticed a PHP backdoor had been added to some themes and plugins.
Their theory is that an external threat actor breached AccessPress’s website and compromised its software in order to more easily gain access to a much larger swath of websites.
According to Bleeping Computer, once admins installed one of these add-ons on their WordPress website, the threat actors slipped a new “initial.php” file (one with a base64-encoded payload that writes a webshell into the “./wp-includes/vars.php” file) into the main theme directory and added it to the main “functions.php” file. Once in place, the payload would be decoded, giving the threat actors just what all hackers want: remote control of their target website.
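A defender's check for the three artifacts described above, written as an added example (it is not code from Jetpack, Sucuri, Bleeping Computer or this article). The function names, the 200-character base64 threshold and the sample tree are assumptions made for illustration, and every hit is a prompt for manual review, since a legitimate theme could ship its own initial.php.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# include/require of initial.php inside a theme's functions.php
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*initial\.php", re.I)
# Long base64-looking run; the 200-character threshold is an assumption
B64_RE = re.compile(rb"[A-Za-z0-9+/]{200,}")

def _sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def scan_wordpress(root, clean_vars=None):
    """Return sorted (finding, relative_path) pairs for manual review."""
    root, findings = Path(root), []
    themes = root / "wp-content" / "themes"
    theme_dirs = [p for p in themes.iterdir() if p.is_dir()] if themes.is_dir() else []
    for theme in theme_dirs:
        dropper, funcs = theme / "initial.php", theme / "functions.php"
        if dropper.is_file():
            kind = "initial.php with base64 blob" if B64_RE.search(dropper.read_bytes()) else "initial.php present"
            findings.append((kind, dropper.relative_to(root).as_posix()))
        if funcs.is_file() and INCLUDE_RE.search(funcs.read_text(errors="replace")):
            findings.append(("functions.php loads initial.php", funcs.relative_to(root).as_posix()))
    vars_php = root / "wp-includes" / "vars.php"
    # Core file check: compare with vars.php from a clean download of the SAME WordPress version
    if clean_vars and vars_php.is_file() and _sha256(vars_php) != _sha256(clean_vars):
        findings.append(("vars.php differs from clean copy", "wp-includes/vars.php"))
    return sorted(findings)

def build_constructed_site(base):
    """Create a constructed sample tree: one tampered theme, one untouched theme."""
    base = Path(base)
    for name in ("tampered-theme", "plain-theme"):
        (base / "site/wp-content/themes" / name).mkdir(parents=True)
    (base / "site/wp-includes").mkdir()
    bad = base / "site/wp-content/themes/tampered-theme"
    (bad / "initial.php").write_text("<?php $p = '" + "QUJD" * 60 + "'; // inert placeholder\n")
    (bad / "functions.php").write_text("<?php\ninclude_once get_template_directory() . '/initial.php';\n")
    (base / "site/wp-content/themes/plain-theme/functions.php").write_text("<?php // nothing added\n")
    (base / "clean_vars.php").write_text("<?php $is_constructed_core = true;\n")
    (base / "site/wp-includes/vars.php").write_text("<?php $is_constructed_core = true;\n// appended block\n")
    return base / "site", base / "clean_vars.php"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding, path in scan_wordpress(*build_constructed_site(tmp)):
            print(f"{finding}: {path}")
```

On a real server, point `scan_wordpress` at the WordPress root and pass a `vars.php` taken from a fresh download of the same WordPress version as `clean_vars`.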
The attack happened in September 2021, Sucuri researchers say, and went undetected until now.
Jetpack has put up a list of the compromised add-ons.
If you run a WordPress blog and the list of compromised software includes a plugin or theme you’ve installed between now and last September, you might be infected and you’ll need to check. Here’s how, according to website security company Sucuri:
If compromised, Sucuri recommends taking these steps:
Granted, this incident is just 93 themes and plug-ins, but there’s no harm in checking for the latest threat. As any IT professional can tell you, the online security job is never done.
WordPress has been having a bit of bad luck when it comes to malware attacks and vulnerabilities. Last November, the site ran into a spate of fake ransomware messages that demanded website owners fork over Bitcoin payments or see their files deleted — something that the attackers couldn’t actually accomplish.
The attacks aren’t limited to WordPress, of course. Last week, for example, we covered the ‘Whispergate’ malware family, which acts like ransomware, but which Microsoft says “lacks a ransom recovery mechanism” and is actually “designed to render targeted devices inoperable.”
As for this recently revealed add-on attack, the danger is over now, but a similar incident could be tough to avoid in the future. Antivirus software won’t hurt — we’d recommend McAfee or Norton — but the danger is always out there.
Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for more than a decade. He’s also a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and he has an art history book on 1970s sci-fi coming out from Abrams Books in 2022. In the meantime, he’s hunting down the latest news on VPNs, POS systems, and the future of tech.
© Copyright 2022