Supply Chain Attack on WordPress - STG

Supply Chain Attack on WordPress

Welcome to the latest edition of Another Week, Another Hack.  Today, let's discuss a recent Supply Chain Attack that has back-doored over 90 WordPress themes and plugins.  Ouch, and the hits just keep on coming.

What is a back-doored server?

When a server is back-doored through an attack, it refers to an attempt by unauthorized users...threat actors, to bypass standard security measures and achieve high-level user access to a computer system, network, or software application. 

This attack gave threat actors full access to websites by compromising 93 WordPress Plugins and Themes. Specifically, threat actors gained access to 40 themes and 53 plugins from AccessPress. AccessPress is a WordPress add-on developer active on over 360,000 websites.

Jetpacks discovery of the attack

In fact, researchers at Jetpack, noticed that a PHP backdoor had been installed to the themes and plugins. Therefore, leading to the discovery of the attack. Jetpack is the makers of a security and optimization tool for WordPress sites.

An external threat actor, according to Jetpack, broke into the AccessPress website in order to compromise the software and infect other WordPress sites.

Admins unknowingly installed a compromised AccessPress product on their site, and as soon as that happened, bad actors were able to upload some malicious code giving them full command shell access to the sites.

There's no real easy way to monitor for this sort of activity unless you've got some advanced threat detection running.  If you don't, and you're and AccessPress user, it's safer to assume compromise. 

Sucuri researchers who had investigated the incident figured out the goals of these threat actors were to leverage the backdoor to send users to malware-dropping and scamming sites. It is probable, that the use of this malware was to sell access to back-doored websites through the dark web. 

You might hear this and ask yourself, does this affect me? 

Unfortunately, if you did happen to install a compromised plugin or theme onto your site, removing it or updating it will not get rid of any web shells that have been rooted there. 

Website administrators have been advised to check their sites for any compromise.

Check if your site is clean

The company Jetpack who had noticed the PHP backdoor actually provided the public with a YARA rule to check if your site has been infected. Click here to check for your site!

JetPack had first noticed the backdoor in September of 2021 and after some deeper research found that the attack compromised all free plugins and themes that belonged to them. 

The extensions were taken down from the download portal until the compromise could be located and fixed.

Early this year, AccessPress released all new and "cleaned" plugin versions for those affected. The themes however, remain uncleaned. Cycling to a different theme is the only way to lessen the threat of the security breach.

JetPack released a complete list of fixed products that you can find in their blogpost. 

If you are looking for a company to take care of your cyber security needs, check out our offerings.

So, yeah. Website admins, be safe out there. Make sure you are taking the proper precautions to mitigate the impact of a supply chain backdoor attempt. And feel free to read JetPack's blog post, they offer some insight to help those affected by this WordPress attack.

If you have any questions related to keeping your servers and infrastructure safe, contact our IT experts today to find out more. We’re happy to suggest the best solution for your needs.

Click here to schedule a free 15-minute meeting with Stan Kats, our Founder and Chief Technologist.

STG IT Consulting Group proudly provides IT Service in Greater Los Angeles and the surrounding areas for all of your IT needs.

We look forward to meeting with you!

Logo

Leave a Reply

Your email address will not be published. Required fields are marked *

Receive a Free Copy of our Case Study

  • This field is for validation purposes and should be left unchanged.