WordPress Supply Chain Attack—93 Add-Ons Infected for Months
A popular maker of WordPress plugins and themes was hacked by scrotes unknown. It seems 93 of AccessPress’s offerings were modified to give the hackers “full access” to users’ sites.
This supply-chain hack happened in September, but we’re only hearing about it now? Part of the delay seems to have been due to the AccessPress team (pictured) ignoring security researchers’ attempts to contact it.
Be careful out there, website owners. In today’s SB Blogwatch, we check for IoCs.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: A most useful clock app.
AccessPress Accessed by Hackers
What’s the craic? Bill Toulas reports—“WordPress themes, plugins backdoored in supply chain attack”:
“Compromised in early September”
A massive supply chain attack compromised 93 WordPress themes and plugins … belonging to AccessPress, a developer of WordPress add-ons used in over 360,000 active websites. … As soon as admins installed a compromised AccessPress product on their site [it gave] threat-actors full access.
…
It’s also possible that the actor used this malware to sell access to backdoored websites on the dark web, which would be an effective way to monetize such a large-scale infection.
…
Most of the products had likely been compromised in early September. … On October 15, 2021, the vendor removed the extensions from the official download portal. … On January 17, 2022, AccessPress released new, “cleaned” versions. … However, the affected themes haven’t been cleaned yet.
And Dan Goodin adds in—“Supply chain attack used legitimate WordPress add-ons”:
“Would have prevented the backdoor”
Anyone running a WordPress site with [AccessPress]’s offerings should carefully inspect their systems to ensure they’re not running a backdoored instance. Site owners may also want to consider installing a website firewall, many of which would have prevented the backdoor from working.
…
Attempts to contact AccessPress … for comment were unsuccessful.
Horse’s mouth? Harald Eilertsen—“Backdoor Found”:
“Reinstall a clean version of WordPress”
We discovered some suspicious code in a theme by AccessPress Themes (aka Access Keys), a vendor with a large number of popular themes and plugins. … We suspected an external attacker had breached the website of AccessPress.
…
The infected extensions contained a dropper for a webshell that gives the attackers full access to the infected site. … We contacted the vendor immediately, but at first we did not receive a response.
…
If you have any themes or plugins installed directly from AccessPress Themes or any other place except WordPress.org, you should upgrade immediately to a safe version [or to] the latest version from WordPress.org. … In addition you need to reinstall a clean version of WordPress to revert the core file modifications done during installation of the backdoor.
WordPress considered harmful? babbledabbler swims upstream:
“Hack roulette”
I recently had to take over a WordPress site for a volunteer project and it almost immediately got hacked with spam despite taking great pains to not have this happen. Thousands of SEO pages showed up in the DB after installing some well known marketplace plugins.
…
I would never work on WordPress again and I dissuade people from using it when I hear that they are considering it. … Times have changed and it’s just not a secure platform. Any benefit given by all the plugins is outweighed by “hack roulette” you are playing.
…
There are now many other solutions out there that will be more secure and fit the need for most people.
What’s this about a firewall? To explain, ToasterMonkey pops up: [You’re fired—Ed.]
“Make whole classes of attacks really hard”
Everyone should restrict outbound connections from anything exposed to the Internet. This is like using condoms.
…
A “website firewall” most likely refers to a WAF—Web Application Firewall—which filters incoming HTTP requests for known attacks. They have a complex bundle of rules that you update periodically, sort of like antivirus software. ModSecurity is a free one.
…
Stopping some new attacks might depend on updated WAF rules, but they also make whole classes of attacks really hard. They’re a very good idea for securing something like WordPress, but the administrative burden can be annoying.
But the_frakker blames the victims:
“People who aren’t skilled”
This happens all too often with WordPress plugins. While it can be a great CMS for people who can’t or don’t want to build and run their own site, it also means it gets used by people who aren’t skilled at knowing what the risk is for a plug-in, how to assess it, how to recover from incidents, or how to proactively avoid high-risk plugins in the first place.
How are site owners supposed to know if they’re infected? Tell me a story, christoph:
“See what other people see”
A local … shop runs their online store off a WordPress set up. … Sometimes when I visited to look at their current stock, when clicking into something of interest I would get bombarded with all sorts of random adware ****, new tabs etc. opening with blogspam—typical “Win an iPad” type stuff.
The owner was totally unaware, as this never happens to them. They are logged into the site the whole time, so it deliberately never triggers/fires itself as they make updates, etc.
…
Moral of the story: Always occasionally browse your own web properties from other devices and incognito windows etc., to see what other people see.
And 93 Escort Wagon drives the point home:
Other ideas:
- Look at a plugin’s security track record before agreeing to install it
- Look at whether the plugin actually offers something of value other than a slight shortcut to accomplish something users can actually still do without that plugin
- Require use of a VPN to access the WordPress admin panel
- Disable XML-RPC (which, somewhat ironically, now requires a plugin – or at least a firewall rule addition)
- Don’t allow automatic account creation if you can help it.
Meanwhile, void& sounds slightly sarcastic:
It’s simple. Just read the PHP source before installing it.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
Image sauce: AccessPress Themes
