According to security researchers at Automattic, the popular WordPress theme AccessPress was compromised, and its code was replaced with a backdoored version.
The issue reportedly happened in September of last year. The affected users were unknowingly giving attackers access to their websites.
Although the issue didn’t affect the official WordPress repository, it prompted the removal of the affected software from the platform until a code review could be conducted.
In a supply-chain attack, instead of just taking advantage of vulnerable components in the software, attackers also compromise the source from which it is downloaded and installed. This method can lead to the exploitation of any website or network administrator who downloads and uses the same software later on.
In the infamous 2020 SolarWinds attack, thousands of US government agencies and corporations were breached through such an attack. Once the compromised SolarWinds code was installed, any app or website running the compromised version exposed sensitive information to the hackers.
In the case of AccessPress, after accessing the site, the attackers were able to install PHP backdoors on some of the software components that were provided by developers for free. As a result, some 40 themes and 53 plugins had been affected.
The attackers first created a new file called initial.php, which was added to the theme’s directory:
“The backdoor was quite simple, but provided the attackers with full control over the victim’s websites. The first step they took was adding a new file initial.php into the main theme directory and including it in the main functions.php file. The initial.php file includes a base64 encoded payload which writes a backdoor webshell into the ./wp-includes/vars.php file,” Automattic explained.
The purpose of this is to give the attackers complete control over the website. Aside from granting full access to the site, the malware also runs a self-destruct routine that deletes the initial.php dropper file to keep the system from detecting it.
Researchers stress it is very important that websites use core file integrity monitoring to prevent exploitation: “However, if a victim website uses a security plugin that utilises core file integrity monitoring, changes to the core file vars.php should indicate it was modified. So, this is a great example of why core file integrity monitoring is so crucial for website security.”
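As an added illustration of the core file integrity monitoring the researchers recommend (example code written for this article, not Automattic's or WordPress's own), the following Python script records a SHA-256 baseline for a known-good core file and flags later changes to it; the directory layout and file contents are constructed stand-ins, and the "injected" line is a harmless placeholder, not the real payload.

```python
import hashlib
import tempfile
from pathlib import Path

# The file the AccessPress dropper wrote its webshell into, per the report.
# Because the dropper deletes itself, the modified core file is often the
# only durable evidence left on disk.
CORE_FILES = ("wp-includes/vars.php",)


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path, rel_paths=CORE_FILES) -> dict:
    """Record hashes of core files taken from a known-good install."""
    return {rel: sha256_of(root / rel) for rel in rel_paths}


def check_integrity(root: Path, baseline: dict) -> list:
    """Return (path, reason) for every baseline file that is missing or changed."""
    findings = []
    for rel, expected in baseline.items():
        path = root / rel
        if not path.exists():
            findings.append((rel, "missing"))
        elif sha256_of(path) != expected:
            findings.append((rel, "modified"))
    return findings


def demo() -> list:
    """Constructed scenario: baseline a clean install, then tamper with vars.php."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        vars_php = root / "wp-includes" / "vars.php"
        # Constructed stand-in for the real core file contents.
        vars_php.write_text("<?php\n$is_lynx = false;\n")
        baseline = build_baseline(root)
        clean = check_integrity(root, baseline)  # expected: [] on a clean install
        # Simulate the dropper appending to the core file (placeholder text only).
        with vars_php.open("a") as fh:
            fh.write("\n// [constructed placeholder for injected code]\n")
        return clean + check_integrity(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"ALERT: {rel} {reason}")
```

In a real deployment the baseline would be taken from a fresh copy of the matching WordPress release, not from the possibly already-compromised site.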
According to Automattic, the attackers had plenty of opportunities to drop additional malware. Instead, they used these opportunities to spread spam and redirect users to other spam sites.
The actors who compromised AccessPress have likely been selling access to backdoored websites to spammers on the black market.
After going through the websites affected by this issue, Automattic discovered that many of them had spam payloads that were launched several years ago.