Hacking

Tens of AccessPress WordPress themes compromised as part of a supply chain attack

Threat actors planted a backdoor into multiple WordPress themes and plugins after compromising the website of their developer.

In a classic supply chain attack, threat actors planted a backdoor in dozens of WordPress plugins and themes hosted on a developer’s website. The attack took place in the first half of September 2021, the attackers compromised 40 themes and 53 plugins belonging to AccessPress Themes. The issue has been tracked as CVE-2021-24867.

The security researchers from JetPack discovered the attack while investigating a compromised site using a theme by AccessPress Themes. On further investigation, the experts discovered that all the themes and most plugins from the company available on their own website were backdoored. The same components available on the WordPress.org directory appeared clean.

“The infected extensions contained a dropper for a webshell that gives the attackers full access to the infected sites. The dropper is located in the file inital.php located in the main plugin or theme directory. When run it installs a cookie based webshell in wp-includes/vars.php. The shell is installed as a function just in front of the wp_is_mobile() function with the name of wp_is_mobile_fix(). This is presumably to not arouse suspicion to anybody casually scrolling through the vars.php file.” reads the advisory published by JetPack.

The researchers also spotted another variant of the backdoor directly embedded in the theme/plugin’s functions.php file. This variant is likely an older version of the malware an uses the same mechanism with piecing together the payload from eight cookies.

Below is the list of themes and versions compromised by the attack. AccessPress Themes has yet to provide updates for any of these components and they have been removed from the WordPress.org repository.

Theme slugVersion
accessbuddy1.0.0
accesspress-basic3.2.1
accesspress-lite2.92
accesspress-mag2.6.5
accesspress-parallax4.5
accesspress-ray1.19.5
accesspress-root2.5
accesspress-staple1.9.1
accesspress-store2.4.9
agency-lite1.1.6
aplite1.0.6
bingle1.0.4
bloger1.2.6
construction-lite1.2.5
doko1.0.27
enlighten1.3.5
fashstore1.2.1
fotography2.4.0
gaga-corp1.0.8
gaga-lite1.4.2
one-paze2.2.8
parallax-blog3.1.1574941215
parallaxsome1.3.6
punte1.1.2
revolve1.3.1
ripple1.2.0
scrollme2.1.0
sportsmag1.2.1
storevilla1.4.1
swing-lite1.1.9
the-launcher1.3.2
the-monday1.4.1
uncode-lite1.3.1
unicon-lite1.2.6
vmag1.2.7
vmagazine-lite1.3.5
vmagazine-news1.0.5
zigcy-baby1.0.6
zigcy-cosmetics1.0.5
zigcy-lite2.0.9

Researchers from security firm Sucuri published a separate analysis the revealed that some of the infected websites had spam payloads dating back almost three years. This circumstance suggests that threat actors behind the campaign were likely selling access to the websites to other cyber cybercrime groups.

“we found quite a few compromised sites that lined up with the same timeline for this hack. Some of the infected websites we found utilising this backdoor had old recycled spam payloads that we have seen on other websites as far back as three years.” states Sucuri. “If I had to guess, whoever was behind the initial compromise of AccessPress were likely selling access to backdoored websites on the black market to spammers who recycled the same old malware that they always use on websites.”

In order to check if a website has been affected by this attack, administrators can perform the following actions recommended by Sucuri experts:

  1. Check your wp-includes/vars.php file around lines 146-158. If you see a “wp_is_mobile_fix” function there with some obfuscated code, you’ve been compromised
  2. You can also query your file system for “wp_is_mobile_fix” or “wp-theme-connect” to see if there are any affected files

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress themes)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

5 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

17 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

21 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.