Hacking AccessPress: Planting Backdoors in 93 WordPress themes and plugins

Through a massive supply chain attack, hackers successfully compromised 93 WordPress themes and plugins with a backdoor, giving them full access to the site. In total, the hackers compromised 40 themes and 53 plugins belonging to AccessPress, a developer of WordPress plugins used on more than 360,000 active websites.


The attack was first discovered by researchers at Jetpack, the company behind the WordPress website security and optimization tool of the same name, who found that a PHP backdoor had been added to the themes and plugins. Jetpack believes that an external threat actor compromised the AccessPress site, trojanized the software hosted there, and through it infected further WordPress sites.

Once an administrator has installed a compromised AccessPress product on their website, the malicious code adds a new “initial.php” file to the main theme directory and hooks it into the theme's main “functions.php” file. This file contains a base64-encoded payload that writes a web shell to the “./wp-includes/vars.php” file.

The malicious code completes the installation of the backdoor by decoding the payload and injecting it into the “vars.php” file, giving the threat actor remote control over the infected website. The only way to detect this threat is to use a core file integrity monitoring solution, because the malware deletes the “initial.php” dropper afterwards to cover its tracks.
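As an added illustration (not code from the article or from Jetpack's research), the following Python check does the two things the description above implies a defender needs: compare wp-includes/vars.php against a trusted hash and look in each theme for an initial.php file or a functions.php line that includes it. The mini WordPress tree, the stand-in vars.php content and the baseline hash are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# A functions.php statement that pulls in the dropper, e.g. require_once 'initial.php';
INCLUDE_RE = re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*initial\.php")

# Constructed stand-in for the real core file; in practice hash the file from a clean install.
CLEAN_VARS = "<?php\n// constructed stand-in for wp-includes/vars.php\n$is_apache = true;\n"

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_wordpress(root, baseline):
    """Compare core files against baseline {rel_path: sha256}, then inspect every theme."""
    findings = []
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings.append(f"core file missing: {rel}")
        elif sha256_file(path) != expected:
            findings.append(f"core file modified: {rel}")
    themes = os.path.join(root, "wp-content", "themes")
    for theme in sorted(os.listdir(themes)):
        tdir = os.path.join(themes, theme)
        if os.path.isfile(os.path.join(tdir, "initial.php")):
            findings.append(f"dropper present: {theme}/initial.php")
        fpath = os.path.join(tdir, "functions.php")
        if os.path.isfile(fpath):
            with open(fpath, encoding="utf-8", errors="replace") as f:
                if INCLUDE_RE.search(f.read()):
                    findings.append(f"functions.php hooks initial.php: {theme}")
    return findings

def build_demo(infected):
    """Constructed tree; the infected variant mirrors the post-install state described
    in the article: vars.php altered and the initial.php dropper already deleted."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "demo-theme")
    os.makedirs(theme)
    vars_php = os.path.join(root, "wp-includes", "vars.php")
    os.makedirs(os.path.dirname(vars_php))
    with open(vars_php, "w") as f:
        f.write(CLEAN_VARS)
    baseline = {"wp-includes/vars.php": sha256_file(vars_php)}  # taken before infection
    hook = "<?php\nrequire_once __DIR__ . '/initial.php';\n" if infected else "<?php\n"
    with open(os.path.join(theme, "functions.php"), "w") as f:
        f.write(hook + "add_theme_support('title-tag');\n")
    if infected:  # constructed marker standing in for appended web shell code
        with open(vars_php, "a") as f:
            f.write("// appended content\n")
    return root, baseline
```

Because the dropper removes itself, only the hash mismatch on vars.php and the leftover include line in functions.php remain as evidence, which is why the baseline must be recorded from a known-clean install.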
