A newly discovered supply chain attack is believed to have put over 300,000 WordPress sites at risk.
Cybersecurity researchers from Jetpack (a security and optimization tool for WordPress) discovered that a malicious actor had compromised AccessPress, a developer of themes and add-ons for the website builder.
AccessPress has so far built 40 themes and 53 plugins. All of the free ones were compromised, and once installed they give attackers full control of the website. The researchers did not test the commercial products and cannot confirm whether they were also compromised. The report also states that the malicious code that grants attackers access covers its tracks with relative success. Reportedly, the only way to find out whether a site has been compromised is to use a basic file integrity monitoring solution.
Access sold online
So far, researchers have discovered that the backdoor is used to redirect visitors to malware-dropping and scam sites. Given the complexity of the initial compromise and the lack of sophistication of the second stage, researchers are inclined to believe that the original malicious actors most likely sold access to third parties on the dark web.
BleepingComputer says 360,000 websites use AccessPress add-ons and themes. Jetpack first discovered the threat in September 2021, and AccessPress removed the add-ons and themes from the store on October 15. After a few months spent resolving the issue, the developers released a clean new build of all affected plugins on January 17.
However, if the site has already been compromised, simply installing the latest version will not remove the backdoor. It will simply prevent future threats. So far, according to BleepingComputer, the only way to clean up the site is to migrate to a different theme.
To find out if your site has been compromised, WordPress users can follow the instructions found here.
Via: BleepingComputer