Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy Security

Supply Chain Attack Used Legitimate WordPress Add-Ons To Backdoor Sites (arstechnica.com) 16

An anonymous reader quotes a report from Ars Technica: Dozens of legitimate WordPress add-ons downloaded from their original sources have been found backdoored through a supply chain attack, researchers said. The backdoor has been found on "quite a few" sites running the open source content management system. The backdoor gave the attackers full administrative control of websites that used at least 93 WordPress plugins and themes downloaded from AccessPress Themes. The backdoor was discovered by security researchers from JetPack, the maker of security software owned by Automatic, provider of the WordPress.com hosting service and a major contributor to the development of WordPress. In all, Jetpack found that 40 AccessPress themes and 53 plugins were affected.

In a post published Thursday, Jetpack researcher Harald Eilertsen said timestamps and other evidence suggested the backdoors were introduced intentionally in a coordinated action after the themes and plugins were released. The affected software was available by download directly from the AccessPress Themes site. The same themes and plugins mirrored on WordPress.org, the official developer site for the WordPress project, remained clean. "Users who used software obtained directly from the AccessPress website unknowingly provided attackers with backdoor access, resulting in an unknown number of compromised websites," Ben Martin, a researcher with Web security firm Sucuri, wrote in a separate analysis of the backdoor.

The Jetpack post said evidence indicates that the supply chain attack on AccessPress Themes was performed in September. Martin, however, said evidence suggests the backdoor itself is much older than that. Some of the infected websites had spam payloads dating back nearly three years. He said his best guess is that the people behind the backdoor were selling access to infected sites to people pushing web spam and malware. He wrote, "[...] it seems that the malware that we've found associated with this backdoor is more of the same: spam, and redirects to malware and scam sites." The Jetpack post provides full names and versions of the infected AccessPress software. Anyone running a WordPress site with this company's offerings should carefully inspect their systems to ensure they're not running a backdoored instance. Site owners may also want to consider installing a website firewall, many of which would have prevented the backdoor from working.

This discussion has been archived. No new comments can be posted.

Supply Chain Attack Used Legitimate WordPress Add-Ons To Backdoor Sites

Comments Filter:
  • by Anonymouse Cowtard ( 6211666 ) on Saturday January 22, 2022 @12:24AM (#62196447) Homepage
    Yeah, well.
  • Getting your bling from whizzydownloads.com isn't what I'd call supply chain.

  • Website firewall (Score:5, Insightful)

    by xalqor ( 6762950 ) on Saturday January 22, 2022 @12:57AM (#62196477)

    Blocking outbound access is one of those things that sounds good, but when you give it to a typical WordPress "admin" they'll get so frustrated with all the plugins that break, they'll just turn off the firewall.

    Although it's not rocket science, people generally don't have the time or expertise to figure out which outbound requests they should allow. You can't really trust plugins to tell you, because that defeats the purpose of an external control, so you're back to curated plugins from a directory that you trust.

    As stated in the summary, the ones on the WordPress plugin directory didn't have the backdoor. The WordPress team reviews them, so probably the attackers didn't want to get caught too early.

    So beside a website firewall, some good advice for people who use WordPress might be to only get plugins from the directory, and backup their site.

    • Other ideas:

      - Look at a plugin's security track record before agreeing to install it
      - Look at whether the plugin actually offers something of value other than a slight shortcut to accomplish something users can actually still do without that plugin
      - Require use of a VPN to access the Wordpress admin panel
      - Disable XML-RPC (which, somewhat ironically, now requires a plugin - or at least a firewall rule addition)
      - Don't allow automatic account creation if you can help it

      • How about, Don't Use Wordpress(if you have the skill set, otherwise you do what you need to do). I took a look at Wordpress back in the day and created and administrated client sites for a few years. Both remote hosted and locally hosted. In the end I moved on, just because Wordpress was such a potential target and the whole plugin for features seemed so semi stable for my tastes.
        • How about, Don't Use Wordpress(if you have the skill set, otherwise you do what you need to do).

          You seem to think that every website is being managed by a single dedicated individual or perhaps by a well trained group of technical people. In smaller organizations that's rarely the case anymore, from what I've seen. In my world, at least, the day-to-day web content is now handled by people who think HTML is a clump of four random capital letters, the list of things the dwindling number of computing staff have to cover is getting longer and longer, and certain choices are being made for financial reason

      • Wordpress' meteoric success means that its also a valuable target. It also means there's a lot of companies that depend on WordPress that have a vested interest in keeping it as secure as possible. Let's hope at least enough of them understand this & fund & lobby appropriately. I have a personal WordPress blog, very niche & uninteresting to most, & I use pretty much the default everything. My visitors aren't interested in website features, they just want to read/watch the content. Anything e
    • Blocking outbound access is one of those things that sounds good, but when you give it to a typical WordPress "admin" they'll get so frustrated with all the plugins that break, they'll just turn off the firewall.

      Yes, at a minimum, everyone should restrict outbound connections from anything exposed to the Internet. This is like using condoms, don't make it an option.

      A "website firewall" most likely refers to a WAF, Web Application Firewall, which filters _incoming_ HTTP requests for known attacks. They have a complex bundle of rules that you update periodically, sort of like antivirus software. ModSecurity is a free one that uses Apache.

      Stopping some new attacks might depend on updated WAF rules, but they also ma

  • Vulnerabilities are discovered months or years after they have been implemented when they become common knowledge among crackers and are used by semi pro's.
  • The backdoor gave the attackers full administrative control of websites that used at least 93 WordPress plugins and themes downloaded from AccessPress Themes.

    I only use 92 so I'm safe!

Doubt is not a pleasant condition, but certainty is absurd. - Voltaire

Working...