Massive WordPress site file integrity fail 01-27-2022, 01:26 AM
#1
Okay, it looks as if a critical file integrity fail - WordPress exploit - is being exploited in the wild.
Quote:
A massive supply chain attack compromised 93 WordPress themes and plugins to contain a backdoor, giving threat-actors full access to websites.
In total, threat actors compromised 40 themes and 53 plugins belonging to AccessPress, a developer of WordPress add-ons used in over 360,000 active websites.
The attack was discovered by researchers at Jetpack, the creators of a security and optimization tool for WordPress sites, who discovered that a PHP backdoor had been added to the themes and plugins.
Jetpack believes an external threat actor breached the AccessPress website to compromise the software and infect further WordPress sites.
PHP lets you call a function by putting brackets after a string dereference. Attackers used it to gain remote access via a snippet of backdoored code in the functions.php file on the sites. They did this by altering code from the AccessPress website that serves WP modules - and they did just that. It exposed 20,000 sites to the malware.
It's not one-of-a-kind, however. It simply utilizes a similar technique to other webshells, by exploiting the string dereference to call a function embedded (and probably encoded) to the site, offering a remote shell or other persistence. This has been known as a bug in SEO plugins for a long time and WordPress would do well to shield further users from this as soon as possible.
ed25519/0x21AB6B6A6CB2C337
C87D87466FD205945CF10A3821AB6B6A6CB2C337
RE: Massive WordPress site file integrity fail 01-28-2022, 06:13 AM
#2
100% being exploited currently. Due to Wordpress being semi-relevant to my work, I've seen the results firsthand.
RE: Massive WordPress site file integrity fail 01-28-2022, 07:32 AM
#3
This is concerning for those that use it. It's nice that the article gives people suggestions on how to see if their site has been affected:
Quote:
If you have installed one of the compromised plugins or themes on your site, removing/replacing/updating them won’t uproot any webshells that may have been planted through it.
As such, website administrators are advised to scan their sites for signs of compromise by doing the following:
Check your wp-includes/vars.php file around lines 146-158. If you see a “wp_is_mobile_fix” function there with some obfuscated code, you’ve been compromised.
Query your file system for “wp_is_mobile_fix” or “wp-theme-connect” to see if there are any affected files.
Replace your core WordPress files with fresh copies.
Upgrade the affected plugins and switch to a different theme.
Change the wp-admin and database passwords.
Jetpack has provided the following YARA rule that can be used to check if a site has been infected and detect both the dropper and the installed webshell.
Code:
rule accesspress_backdoor_infection
{
    strings:
        // IoC's for the dropper
        $inject0 = "$fc = str_replace('function wp_is_mobile()',"
        $inject1 = "$b64($b) . 'function wp_is_mobile()',"
        $inject2 = "$fc);"
        $inject3 = "@file_put_contents($f, $fc);"
        // IoC's for the dumped payload
        $payload0 = "function wp_is_mobile_fix()"
        $payload1 = "$is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile');"
        $payload2 = "$g = $_COOKIE;"
        $payload3 = "(count($g) == 8 && $is_wp_mobile) ?"
        $url0 = /https?:\/\/(www\.)?wp\-theme\-connect\.com(\/images\/wp\-theme\.jpg)?/
    condition:
        all of ( $inject* )
        or all of ( $payload* )
        or $url0
}
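For admins who cannot install a YARA binary on shared hosting, the same check can be done with a small script. The following is an added example, not code from Jetpack or from the post above: it re-implements the rule's four dropper strings, four payload strings and callback-URL regex in plain Python, applies the rule's condition (all dropper strings, or all payload strings, or the URL) to every .php file under a WordPress root, and reports which branch fired per file. The directory layout, the function names and the sample files it builds in a temp directory are assumptions; the sample "infected" vars.php contains only the signature fragments quoted in the rule, not working backdoor code.

```python
"""Added example: scan a WordPress tree for the AccessPress backdoor IoCs
from the Jetpack YARA rule. Not Jetpack's code; string lists and the
condition logic are transcribed from the rule, everything else is assumed."""
import os
import re
import tempfile

# Dropper indicators: all four must be present (mirrors `all of ($inject*)`).
INJECT_STRINGS = [
    "$fc = str_replace('function wp_is_mobile()',",
    "$b64($b) . 'function wp_is_mobile()',",
    "$fc);",
    "@file_put_contents($f, $fc);",
]
# Payload indicators: all four must be present (mirrors `all of ($payload*)`).
PAYLOAD_STRINGS = [
    "function wp_is_mobile_fix()",
    "$is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile');",
    "$g = $_COOKIE;",
    "(count($g) == 8 && $is_wp_mobile) ?",
]
# The callback URL regex from the rule; a single hit is enough on its own.
URL_RE = re.compile(r"https?://(www\.)?wp-theme-connect\.com(/images/wp-theme\.jpg)?")


def classify(content: str) -> set:
    """Return the set of rule branches ('dropper', 'payload', 'url') that fire
    for one file's contents; an empty set means the file looks clean."""
    hits = set()
    if all(s in content for s in INJECT_STRINGS):
        hits.add("dropper")
    if all(s in content for s in PAYLOAD_STRINGS):
        hits.add("payload")
    if URL_RE.search(content):
        hits.add("url")
    return hits


def scan_tree(root: str) -> dict:
    """Walk a WordPress install and map each flagged .php file (relative path)
    to the set of branches that matched."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                # errors="replace" keeps the scan going on odd encodings; the
                # IoC strings are ASCII so they still match.
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = classify(fh.read())
            except OSError:
                continue
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo() -> dict:
    """Build a constructed WordPress-like tree (assumed layout, sample data)
    with one clean plugin file and one vars.php carrying the payload IoCs,
    then scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes"))
    os.makedirs(os.path.join(root, "wp-content", "plugins", "sample-plugin"))
    # Clean plugin file: no indicator strings at all.
    with open(os.path.join(root, "wp-content", "plugins", "sample-plugin", "sample.php"), "w") as fh:
        fh.write("<?php\nfunction sample_plugin_init() {\n    return true;\n}\n")
    # Constructed sample: genuine-looking wp_is_mobile() followed by the
    # payload signature fragments and the callback URL (not runnable code).
    with open(os.path.join(root, "wp-includes", "vars.php"), "w") as fh:
        fh.write("<?php\nfunction wp_is_mobile() {\n    return false;\n}\n")
        fh.write("\n".join(PAYLOAD_STRINGS) + "\n")
        fh.write("// http://wp-theme-connect.com/images/wp-theme.jpg\n")
    return scan_tree(root)


if __name__ == "__main__":
    for rel_path, branches in demo().items():
        print(f"{rel_path}: {', '.join(sorted(branches))}")
```

Run it against a real install with `scan_tree("/path/to/wordpress")`; a `payload` hit in wp-includes/vars.php is the installed webshell, a `dropper` hit points at the plugin or theme file that wrote it, and either way the remediation steps quoted above (fresh core files, updated plugins, new theme, rotated passwords) still apply because removing the plugin alone leaves the shell in place.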
RE: Massive WordPress site file integrity fail 01-28-2022, 07:56 AM
#4
(01-28-2022, 06:13 AM)Dismas Wrote: 100% being exploited currently. Due to Wordpress being semi-relevant to my work, I've seen the results firsthand.
This is unfortunate. At least it wasn't public before they were working on a patch - well, not very long anyway. The IoC's make it easy to determine whether you're infected, so that's helpful. Other webshells completely reverse the code that was changed, allowing them to essentially hide further to allow more persistence.