How To Detect And Fix CVE-2021–24867- Backdoor In AccessPress Themes And Plugins
JetPack, A well-known WordPress plugin developer, disclosed a backdoor in multiple AccessPress themes and plugins. As per the report, the backdoor CVE-2021–24867 is capable of providing full access to the victim site. It’s been found there are around 40 teams and 53 plugins are vulnerable to this supply chain attack. Let’s see how to detect and fix the CVE-2021–24867 backdoor found in these multiple AccessPress themes and plugins in this post.
AccessPress, a known themes and plugins creator for WordPress CMS platform. AccessPress was in the headlines for being a compromise in September 2021. It is said that since then, the attackers have been working on replacing backdoored themes and plugins on the AccessPress website. Researchers have found malicious code on 40 themes and 53 plugins on the AccessPress website so far.
On a note, users who installed the themes and plugins directly from the AccessPress website are vulnerable to this supply chain attack. Users who have downloaded the themes and plugins from the word press repository are not vulnerable. Please visit Jetpack and Sucuri posts for more technical details.
What Is Supply Chain Attack?
A supply chain attack is, commonly referred to as a value-chain of a third-party attack, occurs when an attacker accesses an organization’s networking by infiltrating a supplier or business partner that comes in contact with its data. Hackers generally tamper with the manufacturing process by installing hardware-based spying components or a rootkit. This attack aims to damage an organization’s reputation by targeting less secure elements in the supply chain network.
Supply chain attacks are designed to manipulate relationships between a company and external parties. These relationships may include vendor relationships, partnerships, or the use of third-party software. Cybercriminals compromise an organization and then move up the supply chain to take advantage of trusted relationships and gain access to other organizations’ environments.
List Of AccessPress Themes Affected
Here is the list of themes affected by this supply chain attack. Website owners should pay attention to this list and update their theme to the latest version when available or replace the files of the theme with clean files downloaded from the WordPress repository.
List Of AccessPress Plug-ing Affected
The below list has the list of affected plug-ins with affected version and clean version information. We recommend checking the version available on your WordPress site and updating the theme to a clean version. As a note, we would recommend downloading the plug-ins from official wordpress.org.
How To Detect And Fix CVE-2021–24867- Backdoor In AccessPress Themes And Plug-ins?
If you have been using any of the themes or plug-ins listed out in the above table, it is worth verifying that your site is compromised. There are some tips to validate that your site is backdoored.
- Check for “wp_is_mobile_fix” function in vars.php file. If you see some obfuscated code inside the function, then your site is backdoored.
- Jetpack has published a YARA rule to detect the backdoor. Download the Yara packages on your host server and run this YARA rule to detect the compromise. Please visit their site for more information.
- If you found that your site is compromised, follow these tips to fix CVE-2021–24867 the issue.
1 . Replace your core WordPress files with fresh copies.
2 . Replace the affected theme or plug-ins files with the fresh copy of files downloaded from the official WordPress repository.
3 . Reset all the admin, user, and database passwords.
4 . We can also suggest taking the Vendor or expert support to remove the infection.
YARA Rule To Detect CVE-2021–24867- Backdoor In AccessPress Themes And Plugins
// IoC's for the dropper
$inject0 = "$fc = str_replace('function wp_is_mobile()',"
$inject1 = "$b64($b) . 'function wp_is_mobile()',"
$inject2 = "$fc);"
$inject3 = "@file_put_contents($f, $fc);" // IoC's for the dumped payload
$payload0 = "function wp_is_mobile_fix()"
$payload1 = "$is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile');"
$payload2 = "$g = $_COOKIE;"
$payload3 = "(count($g) == 8 && $is_wp_mobile) ?"
$url0 = /https?:\/\/(www\.)?wp\-theme\-connect\.com(\/images\/wp\-theme\.jpg)?/ condition: all of ( $inject* )
or all of ( $payload* )
We hope this post will help you know How to detect and fix CVE-2021–24867- Backdoor in AccessPress Themes and Plugins on your WordPress website. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
Originally published at https://www.thesecmaster.com on January 25, 2022.