How To Detect And Fix CVE-2021-24867- Backdoor In AccessPress Themes And Plugins

JetPack, A well-known WordPress plugin developer, disclosed a backdoor in multiple AccessPress themes and plugins. As per the report, the backdoor CVE-2021–24867 is capable of providing full access to the victim site. It’s been found there are around 40 teams and 53 plugins are vulnerable to this supply chain attack. Let’s see how to detect and fix the CVE-2021-24867 backdoor found in these multiple AccessPress themes and plugins in this post.

AccessPress, a known themes and plugins creator for WordPress CMS platform. AccessPress was in the headlines for being a compromise in September 2021. It is said that since then, the attackers have been working on replacing backdoored themes and plugins on the AccessPress website. Researchers have found malicious code on 40 themes and 53 plugins on the AccessPress website so far.

On a note, users who installed the themes and plugins directly from the AccessPress website are vulnerable to this supply chain attack. Users who have downloaded the themes and plugins from the word press repository are not vulnerable. Please visit Jetpack and Sucuri posts for more technical details.

What Is Supply Chain Attack?

A supply chain attack is, commonly referred to as a value-chain of a third-party attack, occurs when an attacker accesses an organization’s networking by infiltrating a supplier or business partner that comes in contact with its data. Hackers generally tamper with the manufacturing process by installing hardware-based spying components or a rootkit. This attack aims to damage an organization’s reputation by targeting less secure elements in the supply chain network. 

Supply chain attacks are designed to manipulate relationships between a company and external parties. These relationships may include vendor relationships, partnerships, or the use of third-party software. Cybercriminals compromise an organization and then move up the supply chain to take advantage of trusted relationships and gain access to other organizations’ environments.

List Of AccessPress Themes Affected

Here is the list of themes affected by this supply chain attack. Website owners should pay attention to this list and update their theme to the latest version when available or replace the files of the theme with clean files downloaded from the WordPress repository.

List Of AccessPress Plug-ing Affected

The below list has the list of affected plug-ins with affected version and clean version information. We recommend checking the version available on your WordPress site and updating the theme to a clean version. As a note, we would recommend downloading the plug-ins from official wordpress.org.

How To Detect And Fix CVE-2021-24867- Backdoor In AccessPress Themes And Plug-ins?

If you have been using any of the themes or plug-ins listed out in the above table, it is worth verifying that your site is compromised. There are some tips to validate that your site is backdoored.

YARA Rule To Detect CVE-2021-24867- Backdoor In AccessPress Themes And Plugins

rule accesspress_backdoor_infection
{
strings:
 
   // IoC's for the dropper
   $inject0 = "$fc = str_replace('function wp_is_mobile()',"
   $inject1 = "$b64($b) . 'function wp_is_mobile()',"
   $inject2 = "$fc);"
   $inject3 = "@file_put_contents($f, $fc);"
 
   // IoC's for the dumped payload
   $payload0 = "function wp_is_mobile_fix()"
   $payload1 = "$is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile');"
   $payload2 = "$g = $_COOKIE;"
   $payload3 = "(count($g) == 8 && $is_wp_mobile) ?"
 
   $url0 = /https?:\/\/(www\.)?wp\-theme\-connect\.com(\/images\/wp\-theme\.jpg)?/
 
condition:
 
   all of ( $inject* )
   or all of ( $payload* )
   or $url0
}

We hope this post would help you know How to detect and fix CVE-2021-24867- Backdoor in AccessPress Themes and Plugins on your WordPress website. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.