SUPPLY CHAIN ATTACKS
Hack of FishPig distribution server used to set up Rekoobe on customer systems.
FishPig, a UK-based maker of e-commerce software utilized by as much as 200,000 websites, is urging customers to reinstall or update all existing program extensions after discovering a security breach of its distribution server that allowed criminals to surreptitiously backdoor customer systems.
The unknown threat actors used their control of FishPig’s systems to handle a supply chain attack that infected customer systems using FishPig’s fee-based Magento 2 modules with Rekoobe, a complicated backdoor discovered in June. Rekoobe masquerades as a benign SMTP server and may be activated by covert commands linked to handling the startTLS command from an attacker on the internet. Once activated, Rekoobe offers a reverse shell which allows the threat actor to remotely issue commands to the infected server.
“We have been still investigating the way the attacker accessed our systems and so are not currently sure whether it had been with a server exploit or a credit card applicatoin exploit,” Ben Tideswell, the lead developer at FishPig, wrote within an email. “Are you aware that attack itself, we have been quite used to seeing automated exploits of applications as well as perhaps that is the way the attackers initially gained usage of our bodies. Once inside though, they need to took a manual method of select where and how exactly to place their exploit.”
FishPig is really a seller of Magento-WordPress integrations. Magento can be an open source e-commerce platform useful for developing online marketplaces. The supply-chain attack only affects paid Magento 2 modules.
Tideswell said the final software commit designed to its servers that didn’t are the malicious code was made on August 6, making that the initial possible date the breach likely occurred. Sansec, the security firm that discovered the breach and first reported it, said the intrusion began on or before August 19. Tideswell said FishPig has recently “sent emails to everyone who has downloaded anything from FishPig.co.uk within the last 12 weeks alerting them to what’s happened.”
In a disclosure published following the Sansec advisory went live, FishPig said that the intruders used their usage of inject malicious PHP code right into a Helper/License.php file that’s contained in most FishPig extensions. After launching, Rekoobe removes all malware files from disk and runs solely in memory. For further stealth, it hides as something process that tries to mimic among the following:
The backdoor then waits for commands from the server located at 22.214.171.124. Sansec said it hadn’t detected follow-up abuse from the server yet. The security firm suspects that the threat actors may intend to sell usage of the affected stores in bulk on hacking forums.
Tideswell declined to state just how many active installations of its paid software you can find. This post indicates that the program has received a lot more than 200,000 downloads, however the amount of paid customers is smaller.
In the e-mail, Tideswell added:
The exploit was placed before the code was encrypted. By placing the malicious code here, it will be instantly obfuscated by our systems and hidden from anyone who looked. If any client then enquired concerning the obfuscated file, we’d reassure them that the file was said to be obfuscated and was safe. The file was then undetectable by malware scanners.
It is a custom system that people developed. The attackers couldn’t have researched this online to discover more regarding it. Once inside, they need to have reviewed the code and determined about where you can deploy their attack. They chose well.
It has all been cleaned up now and multiple new defences have already been installed to avoid this from happening again. We have been currently along the way of rebuilding our entire website and code deployment systems anyway and the brand new systems we curently have set up (which aren’t live yet) curently have defenses against attacks such as this.
Both Sansec and FishPig said customers should assume that modules or extensions are infected. FishPig recommends users immediately upgrade all FishPig modules or reinstall them from source to make sure none of the infected code remains. Specific steps include:
Reinstall FishPig Extensions (Keep Versions)
rm -rf vendor/fishpig && composer clear-cache && composer install –no-cache
Upgrade FishPig Extensions
rm -rf vendor/fishpig && composer clear-cache && composer update fishpig/–no-cache
Remove Trojan File
Run the command below and restart your server.
rm -rf /tmp/.varnish7684
Sansec advised customers to temporarily disable any paid FishPig extensions, run a server-side malware scanner to detect any installed malware or unauthorized activity, and restart the server to terminate any unauthorized background processes.
The headline of the post has been changed.