Breach of software maker used to hijack up to 200,000 servers

[Image: a cartoon man walks through a white field of ones and zeros. Getty Images]

FishPig, a UK maker of e-commerce software used by as many as 200,000 websites, is urging customers to reinstall or update all existing program extensions after discovering a security breach of its distribution server that allowed criminals to surreptitiously access customer systems.

Unknown hackers used their control of FishPig's systems to carry out a supply chain attack that infected customer systems with Rekoobe, a sophisticated backdoor discovered in June. Rekoobe masquerades as a benign SMTP server and is activated by covert commands tied to its handling of an attacker's startTLS command sent over the Internet. Once activated, Rekoobe provides a reverse shell that allows the threat actor to remotely send commands to the infected server.

"We are still investigating how the attacker gained access to our systems and do not currently know if this was a server exploit or an application exploit," wrote Ben Tideswell, the lead developer of FishPig, in an email. "As for the attack itself, we're quite used to seeing automated application exploits and this may be how attackers initially gained access to our system. Once inside, they had to take a manual approach to selecting where and how to place their exploit."

FishPig is a vendor of Magento-WordPress integrations. Magento is an open source e-commerce platform used to develop online marketplaces.

Tideswell said the last software validation performed on its servers that did not include the malicious code was performed on August 6, making that the earliest possible date the breach could have occurred. Sansec, the security firm that discovered the compromise and first reported it, said the intrusion began on or before August 19.

In a disclosure published after the Sansec advisory went live, FishPig said the intruders used their access to inject malicious PHP code into a Helper/License.php file included in most FishPig extensions. After launch, Rekoobe removes all malicious files from disk and runs only in memory. For stealth, it hides as a system process, presenting itself under one of the following names:

/usr/sbin/cron -f
/sbin/udevd -d
crond
auditd
/usr/sbin/rsyslogd
/usr/sbin/atd
/usr/sbin/acpid
dbus-daemon --system
/sbin/init
/usr/sbin/chronyd
/usr/libexec/postfix/master
/usr/lib/packagekit/packagekitd

The backdoor then waits for commands from a server located at 46.183.217.2. Sansec said it has yet to detect any follow-up abuse from that server. The security firm suspects that the threat actors plan to mass-sell access to affected stores on hacking forums.
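As an added defender-side illustration (not code from FishPig, Sansec or the article), the following script checks a Linux host for processes whose command line exactly matches one of the masquerade names listed above but whose backing executable is unlinked from disk (a file-less process, as the article describes) or does not match the path the name claims. The name list comes from the article; the /proc inspection logic and the function names are assumptions of this example.

```python
"""Flag processes whose cmdline impersonates a system daemon name used by
Rekoobe while the real executable does not back that claim (added example)."""
import os
from pathlib import Path
from typing import List, Optional, Tuple

# Process names quoted in the article, exactly as the malware presents them.
IMPERSONATED = [
    "/usr/sbin/cron -f", "/sbin/udevd -d", "crond", "auditd",
    "/usr/sbin/rsyslogd", "/usr/sbin/atd", "/usr/sbin/acpid",
    "dbus-daemon --system", "/sbin/init", "/usr/sbin/chronyd",
    "/usr/libexec/postfix/master", "/usr/lib/packagekit/packagekitd",
]


def is_suspicious(cmdline: str, exe_path: str) -> Optional[str]:
    """Return a reason if (cmdline, exe) looks like impersonation, else None.
    cmdline is the space-joined argv; exe_path is the /proc/<pid>/exe target."""
    cmdline = cmdline.strip()
    if cmdline not in IMPERSONATED:
        return None  # not one of the masquerade names; nothing to judge here
    # A process whose binary was deleted after launch (runs only in memory)
    # shows an exe link ending in " (deleted)".
    if not exe_path or exe_path.endswith(" (deleted)"):
        return "claims %r but its executable is unlinked from disk" % cmdline
    claimed = cmdline.split()[0]
    if claimed.startswith("/"):
        # Absolute argv[0]: the real binary must resolve to the same file.
        if os.path.realpath(exe_path) != os.path.realpath(claimed):
            return "claims %r but runs from %s" % (cmdline, exe_path)
    elif os.path.basename(exe_path) != claimed:
        # Bare name (crond, auditd): the binary's basename must match.
        return "claims %r but runs from %s" % (cmdline, exe_path)
    return None


def scan_proc(proc: str = "/proc") -> List[Tuple[int, str]]:
    """Walk /proc (run as root for full coverage) and return (pid, reason)."""
    hits = []
    for entry in Path(proc).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            argv = (entry / "cmdline").read_bytes().split(b"\0")
            cmdline = " ".join(a.decode(errors="replace") for a in argv if a)
            exe = os.readlink(entry / "exe")
        except OSError:
            continue  # process exited, or not readable without privilege
        reason = is_suspicious(cmdline, exe)
        if reason:
            hits.append((int(entry.name), reason))
    return hits


if __name__ == "__main__":
    for pid, why in scan_proc():
        print(f"PID {pid}: {why}")
```

A match here is a lead, not proof: confirm with the process's open sockets and memory maps before acting, since legitimate daemons can also be replaced on disk during a package upgrade.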

Tideswell declined to say how many active installations of its software there are. The company's website states that the software has received more than 200,000 downloads.

In the email, Tideswell added:

The exploit was placed just before the code was encrypted. By placing malicious code here, it would be instantly obfuscated by our systems and hidden from anyone looking at it. If a customer then inquired about the obfuscated file, we would reassure them that the file was meant to be obfuscated and was safe. The file was then undetectable by malware scanners.

This is a custom system that we developed. The attackers could not have searched online for more. Once inside, they should have reviewed the code and made a decision on where to deploy their attack. They chose well.

Everything has been cleaned up now and several new defenses have been installed to prevent this from happening again. Either way, we are currently rebuilding our entire website and code deployment systems, and the new systems we already have in place (which are not yet operational) already have defenses against attacks of this type.

Sansec and FishPig said customers should assume...
