Breach of software maker used to backdoor as many as 200,000 servers

By | September 13, 2022

FishPig, a UK-based maker of e-commerce software used by as many as 200,000 websites, is urging customers to reinstall or update all existing program extensions after discovering a security breach of its distribution server that allowed criminals to surreptitiously backdoor customer systems.

The unknown threat actors used their control of FishPig’s systems to carry out a supply chain attack that infected customer systems with Rekoobe, a sophisticated backdoor discovered in June. Rekoobe masquerades as a benign SMTP server and is activated by covert commands that an attacker sends over the Internet disguised as STARTTLS handling. Once activated, Rekoobe provides a reverse shell that lets the threat actor remotely issue commands to the infected server.

“We are still investigating how the attacker accessed our systems and are not currently sure whether it was via a server exploit or an application exploit,” Ben Tideswell, the lead developer at FishPig, wrote in an email. “As for the attack itself, we are quite used to seeing automated exploits of applications and perhaps that is how the attackers initially gained access to our system. Once inside though, they must have taken a manual approach to select where and how to place their exploit.”

FishPig is a seller of Magento-WordPress integrations. Magento is an open source e-commerce platform used for developing online marketplaces.

Tideswell said the last commit to its servers that did not include the malicious code was made on August 6, so the breach cannot have begun earlier than that date. Sansec, the security firm that discovered the breach and first reported it, said the intrusion began on or before August 19. Tideswell said FishPig has already “sent emails to everyone who has downloaded anything from FishPig.co.uk in the last 12 weeks alerting them to what’s happened.”

In a disclosure published after the Sansec advisory went live, FishPig said that the intruders used their access to inject malicious PHP code into a Helper/License.php file that’s included in most FishPig extensions. After launching, Rekoobe removes all malware files from disk and runs solely in memory. For further stealth, it hides as a system process that tries to mimic one of the following:

/usr/sbin/cron -f
/sbin/udevd -d
crond
auditd
/usr/sbin/rsyslogd
/usr/sbin/atd
/usr/sbin/acpid
dbus-daemon --system
/sbin/init
/usr/sbin/chronyd
/usr/libexec/postfix/master
/usr/lib/packagekit/packagekitd

The backdoor then waits for commands from a server located at 46.183.217.2. Sansec said it hadn’t detected follow-up abuse from the server yet. The security firm suspects that the threat actors may plan to sell access to the affected stores in bulk on hacking forums.

Tideswell declined to say how many active installations of its software there are. This post indicates that the software has received more than 200,000 downloads.

In the email, Tideswell added:

The exploit was placed right before the code was encrypted. By placing the malicious code here, it would be instantly obfuscated by our systems and hidden from anyone who looked. If any client then enquired about the obfuscated file, we would reassure them that the file was supposed to be obfuscated and was safe. The file was then undetectable by malware scanners.

This is a custom system that we developed. The attackers couldn’t have researched this online to find out about it. Once inside, they must have reviewed the code and made a decision about where to deploy their attack. They chose well.

This has all been cleaned up now and multiple new defences have been installed to stop this from happening again. We are currently in the process of rebuilding our entire website and code deployment systems anyway and the new systems we already have in place (which aren’t live yet) already have defenses against attacks like this.

Both Sansec and FishPig said customers should assume that all modules or extensions are infected. FishPig recommends users immediately upgrade all FishPig modules or reinstall them from source to ensure none of the infected code remains. Specific steps include:

Reinstall FishPig Extensions (Keep Versions)

rm -rf vendor/fishpig && composer clear-cache && composer install --no-cache

Upgrade FishPig Extensions

rm -rf vendor/fishpig && composer clear-cache && composer update fishpig/* --no-cache

Remove Trojan File

Run the command below and then restart your server.

rm -rf /tmp/.varnish7684

Sansec advised customers to temporarily disable any paid FishPig extensions, run a server-side malware scanner to detect any installed malware or unauthorized activity, and then restart the server to terminate any unauthorized background processes.
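The indicators above (the list of mimicked process names, the /tmp/.varnish7684 stage, the 46.183.217.2 command-and-control address) and Sansec's advice to hunt for unauthorized background processes lend themselves to a quick host triage before reinstalling the extensions. The script below is an added example written for this page, not FishPig's or Sansec's tooling. It assumes a Linux host with procfs and iproute2's `ss`, and the detection heuristic for the in-memory backdoor is an assumption of mine: a genuine cron, auditd or dbus-daemon was exec'd from a system directory, so its /proc/<pid>/exe link resolves there, whereas a process that merely wears one of those names after deleting its own file shows an exe target ending in "(deleted)" or pointing at a temp path. The page does not describe how Rekoobe spoofs its name, so the script accepts both a NUL-separated argv and a single spoofed argv[0] string such as "/usr/sbin/cron -f".

```shell
#!/bin/sh
# Rekoobe indicator hunt for hosts that pulled FishPig extensions during the
# breach window. Added example, not FishPig's or Sansec's tooling. Every check
# takes its input as a parameter or on stdin so it can be exercised against a
# constructed /proc-like tree and captured `ss` output; on a live host run it
# as root (reading /proc/<pid>/exe of other users' processes needs root).

REKOOBE_C2="46.183.217.2"            # C2 address from the Sansec report
REKOOBE_DROPPER="/tmp/.varnish7684"  # on-disk stage named in FishPig's advisory

# Process names Rekoobe mimics (the advisory's list reduced to basenames).
MIMICKED_NAMES='cron|udevd|crond|auditd|rsyslogd|atd|acpid|dbus-daemon|init|chronyd|master|packagekitd'

# dropper_present [PATH]: exit 0 if the dropper file still exists on disk.
dropper_present() {
    [ -e "${1:-$REKOOBE_DROPPER}" ]
}

# find_masquerading_procs PROCROOT
# Heuristic (assumption, see lead-in): a process that wears a mimicked name
# but whose exe link is "(deleted)", unreadable, or outside the system
# directories was not started from the legitimate binary.
# Prints "<pid> <argv0> <exe target>" per hit; prints nothing when clean.
find_masquerading_procs() {
    procroot="$1"
    for d in "$procroot"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        pid=$(basename "$d")
        # argv[0] is the first NUL-separated field; a spoofed name may carry
        # its arguments inside that single field ("/usr/sbin/cron -f").
        argv0=$(tr '\000' '\n' < "$d/cmdline" | head -n 1)
        name=$(basename "${argv0%% *}")
        echo "$name" | grep -Eq "^($MIMICKED_NAMES)$" || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || exe="(unreadable)"
        case "$exe" in
            *"(deleted)")                echo "$pid $argv0 $exe" ;;  # file removed after exec
            /usr/*|/sbin/*|/bin/*|/lib*) ;;                          # system path: fine
            *)                           echo "$pid $argv0 $exe" ;;  # temp path or unreadable
        esac
    done
}

# find_c2_connections: reads `ss -ntp` output on stdin, prints the lines whose
# peer is the C2 address, and returns 1 when there are none.
find_c2_connections() {
    grep -E "(^|[[:space:]])$(echo "$REKOOBE_C2" | sed 's/\./\\./g'):[0-9]+"
}

# hunt PROCROOT  (pipe `ss -ntp` output in). Returns 1 if anything was found,
# so it can gate an automated reinstall/restart.
hunt() {
    found=0
    if dropper_present; then
        echo "dropper still on disk: $REKOOBE_DROPPER"; found=1
    fi
    masq=$(find_masquerading_procs "$1")
    if [ -n "$masq" ]; then
        printf 'processes with a system name but no matching on-disk binary:\n%s\n' "$masq"; found=1
    fi
    if c2=$(find_c2_connections); then
        printf 'connections to Rekoobe C2:\n%s\n' "$c2"; found=1
    fi
    return $found
}

# Live run, as root:  ss -ntp | sh rekoobe-hunt.sh --live
if [ "${1:-}" = "--live" ]; then
    hunt /proc
fi
```

A process whose exe reads "(deleted)" is not proof of compromise on its own: a daemon that kept running across a package upgrade shows the same thing. Treat hits as a prompt to compare the deleted path against the package manager's records and to restart the service, which is the same restart Sansec recommends. A clean run is also not proof of a clean host, because the C2 check only sees connections that are open at that moment; the reinstall of every FishPig module above is still required.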
