FishPig supply chain attack creates backdoor in WordPress site • The Register



It’s only been a week or so, but there are at least three critical holes in WordPress plugins and tools that are currently being exploited to compromise many websites.

Start with FishPig, a UK-based software maker that integrates Adobe’s Magento e-commerce suite into WordPress-powered websites. FishPig’s distribution system was compromised and its product modified, so that the code semi-automatically downloaded, installed and executed the Rekoobe Linux trojan.

Infosec outfit Sansec issued a warning earlier this week that FishPig’s software was behaving strangely. When a Magento staff user logged in and accessed the deployment’s control panel, the code automatically fetched a Linux binary from FishPig’s backend system and executed it, leaving Rekoobe running on the server. This opens a backdoor allowing a malicious party to remotely control the box.

Fraudsters can then snoop on customers and modify or steal data.

According to FishPig’s disclosure, the company’s product was modified on August 6th to remove the offending code. The paid version is said to have been mainly affected. The free version of the FishPig module available on GitHub was probably clean.

If you are using FishPig commercial software, you should reinstall the tool and check for signs of compromise.

According to FishPig, “It’s best to assume that all paid FishPig Magento 2 modules are infected.” In total, the company’s free Magento package has been downloaded more than 200,000 times, according to Sansec, although the exact number of customers caught in the supply chain attack is unknown. While this indicates interest in FishPig’s tools, it does not necessarily mean that there will be an equal number of paying users.

We don’t know exactly how the attackers got into FishPig’s backend servers, but the results were clear. Code was added to the License.php file on FishPig’s system so that it was fetched and executed whenever the product was used. This PHP file was modified to download and execute a malicious binary also hosted on FishPig’s platform. In other words, when a staff user accesses the control panel of a FishPig deployment, the remotely hosted, modified License.php is fetched and executed, and Rekoobe automatically runs on that user’s web server.

License.php is typically checked to ensure the deployment is properly paid for and licensed. Therefore, it is referenced regularly.

Once Rekoobe infects a host, it deletes its files and hides itself in memory as a process waiting for commands from a single IP address geographically located in Latvia. Sansec said it expects the mastermind behind this attack to sell access to servers compromised by this supply chain attack.

Rekoobe has been around the internet in various forms since its discovery in 2015. According to Intezer’s analysis, the Rekoobe variant used in this attack appears to have been created before 2018.

According to Intezer, newer versions of Rekoobe use hardcoded C2 server addresses and attempt to rename their own process, as is the case with this FishPig instance.
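A host-side check for the two traits described above, an executable unlinked from disk while the process stays resident and a process name that no longer matches its command line, as an added example that is not code from the article, Sansec, Intezer or FishPig. It assumes a Linux host with `/proc` mounted, needs root to read other users’ `exe` links, and the name-mismatch heuristic is a triage hint that will flag some benign processes.

```python
"""Flag running processes whose on-disk executable has been unlinked and
whose visible name looks renamed. Added illustration; hypothetical helper
names, not part of any vendor tooling."""
import os
from dataclasses import dataclass


@dataclass
class ProcInfo:
    pid: int
    exe: str        # target of /proc/<pid>/exe; ends in " (deleted)" once unlinked
    comm: str       # /proc/<pid>/comm, the kernel's (15-char) view of the name
    cmdline: list   # /proc/<pid>/cmdline split on NUL


def suspicious_reasons(p: ProcInfo) -> list:
    """Return human-readable reasons this process deserves a closer look."""
    reasons = []
    if p.exe.endswith(" (deleted)"):
        reasons.append("executable unlinked from disk")
    if p.cmdline:
        # A process that rewrote argv[0] to masquerade shows up as a mismatch
        # against comm. Login shells ("-bash") and some daemons will also
        # trip this, so treat it as a hint, not a verdict.
        argv0 = os.path.basename(p.cmdline[0]).lstrip("-")
        if argv0[:15] != p.comm[:15]:
            reasons.append(f"argv[0] {argv0!r} != comm {p.comm!r}")
    if p.exe.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
        reasons.append("running from a world-writable location")
    return reasons


def read_proc(proc_root: str = "/proc"):
    """Yield ProcInfo for every process under proc_root that we may read."""
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # no permission, kernel thread, or the process already exited
        yield ProcInfo(int(name), exe, comm, cmdline)


def scan(proc_root: str = "/proc") -> dict:
    """Map pid -> reasons for every process with at least one finding."""
    findings = {}
    for p in read_proc(proc_root):
        reasons = suspicious_reasons(p)
        if reasons:
            findings[p.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(scan().items()):
        print(pid, "; ".join(reasons))
```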

Ecommerce businesses running FishPig plugins or integrations (free or paid) should follow the detection and mitigation measures prescribed by the company. FishPig also said that affected customers can take advantage of “a free cleanup service for those who are concerned that this is affecting their site and need help resolving it.”

But wait, there’s more

In addition to this, Wordfence reported this month that a WordPress plugin called BackupBuddy, which has an estimated 140,000 installations, is under active attack. This software has a vulnerability fixed in version 8.7.5 that can be exploited to download files containing sensitive information from vulnerable installations.

Wordfence also revealed this week that a zero-day security hole in a plugin called WPGateway is being exploited to add malicious administrator accounts to vulnerable websites. A patch for that does not appear to be available yet. ®
