Fishpig, a UK-based maker of e-commerce software used by around 200,000 websites, is urging customers to reinstall or update all of the following existing program extensions. when discovering a security vulnerability of a distributed server that allows criminals to stealthily install a customer’s system.
Unknown threat actors used their control of FishPig’s systems to carry out a supply chain attack that infected customers’ systems Rekoobe, a complex backdoor discovered in June. Rekoobe masquerades as a benign SMTP server and can be activated with secret commands that involve processing the startTLS command from an attacker over the Internet. Once activated, Rekoobe provides a reverse shell that allows the threat agent to issue commands remotely to the infected host.
Ben Tideswell, lead developer at FishPig, wrote in an email: “We are still investigating how attackers got into our systems and are currently unsure whether it is through a server exploit or an exploit. application”. “As for the attack itself, we’re pretty used to automated exploits of applications, and that’s probably how the attackers initially gained access to our systems. However, Once inside, they have to take a manual approach to choosing where and how to place the exploit.”
FishPig is a Magento-WordPress integration seller. Magento is an open source e-commerce platform used to develop online marketplaces.
Tideswell said the last software commit made to servers that did not contain malicious code was made on August 6, which is the earliest possible date for the breach. Sansec, the security company that discovered the breach and first reported itsays the intrusion began on or before August 19. Tideswell said FishPig has “emailed everyone who has downloaded anything from FishPig.co.uk in the past 12 weeks to warn them about it.” what happened.”
In one disclosure published after Sansec’s advice went live, FishPig said that the intruders used their access to inject malicious PHP code into the Helper/License.php file found in most extensions. by FishPig. Once launched, Rekoobe removes all malware files from disk and runs only in memory. For added stealth, it hides as a system process that tries to mimic one of the following:
dbus-daemon – system
After that, the backdoor will wait for the command from the server located at 46,183.217.2. Sansec said it has not detected further abuse from the server. The security company suspects that the threat actors may be planning to mass sell access to affected stores on hacking forums.
Tideswell declined to say how many software installations are active. This lesson says the software has received more than 200,000 downloads.
In the email, Tideswell added:
The exploit was placed just before the code was encrypted. By placing malicious code here, it will be immediately obfuscated by our system and hidden from anyone to see. If any customer subsequently inquires about the obfuscated file, we will assure them that the file is said to be scrambled and safe. Then the malware scanner could not detect the file.
This is a custom system that we have developed. Attackers can’t research this online to learn about it. Once inside, they had to review the code and make a decision about where to deploy their attack. They chose well.
All of this has now been cleaned up and many new defenses have been installed to prevent this from happening again. We are currently in the process of rebuilding our entire website and code deployment system, and the new systems we have in place (not yet live) are already defensive against attacks. like this.
Both Sansec and FishPig said customers should assume all modules or extensions are infected with viruses. FishPig recommends that users immediately upgrade all FishPig modules or reinstall them from source to ensure no infected code remains. Specific steps include:
Reinstall FishPig extension (Keep Version)
rm -rf vendor /fishpig && composer clear-cache && composer install –no-cache
FishPig . extension upgrade
vendor rm -rf / fishpig && composer clear-cache && composer update fishpig / * –no-cache
Delete Trojan file
Run the command below and then restart your server.
rm -rf /tmp/.varnish7684
Sansec advises customers to temporarily disable any paid Fishpig extensions, run a server-side malware scanner to detect any malicious software installed or operating illegally, and then restart the server to terminate any unauthorized background processes.