RISKS
What happened
FishPig, a UK-based maker of e-commerce software used by as many as 200,000 websites, announced a security breach on September 13, 2022 stating, “An intrusion to the FishPig.co.uk extension license system was detected, causing a small piece of malicious PHP code to be injected pre-obfuscation into the Helper/License.php file. This file is included in most FishPig extensions, so it is best to assume that all paid FishPig Magento 2 modules have been infected.”
The company is urging its approximately 200,000 customers to immediately re-install or update all existing program extensions, in an abundance of caution, because the injected code installs a second piece of malware, “Rekoobe”, a remote access trojan, alongside the vendor’s software to grant administrator-level access to e-commerce websites, in what appears to be a supply-chain attack.
Sansec, the security firm that first detected the breach, states that, “Rekoobe uses a configuration file called /tmp/.varnish7684. After launching, it removes all malware files and remains in memory. It hides as a system process and mimics one of [12 different] system services. Meanwhile, it waits for commands from the C2 server located at 46.183.217.223.” No follow-up attack has been detected, but it is assumed that access to affected stores would be sold in bulk on hacking forums.
FishPig’s lead developer, Ben Tideswell, wrote in an email, “The exploit was placed right before the code was encrypted. By placing the malicious code here, it would be instantly obfuscated by our systems and hidden from anyone who looked. If any client then enquired about the obfuscated file, we would reassure them that the file was supposed to be obfuscated and was safe. The file was then undetectable by malware scanners.
This is a custom system that we developed. The attackers couldn’t have researched this online to find out about it. Once inside, they must have reviewed the code and made a decision about where to deploy their attack. They chose well.”
It is currently unknown whether the intrusion came through the server or the application, but FishPig has updated multiple defenses in its systems to prevent an attack like this from happening again.
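The Sansec statement above gives three concrete things a store operator can check for on a Magento host: the Rekoobe configuration file /tmp/.varnish7684, outbound connections to the C2 address 46.183.217.223, and the FishPig Helper/License.php file that carried the injected code. The script below is an added example written for this write-up, not FishPig’s or Sansec’s code. It uses only the indicators quoted on this page; the Magento 2 module path app/code/FishPig/<Module>/ and the sample socket lines are constructed assumptions, and the hashes it produces are meant for comparison against a freshly downloaded copy of each module, which is what FishPig asks customers to install anyway.

```python
"""Host check for the Rekoobe indicators quoted from Sansec in the FishPig write-up.
Added example, not FishPig's or Sansec's code. Module layout and sample data are constructed."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List

REKOOBE_CONFIG_FILE = "/tmp/.varnish7684"   # indicator from the Sansec statement
REKOOBE_C2_IP = "46.183.217.223"            # indicator from the Sansec statement
LICENSE_HELPER_SUFFIX = os.path.join("Helper", "License.php")  # file named in the FishPig notice

# An IPv4 "address:port" token as printed by ss/netstat (the indicator is IPv4, so IPv6 is not handled).
_SOCKET = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


@dataclass
class Findings:
    config_file_present: bool
    c2_connections: List[str]
    license_helpers: Dict[str, str]   # path -> sha256, to compare with a clean copy of the module

    def is_clean(self) -> bool:
        # The licence-helper hashes are evidence for manual comparison, not a verdict on their own.
        return not self.config_file_present and not self.c2_connections


def check_config_file(path: str = REKOOBE_CONFIG_FILE) -> bool:
    """Rekoobe deletes its own files but keeps this config file, so its presence is a durable indicator."""
    return os.path.exists(path)


def find_c2_connections(lines: Iterable[str], c2_ip: str = REKOOBE_C2_IP) -> List[str]:
    """Return lines of `ss -tn` or `netstat -tn` output whose remote endpoint is the C2 address.
    Both tools print the local socket before the remote one, so the last ip:port token is the peer."""
    hits = []
    for line in lines:
        sockets = [m for m in (_SOCKET.match(tok) for tok in line.split()) if m]
        if sockets and sockets[-1].group(1) == c2_ip:
            hits.append(line.strip())
    return hits


def locate_license_helpers(magento_root: str) -> Dict[str, str]:
    """Walk the install and hash every FishPig Helper/License.php, the file FishPig says was backdoored.
    Assumes modules live under a directory containing 'FishPig' (e.g. app/code/FishPig/<Module>/)."""
    hashes: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(magento_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if full.endswith(LICENSE_HELPER_SUFFIX) and "fishpig" in full.lower():
                with open(full, "rb") as fh:
                    hashes[full] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def analyze(magento_root: str, socket_lines: Iterable[str],
            config_path: str = REKOOBE_CONFIG_FILE) -> Findings:
    """Run all three checks and collect the results."""
    return Findings(check_config_file(config_path),
                    find_c2_connections(socket_lines),
                    locate_license_helpers(magento_root))


# --- constructed sample data so the script runs offline -------------------------------
SAMPLE_SS_OUTPUT = [   # constructed, in `ss -tn` column order: State Recv-Q Send-Q Local Peer
    "ESTAB 0 0 10.0.0.5:44310 203.0.113.9:443",
    "ESTAB 0 0 10.0.0.5:51892 46.183.217.223:443",
    "TIME-WAIT 0 0 127.0.0.1:3306 127.0.0.1:58120",
]


def make_sample_install() -> str:
    """Create a throwaway directory shaped like a Magento 2 install with one FishPig module (constructed)."""
    root = tempfile.mkdtemp(prefix="magento-sample-")
    helper_dir = os.path.join(root, "app", "code", "FishPig", "SampleModule", "Helper")
    os.makedirs(helper_dir)
    with open(os.path.join(helper_dir, "License.php"), "w") as fh:
        fh.write("<?php\n// placeholder standing in for the real licence helper\n")
    return root


if __name__ == "__main__":
    # On a real host, pass the Magento root and the output of `ss -tn` instead of the samples.
    root = make_sample_install()
    result = analyze(root, SAMPLE_SS_OUTPUT)
    print("config file present:", result.config_file_present)
    print("C2 connections:", result.c2_connections)
    for path, digest in result.license_helpers.items():
        print(f"{digest}  {path}")
    print("clean:", result.is_clean())
```

Because Rekoobe removes its files after launch and disguises its process name, a process listing or a scan of the web root alone can miss it; the configuration file in /tmp and the live connection to the C2 address are the indicators that survive, which is why the check leans on those two rather than on process names.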
Why is this important?
Vulnerabilities and breaches can reach your systems through no fault of your own – via the software you deploy. It is important to stay informed about security breaches that affect your software applications and to apply patches promptly, so that you are not caught by the attacks that follow them.
What does this mean to me?
Malicious actors are exploiting gaps in digital defenses to compromise key functions and disrupt the software supply chain. Gartner predicts that 45% of organizations worldwide will have experienced attacks on their software supply chains by 2025. Consider implementing a robust cyber supply chain risk management (SCRM) program that covers both existing applications and emerging IT. These security measures can help minimize disruption and enhance overall security.
APPROACHES
Helpful Controls
- Supply Chain Risk Management (SCRM)
- Managed Detection and Response (MDR)
- Threat-Based Security Architecture Risk Analysis
- Application Architecture Security Review
Commonality of attack
High
Article on Story
Breach of software maker used to backdoor ecommerce servers