FishPig, a UK maker of e-commerce software used by as many as 200,000 websites, is urging customers to reinstall or update all existing program extensions after discovering a security flaw in its distribution server that has allowed criminals to surreptitiously hijack client systems.
Unknown threat actors used their control of FishPig’s systems to carry out a supply chain attack that infected customer systems with Rekoobe, a sophisticated backdoor discovered in June. Rekoobe masquerades as a benign SMTP server and can be activated by covert commands related to handling a startTLS command sent by an attacker over the Internet. Once activated, Rekoobe provides a reverse shell that allows the threat actor to remotely send commands to the infected server.
“We are still investigating how the attacker gained access to our systems and do not currently know if this was a server exploit or an application exploit,” wrote developer Ben Tideswell, principal of FishPig, in an email. “As for the attack itself, we’re quite used to seeing automated application exploits and this may be how attackers initially gained access to our system. Once inside, they had to take a manual approach to selecting where and how to place their exploit.”
FishPig is a Magento-WordPress integration vendor. Magento is an open source e-commerce platform used to develop online marketplaces.
Tideswell said the last software validation performed on its servers that did not include the malicious code was performed on August 6, making it the earliest possible date the breach likely occurred. Sansec, the security company that discovered the breach and first reported it, said the intrusion began on or before August 19. Tideswell said FishPig had already “sent emails to everyone who had downloaded anything from FishPig.co.uk in the last 12 weeks alerting them to what had happened”.
In a disclosure published after the Sansec notice went live, FishPig said the intruders used their access to inject malicious PHP code into a Helper/License.php file included in most FishPig extensions. After launch, Rekoobe removes all malicious files from disk and runs only in memory. For stealth, it hides as a system process that attempts to impersonate one of the following:
The backdoor then waits for commands from a server located at 22.214.171.124. Sansec said it has yet to detect any tracking abuse from the server. The security firm suspects that threat actors plan to mass-sell access to affected stores on hacking forums.
Tideswell declined to say how many active installations of its software there are. This post indicates that the software has received more than 200,000 downloads.
In the email, Tideswell added:
The exploit was placed just before the code was encrypted. By placing malicious code here, it would be instantly obfuscated by our systems and hidden from anyone looking at it. If a customer then inquired about the obfuscated file, we would reassure them that the file was meant to be obfuscated and was safe. The file was then undetectable by malware scanners.
This is a custom system that we developed. The attackers could not have searched online for more. Once inside, they should have reviewed the code and made a decision on where to deploy their attack. They chose well.
This has all been cleaned up now and several new defenses have been installed to prevent this from happening again. Either way, we are currently rebuilding our entire website and code deployment systems, and the new systems we already have in place (which are not yet operational) already have defenses against attacks of this type.
Sansec and FishPig said customers should assume that all modules or extensions are infected. FishPig recommends that users immediately upgrade all FishPig modules or reinstall them from source to ensure that no infected code remains. Specific steps include:
Reinstall FishPig extensions (keep versions)
rm -rf vendor/fishpig && composer clear-cache && composer install --no-cache
Upgrade FishPig Extensions
rm -rf vendor/fishpig && composer clear-cache && composer update "fishpig/*" --no-cache
Remove Trojan File
Run the command below and then restart your server.
rm -rf /tmp/.varnish7684
Sansec advised customers to temporarily disable all paid FishPig extensions, run a server-side malware scanner to detect any installed malware or unauthorized activity, then restart the server to terminate any unauthorized background processes.
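Because the backdoor deletes its files and keeps running only in memory, a file scan alone can miss a live infection until the server is restarted. The following triage script is an added example, not FishPig's or Sansec's tooling: it checks for the dropped file named above, lists processes whose binary has been removed from disk, and lists the Helper/License.php files to review. It assumes a Linux /proc filesystem and Composer's default vendor/ directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added triage sketch; not FishPig's or Sansec's tooling.
# DROP_FILE is the path from the removal step on this page; override for testing.
DROP_FILE="${DROP_FILE:-/tmp/.varnish7684}"

# Print every Helper/License.php under <root>/vendor/fishpig for manual review
# or comparison against a freshly downloaded copy. $1 = project root.
list_license_helpers() {
  find "$1/vendor/fishpig" -type f -path '*/Helper/License.php' 2>/dev/null | sort
}

# Succeeds when a /proc/<pid>/exe link target names a binary that has been
# unlinked from disk (the kernel appends " (deleted)"). $1 = link target.
exe_is_deleted() {
  case "$1" in
    *" (deleted)") return 0 ;;
    *) return 1 ;;
  esac
}

# Print "<pid> <target>" for each process still running from a deleted binary.
# Package upgrades also cause this, so each hit needs review, not automatic
# killing. $1 = proc root (default /proc; a fake tree can be passed for tests).
deleted_exe_pids() {
  for pdir in "${1:-/proc}"/[0-9]*; do
    target=$(readlink "$pdir/exe" 2>/dev/null) || continue
    if exe_is_deleted "$target"; then
      echo "${pdir##*/} $target"
    fi
  done
}

# Run all three checks; returns 1 if the dropped file or a deleted-binary
# process was found, 0 otherwise. $1 = project root, $2 = proc root.
triage() {
  hits=0
  if [ -e "$DROP_FILE" ]; then
    echo "dropped file present: $DROP_FILE"; hits=1
  fi
  procs=$(deleted_exe_pids "${2:-/proc}")
  if [ -n "$procs" ]; then
    echo "processes running from deleted binaries:"; echo "$procs"; hits=1
  fi
  echo "License.php helpers to review:"; list_license_helpers "$1"
  return "$hits"
}

# Only run when a project root is given on the command line.
if [ "$#" -gt 0 ]; then triage "$1"; fi
```

Run it as root with the Magento project root as the only argument so that every process's exe link is readable; a clean result before a restart does not replace the reinstall and restart steps above.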