WordPress site backdoored after FishPig supply chain attack
The Register

It has only been a week or so, and already at least three critical vulnerabilities in WordPress plugins and tools are being widely exploited to compromise a large number of websites.

We’ll start with FishPig, a UK-based software maker that integrates Adobe’s Magento e-commerce suite into a WordPress-powered website. FishPig’s distribution system was compromised and its product was altered so that the installation of the code semi-automatically downloaded and ran the Rekoobe Linux Trojan.

Infosec company Sansec raised an alert this week about FishPig’s software behaving strangely: when a logged-in Magento employee user accesses the deployment’s control panel, the code automatically fetches and runs a Linux binary from FishPig’s backend system, which turns out to be Rekoobe. This opens a back door that lets criminals control the box remotely.

After that, crooks can spy on customers, alter or steal data, and more.

According to FishPig’s disclosure, its product was tampered with as early as August 6; the offending code has since been removed. We’re told the paid version is the one mainly affected. The free version of the FishPig module available on GitHub is believed to be clean.

If you are using FishPig’s commercial software, you should reinstall these tools and check for signs of intrusion.

According to FishPig, “it’s best to assume that all paid FishPig Magento 2 modules have been infected.” While Sansec says the company’s free Magento packages have been downloaded more than 200,000 times in total, it’s unclear how many customers were affected. That figure doesn’t necessarily translate into a comparable number of paying users, but it gives an idea of the interest in FishPig’s tools.

While it’s unclear how the attackers compromised FishPig’s backend servers, the result was clear: code was added to the License.php file on FishPig systems, which its products fetch and execute while in use. The PHP file was altered to download and execute malicious binaries also hosted on the FishPig platform. So an employee user opening their FishPig deployment’s control panel causes the altered, remotely hosted License.php to be fetched and run, which in turn runs Rekoobe on the user’s web server.

License.php is routinely consulted to confirm that a deployment is properly paid for and licensed, so it is fetched frequently.
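The defensive lesson in the License.php story is that a vendor file fetched at runtime and executed is only as trustworthy as the vendor’s infrastructure. The following is an added example, not FishPig’s or Sansec’s code: it pins a module tree to a SHA-256 manifest taken from a known-clean copy and reports any file that was changed, added or removed, then lists fetch-and-execute primitives found in PHP files that no longer match the manifest. The file names, the manifest layout and the tampered snippet are all constructed for the demonstration.

```python
"""Integrity audit of a vendor PHP module tree against a pinned manifest.

Added example (not vendor code). The manifest is a plain dict mapping a
relative path to the SHA-256 of the file as it shipped in a known-clean
release; in practice you would generate it once and store it read-only.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# PHP primitives that together let a file fetch remote content and run it.
# Presence alone is not proof of compromise; the audit only reports them in
# files whose hash no longer matches the pinned manifest.
SUSPICIOUS = re.compile(
    r"\b(file_get_contents|curl_exec|exec|shell_exec|system|passthru|proc_open|popen)\s*\("
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large vendor bundles are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Snapshot every regular file under root as {relative_path: sha256}."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def audit_module(root: Path, manifest: dict) -> dict:
    """Compare the tree on disk with the pinned manifest."""
    findings = {"modified": [], "added": [], "missing": [], "risky_calls": []}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            findings["missing"].append(rel)
        elif current[rel] != digest:
            findings["modified"].append(rel)
    for rel in current:
        if rel not in manifest:
            findings["added"].append(rel)
    # Only unexpected PHP content gets the primitive scan, to keep noise down.
    for rel in findings["modified"] + findings["added"]:
        if rel.endswith(".php"):
            text = (root / rel).read_text(errors="replace")
            calls = sorted({m.group(1) for m in SUSPICIOUS.finditer(text)})
            if calls:
                findings["risky_calls"].append(f"{rel}: {', '.join(calls)}")
    return findings


def demo() -> dict:
    """Constructed scenario: pin a clean tree, then tamper with License.php."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "License.php").write_text(
            "<?php\nfunction checkLicense($key) { return strlen($key) === 32; }\n"
        )
        (root / "Helper.php").write_text("<?php\nfunction helper() { return 1; }\n")
        pinned = build_manifest(root)  # snapshot of the clean release
        # Simulated tampering (constructed): a fetch-and-run block is appended
        # to the license check, and an unexpected file appears in the tree.
        with (root / "License.php").open("a") as handle:
            handle.write(
                "$bin = file_get_contents($remote); "
                "file_put_contents($path, $bin); exec($path);\n"
            )
        (root / "Extra.php").write_text("<?php\n// unexpected new file\n")
        return audit_module(root, pinned)


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

Run against a live deployment, you would replace `demo()` with a call to `audit_module()` on the installed module directory and a manifest generated from a copy you trust, and schedule it alongside the other file-integrity checks on the web server.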

Once Rekoobe infects a host, it deletes its files and hides in memory as a process, waiting for commands from a single IP address located in Latvia. Sansec said it expected the planners of the operation to sell access to servers compromised through the supply chain attack.

Since Rekoobe was discovered in 2015, it has been circulating on the Internet in various forms. According to Intezer’s analysis, the Rekoobe variant used in this attack appears to have been written before 2018.

According to Intezer, newer versions of Rekoobe carry hardcoded C2 server addresses and try to rename their own processes, as is the case in this FishPig instance.
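Two behaviours described above, deleting the binary after launch and renaming the running process, both leave traces in Linux’s `/proc` that a responder can check without any malware signature. The following is an added example, not Intezer’s or Sansec’s tooling: it flags processes whose `/proc/<pid>/exe` link points at a deleted file and processes whose `comm` name does not match the executable they were started from. The process records in `demo()` are constructed; `collect_from_proc()` reads the live process table when run on a Linux host.

```python
"""Hunt for processes running from deleted binaries or under renamed names.

Added example, not vendor or researcher code. The heuristics are based on
two facts about Linux: /proc/<pid>/exe is a symlink whose target gains the
suffix " (deleted)" once the file is unlinked, and /proc/<pid>/comm holds
the 15-character process name that `ps` shows, which defaults to the
executable's basename unless the process renames itself.
"""
import os
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable

COMM_MAX = 15  # TASK_COMM_LEN is 16 bytes including the NUL terminator


@dataclass
class ProcInfo:
    pid: int
    comm: str        # contents of /proc/<pid>/comm
    exe_target: str  # readlink of /proc/<pid>/exe, "" when unreadable


def suspicious(proc: ProcInfo) -> list:
    """Return the reasons a process looks odd, or an empty list."""
    reasons = []
    if not proc.exe_target:
        return reasons  # kernel threads and inaccessible processes: nothing to judge
    deleted = proc.exe_target.endswith(" (deleted)")
    if deleted:
        reasons.append("executable deleted from disk while still running")
    exe_name = os.path.basename(proc.exe_target[: -len(" (deleted)")] if deleted
                                else proc.exe_target)
    if exe_name and proc.comm != exe_name[:COMM_MAX]:
        reasons.append(
            f"process name {proc.comm!r} does not match executable {exe_name!r}"
        )
    return reasons


def scan(procs: Iterable[ProcInfo]) -> dict:
    """Map pid -> reasons for every process with at least one finding."""
    findings = {}
    for proc in procs:
        reasons = suspicious(proc)
        if reasons:
            findings[proc.pid] = reasons
    return findings


def collect_from_proc() -> list:
    """Read the live process table (Linux only; needs root to see everything)."""
    procs = []
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
        except OSError:
            continue
        try:
            exe = os.readlink(entry / "exe")
        except OSError:
            exe = ""  # kernel thread, exited, or permission denied
        procs.append(ProcInfo(int(entry.name), comm, exe))
    return procs


def demo() -> dict:
    """Constructed process table: one clean daemon, one kernel thread, one
    process that matches both of the behaviours described in the article."""
    sample = [
        ProcInfo(2, "kthreadd", ""),                         # kernel thread, no exe
        ProcInfo(412, "sshd", "/usr/sbin/sshd"),             # normal daemon
        ProcInfo(2001, "php-fpm", "/usr/sbin/php-fpm"),      # normal daemon
        ProcInfo(1337, "nginx", "/tmp/.x (deleted)"),        # constructed suspect
    ]
    return scan(sample)


if __name__ == "__main__":
    for pid, reasons in demo().items():
        print(pid, "->", "; ".join(reasons))
```

The name-mismatch check is a triage aid rather than a verdict: some legitimate software renames its threads and processes, so the output is a list of things to look at, with the deleted-executable finding being the stronger of the two signals.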

E-commerce companies running any FishPig plugins or integrations (free or paid) should follow the company’s prescribed detection and mitigation measures. FishPig also said it can be contacted by anyone “concerned about this affecting their website” who needs help to resolve the issue.

But wait, there’s more

On top of that, Wordfence reported this month that a WordPress plugin called BackupBuddy, with an estimated 140,000 installs, was under active attack. The software has a vulnerability, fixed in version 8.7.5, that can be used to download files, including sensitive information, from vulnerable installations.

Wordfence also said this week that a zero-day security flaw in a plugin called WPGateway is being widely exploited to add malicious administrator accounts to vulnerable websites. We don’t know of a patch available yet. ®
