
FishPig Supply Chain Attack May Have Compromised Over 200,000 Servers

FishPig, a UK-based developer and vendor of Magento e-commerce extensions, suffered a supply chain attack that may have compromised over 200,000 servers.

Published September 14, 2022

FishPig, a UK-based developer and vendor of Magento e-commerce software, suffered a cyber attack that compromised its customers' systems. The company reported that the attack originated from a compromised FishPig distribution server and may have affected as many as 200,000 servers.

After learning that a weakness on its distribution server had allowed the threat actor to covertly backdoor customer systems, the company advised users to reinstall or upgrade all installed FishPig extensions.

Fishpig supply chain attack

According to reports, the unidentified threat actors gained control of FishPig's distribution infrastructure and used it to mount a supply chain attack that delivered Rekoobe, a well-known Linux backdoor. Rekoobe is a Trojan that can pose as a benign SMTP server; once triggered, it opens a reverse shell through which the threat actor can issue commands to the compromised server remotely.

After identifying the intrusion and taking steps to contain it, Ben Tideswell, lead developer at FishPig, emailed customers about the incident. The company says it is "unsure" how the attacker gained access, but it does not believe this was a purely automated exploit, since the attacker decided manually where and how to deploy Rekoobe. According to Tideswell, FishPig is still looking for the weakness that let the attacker into its systems.

FishPig is a well-known developer and distributor of Magento 2 extensions and Magento websites, and provides Magento services worldwide. According to Tideswell, the attack's initial phase began on August 6, 2022, although at that stage the attackers had not yet inserted any malicious code into the systems. Sansec reports that the intrusion proper, with malicious code in place, began on or before August 19, 2022.

The supply chain operation

According to the email sent to affected users, the threat actor used their access to insert malicious PHP code into the Helper/License.php file, which is present in most FishPig extensions, and through it deployed Rekoobe. Once running, Rekoobe deleted its own files from disk and operated from memory only, disguising itself as a system process so that security tooling on the host would not detect it.

According to FishPig, the malware disguised itself as one of the following system processes:

  • /usr/sbin/cron -f
  • /sbin/udevd -d
  • crond
  • auditd
  • /usr/sbin/rsyslogd
  • /usr/sbin/atd
  • /usr/sbin/acpid
  • dbus-daemon --system
  • /sbin/init
  • /usr/sbin/chronyd
  • /usr/libexec/postfix/master
  • /usr/lib/packagekit/packagekitd
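A process that deletes its own binary and borrows a daemon's name leaves two traces a responder can check on a Linux host: /proc/<pid>/exe points at a file marked "(deleted)", and the path claimed in argv[0] does not match the binary actually mapped. The script below is an added example, not FishPig's or Sansec's code. The list of daemon names is the one FishPig published above; the two heuristics (deleted binary, argv[0]/exe mismatch) are general Linux triage checks and an assumption about how to surface this behaviour, not a detail from the incident report. The sample process table is constructed for illustration.

```python
"""Flag memory-only processes hiding behind common daemon names.

Added example (not FishPig's or Sansec's code). Daemon names are from
FishPig's notice; the detection heuristics are general Linux triage
checks, assumed here rather than taken from the incident report.
"""
import os
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Process names the malware is reported to imitate (from FishPig's notice).
DISGUISES = [
    "/usr/sbin/cron -f", "/sbin/udevd -d", "crond", "auditd",
    "/usr/sbin/rsyslogd", "/usr/sbin/atd", "/usr/sbin/acpid",
    "dbus-daemon --system", "/sbin/init", "/usr/sbin/chronyd",
    "/usr/libexec/postfix/master", "/usr/lib/packagekit/packagekitd",
]
DISGUISE_ARGV0 = {d.split()[0] for d in DISGUISES}
DISGUISE_BASENAMES = {os.path.basename(a) for a in DISGUISE_ARGV0}


@dataclass
class ProcInfo:
    pid: int
    cmdline: str        # argv joined by spaces, what `ps` shows
    exe: Optional[str]  # readlink(/proc/<pid>/exe); None if unreadable


def classify(p: ProcInfo, resolve: Callable[[str], str] = os.path.realpath) -> Optional[str]:
    """Return a reason if `p` looks like a masquerade, else None.

    `resolve` maps a claimed argv[0] path to the binary a genuine process
    would run (default: follow symlinks on this host), so that e.g.
    /sbin/init -> /usr/lib/systemd/systemd is not a false positive.
    """
    parts = p.cmdline.split()
    if not parts:
        return None  # kernel threads and zombies have an empty cmdline
    argv0 = parts[0]
    if argv0 not in DISGUISE_ARGV0 and os.path.basename(argv0) not in DISGUISE_BASENAMES:
        return None  # not one of the imitated names
    if p.exe is None:
        return f"claims {argv0} but /proc/{p.pid}/exe is unreadable (re-run as root)"
    if p.exe.endswith(" (deleted)"):
        # The binary was unlinked after exec: memory-only execution.
        return f"claims {argv0} but its binary is gone from disk: {p.exe}"
    if argv0.startswith("/"):
        expected = os.path.normpath(resolve(argv0))
        if os.path.normpath(p.exe) != expected:
            return f"claims {argv0} (-> {expected}) but runs {p.exe}"
    elif os.path.basename(p.exe) != argv0:
        return f"claims {argv0} but runs {p.exe}"
    return None


def scan_proc(proc_root: str = "/proc") -> List[Tuple[ProcInfo, str]]:
    """Walk /proc on a live Linux host and return (process, reason) findings."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited mid-scan
        try:
            exe: Optional[str] = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            exe = None  # permission denied (not root) or kernel thread
        info = ProcInfo(pid, cmdline, exe)
        reason = classify(info)
        if reason:
            findings.append((info, reason))
    return findings


# Constructed sample (not data from the incident): genuine init and daemons,
# one unrelated process, and two imitators using names from the list above.
SAMPLE = [
    ProcInfo(1, "/sbin/init", "/usr/lib/systemd/systemd"),
    ProcInfo(612, "/usr/sbin/cron -f", "/usr/sbin/cron"),
    ProcInfo(640, "dbus-daemon --system", "/usr/bin/dbus-daemon"),
    ProcInfo(2210, "/usr/bin/php-fpm: pool www", "/usr/sbin/php-fpm8.1"),
    ProcInfo(4242, "/usr/sbin/cron -f", "/dev/shm/.x (deleted)"),
    ProcInfo(4243, "auditd", "/var/tmp/.a"),
]
# Symlink layout of the constructed sample host (merged-/usr style).
SAMPLE_LINKS = {"/sbin/init": "/usr/lib/systemd/systemd"}


def demo_findings() -> List[Tuple[int, str]]:
    """Run the check over the constructed sample; returns (pid, reason) pairs."""
    def resolve(path: str) -> str:
        return SAMPLE_LINKS.get(path, path)
    return [(p.pid, r) for p in SAMPLE if (r := classify(p, resolve))]


if __name__ == "__main__":
    for pid, reason in demo_findings():
        print(f"[sample] pid {pid}: {reason}")
    if os.path.isdir("/proc"):
        for info, reason in scan_proc():
            print(f"[live]   pid {info.pid}: {reason}")
```

Run it as root so every /proc/<pid>/exe link is readable. A "(deleted)" exe is not proof on its own: a daemon whose package was upgraded while it kept running shows the same marker, so confirm a hit by checking the process's open sockets and comparing its memory-mapped binary with the package's file. The check also only finds the running implant; the modified Helper/License.php stays on disk, which is why FishPig advised reinstalling or upgrading the extensions.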
Written By

The Cyber Express is a publication that aims to provide the latest news and analysis about the information security industry. The news comes from a variety of sources and is updated regularly so that readers can stay up to date with the latest happenings in this rapidly growing field.
