Fishpig, a UK-based software e-commerce retailer, suffered a cyber-attack, compromising client systems. The company reported that the attack was initiated by a vulnerable FishPig distribution server and impacted as many as 200,000 servers.
After learning about the security vulnerability on its distribution server, which allowed the threat actor to covertly backdoor customer systems, the company advised users to reinstall or upgrade all current program extensions.
Fishpig supply chain attack
According to reports, the unidentified threat actors devised a supply chain attack using Rekoobe (a popular Linux malware) and took control over FishPig’s networks. Rekoobe is a popular Trojan strain capable of converting commands to managing a benign SMTP server. Once triggered, a reverse shell enables the threat actor to issue commands to the compromised server remotely.
After identifying the threat and taking appropriate measures to stop it before it could do any more damage, Ben Tideswell, the leading developer at FishPig, wrote an email addressing the issue. The company is “unsure” what caused the application to exploit but states that it was an automated exploit as the attacker took a manual approach to decide where and how to deploy Rekoobe. According to Tideswell, the company is still looking for the loophole that helped the attacker access the systems.
FishPig is a popular developer and distributor of Magento 2 extensions and Magento websites and provides Magento services worldwide. According to Tideswell, the attack’s initial phase started on August 6, 2022, wherein the attackers didn’t include any malicious code in the systems. However, attackers took the initiative and began the intrusion on or before August 19, 2022, reports Sansec.
The supply chain operation
According to the mail, which was sent to the users who were affected by the attacker, FishPig stated that the threat actor used their access to insert malicious PHP code into a Helper/License.php file, which is present in most of FishPig extensions. The alleged hacker used Rekoobe to delete all files from the disc and only used memory to operate, and disguised itself as a system process so that the security protocols won’t be able to detect inside the systems.
According to FishPig, the malware tried to resemble one of these to hide inside the system.
- /usr/sbin/cron -f
- /sbin/udevd -d
- crond
- auditd
- /usr/sbin/rsyslogd
- /usr/sbin/atd
- /usr/sbin/acpid
- dbus-daemon –system
- /sbin/init
- /usr/sbin/chronyd
- /usr/libexec/postfix/master
- /usr/lib/packagekit/packagekitd
