Attackers Mount Magento Supply Chain Attack By Compromising FishPig Extensions
FishPig, a UK-based company that develops extensions for the popular open-source e-commerce platform Magento, has announced that its paid software offerings were injected with malware after its distribution server was compromised.
How Attackers Compromised FishPig Extensions
Sansec researchers said that the FishPig distribution server was compromised on or before August 19. “Any Magento store that has installed or updated paid Fishpig software since then is likely running Rekoobe malware,” they noted.
FishPig said the compromise could have happened any time after August 6. They haven’t said how the attackers managed to break into the server – they may not be sure yet, anyway – but they do know that the attackers managed to inject malicious PHP code into Helper/License.php, a file that is included with most FishPig extensions.
Ben Tideswell, lead developer of FishPig, told Ars Technica that the attackers took advantage of its custom system that encrypts extension code before it is made available for download, which hid the injected code from users and malware scanners.
The injected malicious code installs the Rekoobe remote access Trojan which, once launched, deletes all malicious files and runs in memory, Sansec researchers explained. Then it hides as a system process and waits for commands from a control server in Latvia.
The only good news related to this Magento supply chain attack is that there is no evidence that the compromised stores have been exploited.
“We expect that access to the affected stores could be sold en masse on hacking forums,” the Sansec threat researchers noted, and said that, based on their monitoring of the C2 server, they had not yet detected any abuse.
The number of affected stores is unknown.
FishPig urges users to assume that all paid FishPig Magento 2 modules have been infected and advises them to upgrade all FishPig modules or reinstall existing versions from source.
They also provided a command to remove the Rekoobe backdoor from affected systems and a test tool to check FishPig files for infection. “We are currently offering a free cleanup service to anyone who is concerned that this is affecting their site and needs help fixing it,” they added.
Sansec advises affected merchants to temporarily disable any paid FishPig extension, run a server-side malware scanner to detect installed malware, and finally restart the server to terminate unauthorized background processes.
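The in-memory behaviour described above (dropped files deleted, implant kept alive under a system-process name) is visible on Linux through /proc: a process whose /proc/<pid>/exe link ends in " (deleted)" is running code whose file no longer exists. The script below is an added triage example, not code from FishPig or Sansec; it relies only on that heuristic, and the demo() function runs it against a constructed /proc-like tree so it can be exercised offline before pointing it at a real server (the restart step in Sansec's advice is what actually ends such a process).

```python
import os
import tempfile
from pathlib import Path


def deleted_exe_processes(proc_root="/proc"):
    """Return a sorted list of (pid, exe_target, cmdline) for every process
    whose executable path now ends in " (deleted)": the binary was unlinked
    after the process started, which is what a memory-resident implant
    looks like on Linux. Pass a real /proc (as root for full coverage)
    or a constructed tree, as in demo()."""
    hits = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue  # /proc/self, /proc/cpuinfo and friends are not PIDs
        try:
            target = os.readlink(entry / "exe")
        except OSError:
            # kernel threads have no exe, other users' processes are
            # unreadable without root, and a PID may exit mid-scan
            continue
        if not target.endswith(" (deleted)"):
            continue
        try:
            raw = (entry / "cmdline").read_bytes()
        except OSError:
            raw = b""
        # cmdline is NUL-separated argv; a disguised process will show a
        # kernel-thread-like name here while exe points at a deleted file
        cmdline = " ".join(a.decode(errors="replace") for a in raw.split(b"\0") if a)
        hits.append((int(entry.name), target, cmdline))
    return sorted(hits)


def _fake_process(proc_root, pid, exe_target, argv):
    """Populate one PID directory in a constructed /proc-like tree (sample data)."""
    d = Path(proc_root) / str(pid)
    d.mkdir(parents=True)
    os.symlink(exe_target, d / "exe")  # dangling symlink is fine: readlink reads the text
    (d / "cmdline").write_bytes(b"\0".join(a.encode() for a in argv) + b"\0")


def demo():
    """Build a constructed sample tree and run the check against it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "cpuinfo").write_text("constructed, non-PID entry\n")
        (Path(root) / "2").mkdir()  # kernel thread: no exe link at all
        _fake_process(root, 1, "/usr/sbin/nginx", ["nginx: worker process"])
        # constructed implant: file already unlinked, name mimics a kernel thread
        _fake_process(root, 4242, "/tmp/.cache/x (deleted)", ["[kworker/0:1]"])
        return deleted_exe_processes(root)  # -> [(4242, '/tmp/.cache/x (deleted)', '[kworker/0:1]')]


if __name__ == "__main__":
    for pid, exe, cmd in demo():
        print(f"pid={pid} exe={exe} cmdline={cmd}")
```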