It’s only been a week or so, and there are obviously at least three critical holes in the WordPress plugins and tools that are being exploited in the wild right now to compromise loads of websites.
We’ll start with FishPig, a UK-based software maker that integrates Adobe’s Magento e-commerce suite into WordPress-powered websites. FishPig’s distribution systems were compromised and its products modified so that installations of the code semi-automatically download and run the Linux Rekoobe Trojan.
Infosec outfit Sansec sounded the alarm this week that FishPig’s software was acting strangely: when a deployment’s control panel was visited by a logged-in Magento user, code would automatically fetch from FishPig’s back-end systems, and run, a Linux binary which turned out to be Rekoobe. This would open a backdoor allowing miscreants to remotely control the box.
After that, crooks might spy on customers, modify or steal data, etc.
According to FishPig’s disclosure, its products were modified as early as August 6, and the offending code has since been removed. We are told that the paid versions were mainly affected. The free versions of FishPig modules available on GitHub were probably clean.
If you are using commercial software from FishPig, you should reinstall the tools and check for signs of compromise.
According to FishPig, it is “best to assume that all paid FishPig Magento 2 modules have been infected”. It’s unclear exactly how many customers were caught in the supply chain attack, although Sansec said the company’s free Magento packages have been collectively downloaded more than 200,000 times. This doesn’t necessarily mean that there is a comparable number of paying users, although it gives you an idea of the interest in FishPig’s tools.
While it’s unclear exactly how the attackers penetrated FishPig’s backend servers, the result was clear: code was added to the License.php file on FishPig’s systems that its products fetch and run when they are used. This PHP file had been modified to download and execute a malicious binary also hosted on FishPig’s platform. Thus, when a staff user accesses the control panel of their FishPig deployment, the modified remotely hosted License.php file is retrieved and executed, which automatically runs Rekoobe on the user’s web server.
License.php normally checks that the deployment is properly paid for and licensed, which is why it is fetched so consistently.
Once Rekoobe infects a host, it deletes its files and remains hidden in memory as a process, where it waits for commands from a single IP address geolocated to Latvia. Sansec said it expects the mastermind behind this hack to sell access to the servers compromised in this supply chain attack.
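Because the Trojan, as described above, unlinks its own files and lives on only as a running process, one sign of compromise an administrator can look for is a process whose executable no longer exists on disk. The script below is an added example written for this article, not code from FishPig, Sansec or Intezer; it relies only on the Linux /proc layout, where the kernel marks such a link target with a trailing "(deleted)".

```shell
#!/bin/sh
# Added example: list processes whose executable has been unlinked from disk,
# the pattern described for Rekoobe (files deleted, process kept in memory).
# Works on the standard Linux /proc layout; no third-party tools needed.

# find_deleted_exe_procs [PROC_ROOT]
# Prints "PID<TAB>exe-target" for each process whose /proc/PID/exe symlink
# points at a path the kernel has tagged " (deleted)".
find_deleted_exe_procs() {
    proc_root="${1:-/proc}"
    for pid_dir in "$proc_root"/[0-9]*; do
        [ -d "$pid_dir" ] || continue
        pid="${pid_dir##*/}"
        # readlink fails for kernel threads and PIDs we lack permission to
        # inspect; skip those quietly instead of aborting the sweep
        target=$(readlink "$pid_dir/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") printf '%s\t%s\n' "$pid" "$target" ;;
        esac
    done
}

# count_deleted_exe_procs [PROC_ROOT]
# Number of flagged processes; handy as an alert threshold in cron/monitoring.
count_deleted_exe_procs() {
    find_deleted_exe_procs "$1" | wc -l | tr -d ' '
}

# demo: run the check against a constructed fake /proc tree (one clean
# process, one with a deleted executable) so the script can be tried offline.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/101" "$root/202"
    ln -s /usr/bin/php-fpm "$root/101/exe"
    ln -s "/tmp/.x/payload (deleted)" "$root/202/exe"   # constructed suspicious entry
    find_deleted_exe_procs "$root"
    rm -rf "$root"
}

demo
```

Run it against the real system with `find_deleted_exe_procs /proc`; a hit is not proof of infection (a legitimately upgraded binary shows the same way), but it is a process worth explaining.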
Rekoobe has been floating around the internet in various guises since its discovery in 2015. The variant of Rekoobe used in this attack appears to have been written no earlier than 2018, according to Intezer’s analysis.
According to Intezer, newer versions of Rekoobe carry hard-coded C2 server addresses and attempt to rename their own process, as is the case in this FishPig instance.
E-commerce businesses running any of FishPig’s plugins or integrations – free or paid – should follow the detection and mitigation steps set out by the company. FishPig said affected customers can also request “a free cleanup service for anyone who is concerned this is affecting their site and needs help resolving it.”
But wait, there’s more
On top of that, Wordfence reports this month that a WordPress plugin called BackupBuddy, with around 140,000 installs, was under active attack. The software has a vulnerability, fixed in version 8.7.5, which can be exploited to download files, including sensitive information, from vulnerable installations.
Wordfence also said this week that a zero-day security flaw in a plugin called WPGateway is being exploited in the wild to add malicious administrator accounts to vulnerable websites. We are not yet aware of a patch available for this. ®