An anonymous reader quotes the Ars Technica report: FishPig, a British maker of e-commerce software used by more than 200,000 websites, is urging customers to reinstall or update all existing program extensions after discovering a security breach in its distribution server that allowed criminals to secretly infiltrate customer systems. Unknown threat actors used their control of FishPig’s systems to launch a supply chain attack that infected customer systems using the FishPig Magento 2 paid modules with Rekoobe, a sophisticated backdoor discovered in June. Rekoobe pretends to be a benign SMTP server and can be activated by hidden commands related to the processing of a startTLS command from an attacker over the Internet. Once activated, Rekoobe provides a reverse shell that allows a threat actor to remotely issue commands to an infected server.
“We are still investigating how the attacker gained access to our systems and are currently unsure whether through a server exploit or an application exploit,” Ben Tideswell, FishPig’s lead developer, wrote in an email. “As for the attack itself, we are used to seeing automated application exploits, and this may have been how the attackers initially gained access to our system. However, once inside, they must have hand-picked where and how to place their exploits.”
FishPig is a Magento-WordPress integration vendor. Magento is an open source e-commerce platform used to develop online marketplaces. The supply chain attack only affects the paid modules for Magento 2. Tideswell said the last software change pushed to its servers that did not include malicious code was made on August 6, making it the earliest possible date for the breach to have occurred. Sansec, the security firm that discovered and first reported the breach, said the intrusion began on or before August 19. Tideswell said FishPig had already “sent out emails to everyone who downloaded anything from FishPig.co.uk in the last 12 weeks alerting them to what had happened”. Tideswell declined to say how many active installations of its paid software there are. A page on FishPig’s site shows that the software has been downloaded more than 200,000 times, but the number of paid customers is smaller. In a post published after Sansec’s advisory, FishPig describes how the attackers carried out the intrusion and remained hidden for so long.