E-commerce software developer FishPig hacked in a large-scale supply chain attack

The British company FishPig, which develops e-commerce solutions (mainly for Magento-WordPress integrations) that have been downloaded more than 200,000 times in total, has been hacked. Unknown cybercriminals injected the Rekoobe backdoor into the company’s products in order to attack customers.

Let us remind you that we also wrote that Hackers Attacked an Anonymous Site for Sending Faeces by Mail, and also that Attackers Stole Credentials from Twilio Employees and Eventually Hacked the Company.

Sansec experts described the attack in detail in their report. According to them, unknown attackers gained control over the FishPig server infrastructure and added malicious code to the company’s software. The researchers confirm the compromise of products such as FishPig Magento Security Suite and FishPig WordPress Multisite, and warn that other paid extensions are likely to be compromised as well. The free tools hosted by the company on GitHub did not seem to be affected by this attack.

According to the experts, hackers injected malicious code into the License.php file, which is responsible for checking the license in FishPig premium plugins. This code downloaded the lic.bin binary from the FishPig servers (license.fishpig.co.uk).

The binary is malware from the Rekoobe family. Previously, this Remote Access Trojan (RAT) was distributed in conjunction with the Syslogk Linux rootkit. As part of the attack on FishPig, the malware disguises itself as a harmless SMTP server and can be activated using hidden commands related to startTLS processing. Once activated, Rekoobe provides hackers with a reverse shell and allows them to remotely issue commands to the infected server.

Sansec writes that Rekoobe is currently idle and waiting for commands from the hackers’ control server located in Latvia, which the researchers found at 46.183.217[.]2. It is assumed that the attackers behind this attack planned to sell access to the compromised stores to other criminals.

As a result, anyone who installed or upgraded FishPig premium products prior to August 19, 2022 should consider their stores compromised and take the following actions immediately:

  1. disable all FishPig extensions;
  2. run a malware scanner on the server side;
  3. restart the server to end any unauthorized background processes;
  4. add 127.0.0.1 license.fishpig.co.uk to /etc/hosts to block the malware’s outgoing connections.
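
Shell helpers for triaging a server against the indicators named above and for applying step 4 idempotently. This is an added example, not code from Sansec or FishPig; the web root and hosts file paths passed as arguments are assumptions, and candidate files are only listed for manual review.

```bash
#!/usr/bin/env bash
# Added example: triage helpers built on the indicators named in the article.
# The directory and hosts-file paths passed as arguments are assumptions.

LICENSE_HOST="license.fishpig.co.uk"   # download host named in the article
C2_IP="46.183.217.2"                   # control server address named in the article

# List License.php files and any lic.bin under a web root for manual review.
# A listed License.php is a file to inspect, not proof of infection.
find_candidates() {
    find "$1" -type f \( -name 'License.php' -o -name 'lic.bin' \) 2>/dev/null | sort
}

# Succeed only if an uncommented hosts line maps the license host to 127.0.0.1.
hosts_blocked() {
    awk -v h="$LICENSE_HOST" '
        { sub(/#.*/, "") }                      # drop comments before matching
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !found }' "$1"
}

# Step 4 of the list above: append the entry only when it is missing,
# so repeated runs do not duplicate the line.
ensure_block() {
    hosts_blocked "$1" || printf '127.0.0.1 %s\n' "$LICENSE_HOST" >> "$1"
}

# Read `ss -tn` style lines on stdin (peer address:port in column 5)
# and print those whose peer is the control server address.
c2_connections() {
    awk -v ip="$C2_IP" '{ p = $5; sub(/:[0-9]+$/, "", p); if (p == ip) print }'
}
```

Typical use on a live host: `find_candidates /var/www`, `ss -tn | c2_connections`, then `ensure_block /etc/hosts` as root.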

Representatives of FishPig told Bleeping Computer reporters that they are currently investigating the incident and studying its consequences.

The best advice at the moment is to reinstall all FishPig modules. People don’t need to update to the latest version (although they can) as simply reinstalling the same version ensures they have clean code since all infected code has already been removed from FishPig.

The infection was limited to obfuscated code in one file of our separate license.fishpig.co.uk, and it has already been removed, and we have added protection against future attacks. FishPig.co.uk was not affected.

We apologize for any inconvenience users may have experienced. This was an extremely smart targeted attack and we will be more vigilant in the future, the company said.

About the author

Carina Wilson
