Malware has plagued the supply chain during the pandemic, providing an easy route for hackers to infiltrate systems relying on third-party applications and services. A new attack has been reported this week – on Sunday last; the PHP project announced that hackers gained access to its primary Git server. They proceeded to upload two malicious commits, including a backdoor. Luckily, the commits were discovered before being sent to production.
PHP is a general-purpose scripting language especially suited to web development. It is extremely popular and a powerful tool for making dynamic and interactive Web pages. PHP can be embedded into HTML, which can make a PHP-driven attack particularly dangerous.
The attacks were pushed to the php-src (source) repository, meaning the hackers could pull off a supply chain attack if developers picked up the code, believing it to be legitimate.
Both pushes, which be viewed here, claimed to be ‘fixing a typo’ within the code. The pushes were made using the accounts of PHPs founders, Rasmus Lerdorf and Nikita Popov. This gave the push an air of credibility, as it appeared to come from trusted sources.
In a statement, Popov explained, “We don’t yet know how exactly this happened, but everything points towards a compromise of the
git.php.net server (rather than a compromise of an individual git account).”
Popov went on to explain that PHP would be moving its servers to GitHub, hoping for added security.
“While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.”
Popov also explained they would review their entire repository, searching for any corruption or traces of Malware.
Craig Young principal security researcher at Tripwire said regarding the attack, “Had it not been detected, the code could have ultimately poisoned the binary package repositories which countless organizations rely upon and trust. Open-source projects which are self-hosting their code repositories may be at increased risk of this type of supply chain attack and must have robust processes in place to detect and reject suspicious commits”
Malware Attacks On The Supply Chain
As business relies more on third-services, the digital supply chain has placed a target on its back for hackers with malware. While a business or industry may employ tight cybersecurity practices, a supply chain malware attack can mean targeting the weakest link and finding a foothold into a secured business. These sorts of attacks have been rife in the last 12 months, most notably the SolarWinds attack, which SaferNet covered previously.
Weaponizing code dependencies, like with PHP, is a relatively new attack vector. Last year, researchers spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository — all of which exfiltrated sensitive information. The packages weaponized a proof-of-concept (PoC) code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects.
In December, RubyGems, an open-source package repository and manager for the Ruby web programming language, took two of its software packages offline after they were found to be laced with malware.
And in January, three malicious software packages were published to npm, masquerading as legitimate by using brandjacking. Any applications corrupted by the code could steal tokens and other information from Discord users, researchers said.
Previous to the pandemic, one of the most infamous malware supply chain attacks occurred in 2017, which was attributed to Russia. The NotPetya malware compromised Ukrainian accounting software as part of an attack designed to target the country’s infrastructure, but the malware spread quickly to other countries. NotPetya wound up doing more than $10 billion in damage and disrupted operations for multinational corporations such as Maersk, FedEx, and Merck.
Supply chain attacks are attractive to hackers because when commonly used software is compromised, the attackers could potentially gain access to all the enterprises that use that software.
Protection
As cyberattacks evolve and become more frequent, it’s important that homes and businesses have the right tools to combat the threats they’re facing. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.