Developers Avert Major Supply Chain Attack Exploiting Compromised PHP Source Code

essidsolutions

Timely intervention by PHP developers warded off a potentially massive software supply chain attack against websites running PHP. After compromising the PHP Git server, attackers pushed two malicious commits into the PHP source code that could have led to remote website takeover.

Cybercriminals recently attempted a major software supply chain attack by compromising the legitimate PHP Git server (git.php.net) and leaving behind two commits in the source code of the widely used scripting language. Had the code shipped to websites running PHP, it could have led to remote code execution and complete takeover.

According to PHP developer and maintainer Nikita Popov, attackers pushed the two commits to the php-src repository. The malicious commits were signed off under the names of Popov and PHP designer Rasmus Lerdorf: one was disguised as a fix for minor typographical errors, the other as a revert of that fix.

What could have been a potentially disastrous scenario – considering the language is used by over two-thirds of all websites – was averted thanks to the commits’ discovery by developers Markus Staab, Michael Voříšek, and Jake Birchall. “This line executes PHP code from within the useragent HTTP header if the string starts with Zerodium,” said Voříšek.

Had the malicious code been shipped and executed, it could have planted backdoors in websites running the affected builds. The backdoor would then have allowed attackers to execute code remotely and take complete control of those websites.
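The trigger described above (a User-Agent header beginning with the word Zerodium) is something a web server log will record even when the backdoor itself never shipped. The following detection script is an added example, not code from the original report or from the PHP project: it parses constructed combined-format access log lines and flags requests whose User-Agent starts with the trigger word. Case-insensitive matching and the sample log lines are assumptions made here for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Mar/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.11 - - [29/Mar/2021:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "zerodium echo 1;"
203.0.113.12 - - [29/Mar/2021:10:01:09 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.13 - - [29/Mar/2021:10:02:00 +0000] "GET /about.php HTTP/1.1" 200 1024 "-" "Zerodium var_dump(1);"
203.0.113.14 - - [29/Mar/2021:10:02:30 +0000] "GET /about.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 zerodium-research"
"""

# Combined log format: the User-Agent is the last double-quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRIGGER = "zerodium"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trigger_ua(ua: str) -> bool:
    """True when the User-Agent starts with the trigger word the report describes.

    The report says the backdoor fired when the header *started* with the word, so a
    User-Agent merely containing it elsewhere is not flagged. Case-insensitive
    comparison is an assumption added here to catch trivial capitalisation variants.
    """
    return ua.lower().startswith(TRIGGER)


def find_trigger_requests(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records of every request whose User-Agent matches the trigger."""
    return [
        rec
        for rec in (parse_line(line) for line in log_text.splitlines())
        if rec is not None and is_trigger_ua(rec["ua"])
    ]


if __name__ == "__main__":
    for rec in find_trigger_requests(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["ip"]} {rec["req"]!r} UA={rec["ua"]!r}')
```

Any hit is worth investigating regardless of whether the server ran an affected build, since it shows someone probing for the backdoor.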

The malicious code also contained a reference to the exploit acquisition company Zerodium, which acquires zero-day vulnerabilities and exploits from security researchers and reports the findings to its clients, mainly the U.S. government. Zerodium’s CEO Chaouki Bekrar took to Twitter to deny any association and dismissed the perpetrator(s) of the attack as ‘trolls’.

Cheers to the troll who put “Zerodium” in today’s PHP git compromised commits. Obviously, we have nothing to do with this.

Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun 😃

— Chaouki Bekrar (@cBekrar) March 29, 2021


How the attackers managed to compromise the PHP Git server to make the source code changes remains unknown. But the incident has led directly to the decision to move the PHP repository to GitHub instead of maintaining a separate server.

“We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” wrote Popov. “While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.”

Previously, the PHP Extension and Application Repository (PEAR) was compromised in January 2019, after which the pear.php.net server was shut down temporarily. More recently, a software supply chain attack that infiltrated SolarWinds and trojanized its Orion network monitoring software devastated hundreds of organizations, including fewer than a dozen federal agencies.

❗A pair of malicious commits were made in the PHP source code repository over the weekend. These commits were immediately noticed and reverted, and never reached end users.

Because we’re still investigating the root cause, we are putting releases on hold for at least two weeks.

— php.net (@official_php) March 31, 2021

The timeline for the PHP repository’s transition to GitHub, intended to mitigate future security threats, is unclear. “While previously write access to repositories was handled through our home-grown karma system, you will now need to be part of the php organization on GitHub. Membership in the organization requires 2FA to be enabled,” Popov added.
