SOCRadar® Cyber Intelligence Inc. | WordPress Sites Compromised Due to FishPig Supply Chain Attack
Sep 15, 2022

WordPress Sites Compromised Due to FishPig Supply Chain Attack

Numerous attack scenarios were observed targeting WordPress recently. These attacks abused WordPress plugins and tools to exploit websites. Threat actors infected FishPig’s distribution server as part of a supply chain attack. The vendor’s service integrates Adobe’s Magento eCommerce platform into WordPress websites. Attackers injected malicious code into FishPig’s software to access the WordPress websites. 

How Do Attackers Compromise FishPig Modules? 

Although it is unknown how attackers initially gained access to FishPig’s server infrastructure, it is known that malicious code was added to the License.php file hosted on license.fishpig.co[.]uk, which is initially used to verify the customer’s product license.

When a logged-in user visits the control panel, the malicious code downloads and executes a Linux library (lic.bin) from FishPig’s servers. This launches the Rekoobe Linux trojan.

Rekoobe deletes its files after infecting a host and runs stealthily as an in-memory process. It awaits commands from a command-and-control IP address in Latvia (46.183.217.2).

As a result, a backdoor is created that enables attackers to control the server remotely and access customer data.

Conclusion and the Vendor’s Notice 

FishPig stated that all paid FishPig Magento 2 modules were likely affected. The free FishPig Magento modules on GitHub, which have over 200,000 downloads, are said to be clear of malicious code.

According to Sansec, the threat actor is expected to sell access to the servers breached in this supply chain incident.

FishPig published a security announcement informing customers that the malicious code has been removed from the product and that a reinstall resolves the problem quickly.

Actively Exploited Zero-Day Vulnerability in WPGateway

Another flaw in a WordPress plugin was found to be actively exploited: a zero-day vulnerability (CVE-2022-3180) in the WPGateway plugin, discovered by the Wordfence Threat Intelligence team, that is used to add a malicious administrator user to WordPress sites.

The WPGateway WordPress plugin lets administrators simplify several activities, such as setting up and backing up websites and managing themes and plugins from a single dashboard.

Over 4.6 million attempts to exploit this vulnerability against more than 280,000 sites have been stopped by the Wordfence firewall in the last 30 days. 

The most frequent indicator of compromise is the addition of a malicious administrator with the username rangex.

You can also look for requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 in your website’s access logs to determine whether it has been compromised.
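As an added illustration, not code from the original post or from Wordfence, the following Python script checks the two indicators above: it parses access-log lines in Common Log Format for the wpgateway request (tolerating the doubled leading slash and subdirectory installs) and compares the site’s administrator list against an allowlist. The log lines and usernames are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Request path and query parameter reported as the CVE-2022-3180 indicator.
WPGATEWAY_IOC_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
WPGATEWAY_IOC_QUERY = "wp_new_credentials=1"

# Common Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not a real capture).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Sep/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.9 - - [12/Sep/2022:10:01:07 +0000] "GET //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 312
198.51.100.7 - - [12/Sep/2022:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def find_wpgateway_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return ip/time/status for each request matching the WPGateway IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        path, _, query = m.group("target").partition("?")
        # Attackers' requests are logged with a doubled leading slash; normalize it.
        path = re.sub(r"/{2,}", "/", path)
        if path.endswith(WPGATEWAY_IOC_PATH) and WPGATEWAY_IOC_QUERY in query.split("&"):
            hits.append({"ip": m.group("ip"), "time": m.group("time"), "status": m.group("status")})
    return hits


def unexpected_admins(admins: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Administrator usernames not on the allowlist (e.g. the reported 'rangex' account)."""
    allowed = {a.lower() for a in allowlist}
    return sorted(u for u in admins if u.lower() not in allowed)


if __name__ == "__main__":
    for hit in find_wpgateway_requests(SAMPLE_LOG.splitlines()):
        print("WPGateway IOC request:", hit)
    # Constructed admin list: 'rangex' is the username reported as the IOC.
    print("Unexpected admins:", unexpected_admins(["admin", "rangex"], ["admin"]))
```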

BackupBuddy Plugin Also Contains a Flaw 

In addition, Wordfence says another WordPress plugin, BackupBuddy, with an estimated 140,000 installations, was actively attacked this month.

Version 8.7.5 of the plugin fixes a vulnerability that could be used to download files, including sensitive data, from vulnerable installations.

The Importance of Monitoring Third-Party Components 

Today’s corporate activities are supported by a worldwide network of suppliers, third-party services, and supply chains.

Unfortunately, this dependence enlarges firms’ attack surfaces and gives attackers more avenues for exploitation.

Open-source reports show that in 2021, the number of supply chain attacks increased by 430%.

Automated tooling can help identify, monitor, and alert you to the potential risks of third-party libraries and other components used by a website. This is a preferable approach to keeping your company safe.

A complete website monitoring service is provided by SOCRadar, which first identifies the entirety of a company’s active and inactive websites before performing deep digital footprinting on each of them to find login pages, CMS apps, and third-party libraries.