PHP Git Server Hacked to Plant Malware in Code Base

 

In the most recent software supply chain assault, the official PHP Git repository was hacked and the code base altered. On Sunday, two malevolent commits were pushed to the php-src Git repository kept up by the PHP team on their git.php.net server. The threat actors had signed off on these commits as though these were made by known PHP developers and maintainers, Rasmus Lerdorf and Nikita Popov. 

The incident is disturbing considering PHP stays the server-side programming language to control more than 79% of the sites on the Internet. In the noxious commits [1, 2] seen by BleepingComputer, the assailants published a strange change upstream, "fix typo" under the pretence this was a minor typographical amendment. 

As indicated by Bleeping Computer, the code has all the earmarks of being intended to embed a backdoor and make a situation wherein remote code execution (RCE) might be conceivable. Popov said the development team isn't sure precisely how the assault occurred, however, pieces of information show that the official git.php.net server was likely undermined, instead of individual Git accounts. A remark, "REMOVETHIS: sold to zerodium, mid-2017," was included in the script. There is no sign, nonetheless, that the exploit seller has any inclusion in the cyberattack. 

Zerodium's chief executive Chaouki Bekrar named the culprit as a "troll," remarking that "likely, the researcher who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun." The commits were recognized and returned before they made it downstream or affected clients. An investigation concerning the security incident is currently in progress and the team is scouring the repository for some other indications of malevolent activity. Meanwhile, however, the development team has concluded now is the opportune chance to move permanently to GitHub. 

"We have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server," Popov said. "Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net." Developers with past write access to the task's repositories will now have to join the PHP group on GitHub.


from E Hacking News - Latest Hacker News and IT Security News https://ift.tt/39spksX

Comments