Posted on March 31, 2021 at 5:30 PM
A recent report has revealed that a threat actor had added a backdoor to a PHP programming language source code. According to the report, the incident has caused a flaw on websites that would have led to a complete takeover.
Over the weekend, two updates were sent to the PHP Git server, which would have allowed visitors with not an authorization to execute any code they want. According to the developers, the code execution is possible if a PHP-powered website runs those two updates.
The updates were made under the account names of two popular PHP developers, Nikita Popov and Rasmus Lerdorf.
Popov stated that no one is sure how the hackers were able to compromise the servers, but an investigation is ongoing. He added that the whole situation is coming from the infiltration of the git.php.net server and not from the infiltration of an individual git account.
Zerodium referenced in the attack
The update was allegedly made to correct a typo, with the first update coming before the second. After the developers spotted the first update, Voříšek discovered the second malicious commit, made under Popov’s account name, allegedly reverting the type fix made by the previous malicious update.
It’s not clear why the updates referenced Zerodium, a broker who sells exploits to government agencies for investigation purposes. But the chief executive officer of the company Chaouki Bekrar said investigations revealed Zerodium does not have a hand in the exploit.
“Cheers to the troll who put ‘Zerodium’ in today’s PHP git compromised commits,” he stated.
He added that the researchers that discovered the vulnerability burned it for fun probably because they didn’t succeed in their attempt to sell to several entities they approached.
Before the recent breach, the PHP Group was in charge of all write access to the repository on a single grit server. They utilized an internally-made system known as Karma.
This offered different access levels and privileges to the users, although it depends on previous contributions, while GitHub was regarded as a smaller repository.
However, the self-hosted repository has been abandoned by the PHP Group and replaced with GitHub.
As a result of the change, GitHub is now regarded as the “canonical” repository. The Karma system is no longer used by the PHP Group.
In its place, contributors are allowed to become part of the PHP organization on GitHub. But for them to make commits, they must log in to their accounts using two-factor authentication.
Git infrastructure is a security risk
After the breach, revealed that the PHP developers stated that the standalone Git infrastructure is an unnecessary security risk.
Consequently, they plan to dissolve the git.php server and establish GitHub as the main source for PHP repositories. In the future, the changes to all PHP source code will not be done on git.php.net but rather directly to the GitHub server.
The hacking incident was revealed publicly by developers Michael Voříšek, Jake Birchallf, and Markus Staab on Sunday evening. It was discovered when they were scrutinizing a commit made the previous day.
HD Moore, Chief executive officer of network discovery platform Rumble, opined that the exploit was carried out by those who are trying to prove a point about their unauthorized access. He stated that the motive of the threat actors wasn’t necessarily to backdoor sites that utilize PHP.
Php.net servers have been compromised in the past
Although php.net servers are considered very strong when it comes to security, the server has had its share of vulnerability issues Apart from this weekend, the server has also been compromised in the past.
The previous incident happened in early 2019 when the threat actors tried to carry out a supply chain attack. The PHP application repository was hit at the time, leading to a temporary shutdown of most of its site. It was discovered that the threat actors planted a malicious code in place of the main package manager.
The PHP group has admitted then that those who have installed PEAR PHP in the last six months may have been affected.
The attacks are worrisome for website owners because PHP runs the majority of the websites. About 8 in 10 websites run PHP, which shows how it can affect millions of sites.