Supply chain attacks have been on the rise in recent months. This time, criminals implanted a backdoor on the official PHP git server, pushing unauthorized commits that added a hidden backdoor to the PHP source code.
In detail, the malicious commits were added to the self-hosted “php-src” repository on the git.php.net server, under the names of Rasmus Lerdorf, the creator of PHP, and Nikita Popov, a software developer at JetBrains.
The changes are said to have been made yesterday, March 28.
“We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” Popov said in an announcement.
“This line executes PHP code from within the useragent HTTP header (“HTTP_USER_AGENTT”), if the string starts with ‘zerodium’,” PHP developer Jake Birchall said.
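The quote above describes the trigger: PHP fills `$_SERVER['HTTP_USER_AGENTT']` from a request header named `User-Agentt` (header name uppercased, `-` replaced by `_`, prefixed with `HTTP_`), so a defender can look for that header, or for a User-Agent value beginning with `zerodium`, at the reverse proxy or in raw request captures. The following detection helper is an added example written for this article; it is not code from the php-src project or from the author, and the sample requests in it are constructed.

```python
"""Detection helper for the request-header indicator described in the article.

Added example, not code from php-src or from the article's author.  The
backdoor (as described) executed PHP code from the value PHP exposes as
$_SERVER['HTTP_USER_AGENTT'] when that value starts with 'zerodium'.
PHP builds that key from a request header named "User-Agentt", so the
presence of such a header, or a 'zerodium'-prefixed user agent, is what a
proxy or log review can watch for.  Sample requests below are constructed.
"""

TRIGGER_PREFIX = "zerodium"              # prefix the backdoor checked for
SUSPECT_SERVER_KEY = "HTTP_USER_AGENTT"  # $_SERVER key named in the article


def php_server_key(header_name: str) -> str:
    """Map an HTTP request header name to the $_SERVER key PHP uses for it
    (uppercase, '-' -> '_', 'HTTP_' prefix), e.g. User-Agentt -> HTTP_USER_AGENTT."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def parse_raw_request(raw: str) -> dict:
    """Parse the request line and headers of a raw HTTP/1.x request into a
    dict keyed by lower-case header name.  Any body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:   # skip the request line itself
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_indicators(headers: dict) -> list:
    """Return human-readable reasons this request matches the trigger.
    An empty list means nothing suspicious was found."""
    reasons = []
    for name, value in headers.items():
        if php_server_key(name) == SUSPECT_SERVER_KEY:
            reasons.append(f"header '{name}' maps to {SUSPECT_SERVER_KEY}")
        if value.lower().startswith(TRIGGER_PREFIX):
            reasons.append(f"header '{name}' value starts with '{TRIGGER_PREFIX}'")
        elif TRIGGER_PREFIX in value.lower():
            # looser match: worth a look even if the exact start-of-string trigger is absent
            reasons.append(f"header '{name}' value contains '{TRIGGER_PREFIX}'")
    return reasons


def scan_requests(raw_requests: list) -> list:
    """Return the indices of the raw requests that carry at least one indicator."""
    flagged = []
    for idx, raw in enumerate(raw_requests):
        if find_indicators(parse_raw_request(raw)):
            flagged.append(idx)
    return flagged


# Constructed sample traffic: one clean request, one with the odd
# 'User-Agentt' header, one with a 'zerodium'-prefixed regular User-Agent.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n"
    "User-Agentt: zerodium<payload-redacted>\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\nUser-Agent: zerodium-scanner/1.0\r\n\r\n",
]

if __name__ == "__main__":
    for i in scan_requests(SAMPLE_REQUESTS):
        print(f"request #{i}:", "; ".join(find_indicators(parse_raw_request(SAMPLE_REQUESTS[i]))))
```

Run against a reverse-proxy header dump or a full-request capture rather than a default access log: most access-log formats record only the real `User-Agent` header, so the extra `User-Agentt` header would not appear there at all.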
Although the changes have now been reverted, it is not yet clear whether the tampered source was downloaded and distributed by other parties before the fix.
A review of Darknet forums and similar venues shows no backdoors or entry points being sold in connection with this supply chain attack.
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.