Attackers are currently planting backdoors on WordPress websites, among other places, via compromised shop software.
Attackers broke into the servers of the online shop software provider FishPig and infected the software with malicious code. Criminals can now access Magento-based shops built with the software via a backdoor. Security updates and instructions on how to detect the backdoor are now available. FishPig is used on WordPress websites, among other things. It is currently unclear exactly how many shops are affected.
If software manipulated by attackers is used in other projects, those projects are vulnerable as well. This is called a supply chain attack, because the compromise originates in the supply chain.
Security researchers from Sansec noticed the incident. FishPig has since confirmed it and released a statement. According to the statement, unknown attackers were able to gain access to FishPig.co.uk and the Extension License system via an unspecified route. In the process, they placed PHP-based malicious code in the Helper/License.php file.
All FishPig Magento 2 modules are said to be affected. The free extensions on GitHub are not affected. The unauthorized access is said to have occurred on or before August 19, 2022. Anyone who downloaded the software after that point and set up an online shop with it has very likely caught the Rekoobe malware. Attackers then establish themselves on the servers and can access them.
What to do?
In its statement, FishPig shows how admins can identify infected shops. They should also update the software quickly. Once this is done, the backdoor should be gone after a restart.