A Company Called FishPig Has Been Pwned… And This Could Lead To The Pwnage Of 200K Websites That Use Their Software…. Yikes!

A reader of this blog brought the story of a company called FishPig to my attention. I’m not sure that’s the best name for a company, but whatever. Anyway, they were apparently pwned by hackers, and here’s the fallout from that:

FishPig, a UK-based maker of e-commerce software used by as many as 200,000 websites, is urging customers to reinstall or update all existing program extensions after discovering a security breach of its distribution server that allowed criminals to surreptitiously backdoor customer systems.

The unknown threat actors used their control of FishPig’s systems to carry out a supply chain attack that infected customer systems with Rekoobe, a sophisticated backdoor discovered in June. Rekoobe masquerades as a benign SMTP server and can be activated by covert commands related to handling the startTLS command from an attacker over the Internet. Once activated, Rekoobe provides a reverse shell that allows the threat actor to remotely issue commands to the infected server.

“We are still investigating how the attacker accessed our systems and are not currently sure whether it was via a server exploit or an application exploit,” Ben Tideswell, the lead developer at FishPig, wrote in an email. “As for the attack itself, we are quite used to seeing automated exploits of applications and perhaps that is how the attackers initially gained access to our system. Once inside though, they must have taken a manual approach to select where and how to place their exploit.”

FishPig is a seller of Magento-WordPress integrations. Magento is an open source e-commerce platform used for developing online marketplaces.

Well, that concerns me right out of the gate, as this blog runs on WordPress. I only run a handful of plug-ins, and none of them are from this company as far as I recall. But I’ll be checking the few plug-ins that I use on this site to ensure that I personally haven’t been pwned. If you run a WordPress site or use Magento, you might want to do the same thing. Like now. The article that I linked to can help you with that if you’re unsure as to what you should be looking for and doing.
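As an added example (not code from FishPig or from the linked article), here is a small inventory script for finding FishPig packages and plug-ins on a Magento or WordPress host, so you know exactly which extensions the vendor’s “reinstall or update everything” advice applies to. The `fishpig/` Composer vendor prefix and the `Author: FishPig` plugin header are assumptions; adapt them to what your install actually contains.

```python
"""Inventory FishPig extensions in a Magento (composer.lock) or WordPress
(wp-content/plugins) install. Added example for this post, not FishPig's or
Magento's own tooling; the vendor prefix and author header are assumptions."""
import json
import re
from pathlib import Path

VENDOR_PREFIX = "fishpig/"  # assumed Composer vendor namespace for FishPig packages
# WordPress plugin headers look like " * Author: Some Vendor" near the top of the main file.
AUTHOR_RE = re.compile(r"^\s*\*?\s*Author:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def fishpig_composer_packages(lock_text: str) -> list[tuple[str, str]]:
    """Return (name, version) for every locked package under the vendor prefix."""
    lock = json.loads(lock_text)
    found = []
    for section in ("packages", "packages-dev"):  # dev packages ship code too
        for pkg in lock.get(section, []):
            if pkg.get("name", "").lower().startswith(VENDOR_PREFIX):
                found.append((pkg["name"], pkg.get("version", "?")))
    return sorted(found)


def is_fishpig_plugin_header(php_head: str) -> bool:
    """True if the plugin header block names FishPig as the author."""
    m = AUTHOR_RE.search(php_head)
    return bool(m) and "fishpig" in m.group(1).lower()


def fishpig_wp_plugins(plugins_dir: Path) -> list[str]:
    """Return plugin directory names whose main PHP file declares FishPig as author."""
    hits = set()
    for main_php in plugins_dir.glob("*/*.php"):
        head = main_php.read_text(errors="ignore")[:4096]  # headers sit at the top
        if is_fishpig_plugin_header(head):
            hits.add(main_php.parent.name)
    return sorted(hits)


# Constructed sample composer.lock fragment (not a real FishPig manifest).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.5"},
        {"name": "fishpig/magento2-wordpress-integration", "version": "3.0.0"},
    ],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.5.0"}],
})

if __name__ == "__main__":
    for name, ver in fishpig_composer_packages(SAMPLE_LOCK):
        print(f"review and reinstall from a clean source: {name} {ver}")
    print(fishpig_wp_plugins(Path("wp-content/plugins")))  # [] if the path is absent
```

Run it against the real `composer.lock` and `wp-content/plugins` of each site; anything it lists should be reinstalled from a clean copy rather than merely updated in place.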

This is your classic supply chain attack. And it illustrates why you need to be on top of everything that you use in your software stack. As well as being on top of what your vendors use in their software stack. Because anything that you use, or they use, no matter how minor, can lead to you getting pwned by hackers.
