It has not been long since the Microsoft Exchange Server attacks, and we have already witnessed another one.
This time the target was the official Git server of the PHP programming language. In a supply chain attack, malicious updates were pushed that inserted a secret backdoor into the source code. Reportedly, the server was compromised on 28th March. The malicious actor pushed the backdoored code while disguised as a legitimate developer.
Details About The Attack
Two malicious commits entered the self-hosted php-src repository hosted on the git.php.net server. The attackers illegitimately used the names of Rasmus Lerdorf, the author of the programming language, and Nikita Popov, a software developer at JetBrains.
“We don’t yet know how exactly this happened, but everything points toward a compromise of the git.php.net server (rather than a compromise of an individual git account),” Popov mentioned in a public notice.
The malicious changes came to public attention on Sunday night. They were discovered by developers including Markus Staab, Jake Birchall, and Michael Voříšek while they were reviewing a commit made on Saturday.
The update, which claimed to ‘fix a typo’, was made under an account using Lerdorf’s name.
Not long after the first catch, Voříšek spotted the second malicious commit, made under Popov’s account name. It appeared to revert the previous ‘typo fix’.
Git.php.net server will be discontinued
Before turning to the discontinuation of the server, some critical details of the attack deserve mention.
Interestingly, the code in both commits referenced ‘Zerodium.’ Zerodium is the leading exploit acquisition platform for premium zero-days and advanced cybersecurity research. In simple terms, it buys exploits from researchers and sells them to government agencies for use in investigations or other purposes. Why Zerodium was referenced is still unclear, although the matter is being investigated.
Zerodium responded quickly once it heard of the accusation. The company’s CEO, Chaouki Bekrar, tweeted, “Cheers to the troll who put ‘Zerodium’ in today’s PHP git compromised commits,” and added, “Obviously, we have nothing to do with this. Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun.”
The PHP team has discontinued the git.php.net server. According to the team, the repositories on GitHub, which were previously only mirrors, will become canonical.
Contributors will now have to be members of the PHP organization on GitHub, and accounts with the ability to make commits will be required to use two-factor authentication.
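The two malicious commits were accepted because git author fields are free-form text: anyone with push access can label a commit with a maintainer's name. As an added defender-side example (not code from the PHP project or from this article), the script below audits a git log export for exactly that pattern: commits whose author name matches a known maintainer but whose email is not on that maintainer's allowlist, or whose commit carries no good signature. The log lines, the email addresses and the TRUSTED_COMMITTERS table are constructed placeholders; the `--format` placeholders `%H`, `%an`, `%ae`, `%G?` and `%s` are standard git features.

```python
"""Audit a git log export for impersonated maintainer identities.

Produce the input with (constructed format, standard git placeholders):
    git log --format='%H|%an|%ae|%G?|%s' > log.txt
%G? is git's signature status: G = good signature, N = no signature,
B = bad signature, U/X/Y/R/E = other problems with the key or signature.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample, NOT real php-src history: the third line mimics a commit
# labelled with a maintainer's name but pushed from an untrusted email and unsigned,
# the fourth mimics an unsigned "revert" under a second maintainer's name.
SAMPLE_LOG = """\
a1b2c3d4|Nikita Popov|nikic@example.org|G|Fix #80000: genuine change
e5f6a7b8|Rasmus Lerdorf|rasmus@example.org|G|Update NEWS
c9d0e1f2|Rasmus Lerdorf|rasmus@attacker.invalid|N|Fix typo
0a1b2c3d|Nikita Popov|nikic@example.org|N|Revert "Fix typo"
"""

# Placeholder allowlist: maintainer display name -> emails that may use it.
TRUSTED_COMMITTERS: Dict[str, Set[str]] = {
    "Rasmus Lerdorf": {"rasmus@example.org"},
    "Nikita Popov": {"nikic@example.org"},
}


@dataclass(frozen=True)
class Finding:
    commit: str
    reason: str


def parse_log(text: str) -> List[dict]:
    """Split the pipe-delimited export into commit records.

    maxsplit=4 keeps any '|' that appears inside the subject line intact.
    """
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, name, email, sig, subject = line.split("|", 4)
        commits.append({"sha": sha, "name": name, "email": email,
                        "sig": sig, "subject": subject})
    return commits


def audit(commits: List[dict], trusted: Dict[str, Set[str]],
          require_signature: bool = True) -> List[Finding]:
    """Flag commits that borrow a trusted name with an unexpected email,
    and (optionally) commits that lack a good signature."""
    findings: List[Finding] = []
    for c in commits:
        allowed = trusted.get(c["name"])
        if allowed is not None and c["email"] not in allowed:
            findings.append(Finding(
                c["sha"],
                f"author name {c['name']!r} used with unexpected email {c['email']}"))
        if require_signature and c["sig"] != "G":
            findings.append(Finding(
                c["sha"], f"no good signature (status {c['sig']})"))
    return findings


def flagged_commits(findings: List[Finding]) -> List[str]:
    """Distinct commit ids that produced at least one finding, sorted."""
    return sorted({f.commit for f in findings})


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG), TRUSTED_COMMITTERS):
        print(f"{f.commit}: {f.reason}")
```

The email allowlist on its own is only a weak signal, since the author email is as freely chosen as the author name; the signature status and server-side authentication of the pushing account (such as the two-factor requirement described above) are what actually bind a commit to a person. In a real repository you would pipe the `git log` output above into `parse_log` and run the audit on every push or as a periodic check.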
According to current estimates, nearly 80 percent of the websites on the internet run on PHP. So far there are no reports of the malicious changes having caused damage to back-end systems.
HD Moore, CEO of the network discovery platform Rumble, said that the changes appear to have been made by people wanting to brag about their unauthorized access to the PHP Git server, since no serious damage was done.