Did you hear about the exploit yesterday?

The exploit happened on Sunday and was reported yesterday (Monday). Someone hacked into the source code server (the PHP team has their own “home grown” Git server) for PHP and was able to push some malicious code that would have given the attacker access to execute code on PHP servers. Luckily it was the source code itself and not an official release. That would have been devastating if it hadn’t been caught before an official release.

Here’s the link to the overview of what happened.

https://news-web.php.net/php.internals/113838

5 Likes

Interesting, good to see there are security reviews in place that allowed this to be caught so quickly.

It is not an uncommon way of trying to get a backdoor into a company. Instead of attacking the company itself, you try to get the backdoor into a piece of software you know they use and trust.

Not that many months ago another similar case was in the news; in that case it was even worse, as the hackers had the ability to modify the software for over a year. The client group for this software included many Fortune 500 companies, and also state departments in the US.

Wasn’t it last year, or two years ago, that one of the official node.js plugins for one of the blockchains had a similar breach? It sent the private key to a third party, allowing them to steal your funds.

In the end, this just goes to show that internal security control is important.
This includes the code/libraries you import into your codebase. While it is very convenient to use a third-party package, using it without reviewing it, or allowing it to automatically update the version, can open a can of worms if said package gets breached.

It is also not a bad idea to monitor the traffic on the servers, since that allows you to spot anything that is out of the normal. If a server that normally only receives traffic starts to send traffic, it should set off alarm bells.

3 Likes
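The monitoring idea in the post above (a host that normally only receives traffic suddenly sending outbound) can be reduced to a simple baseline comparison. The following is an added example, not code from the thread or from the PHP project: it parses constructed flow records in a hypothetical "timestamp src dst bytes" format, sums the bytes each internal host sends to addresses outside an assumed internal range, and flags hosts whose egress in the current window is non-zero but was zero in the baseline. The addresses, the 10.0.0.0/8 internal range and the 1 KiB threshold are assumptions for the sample.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic): "timestamp src dst bytes".
# In the baseline week, 10.0.0.10 only receives from outside and talks internally.
BASELINE_LOG = """\
2021-03-20T10:00:00 203.0.113.5 10.0.0.10 1200
2021-03-20T10:00:05 203.0.113.7 10.0.0.10 800
2021-03-20T10:01:00 10.0.0.10 10.0.0.20 300
2021-03-20T10:02:00 198.51.100.9 10.0.0.10 2500
"""

# In the current window the same host starts pushing data to an outside address.
TODAY_LOG = """\
2021-03-28T09:00:00 203.0.113.5 10.0.0.10 1100
2021-03-28T09:00:10 10.0.0.10 10.0.0.20 320
2021-03-28T09:00:30 10.0.0.10 192.0.2.44 90210
2021-03-28T09:01:00 10.0.0.10 192.0.2.44 65000
"""

# Assumed internal address space; traffic staying inside it is not egress.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def parse_flows(text):
    """Parse the hypothetical whitespace-separated flow format into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)))
    return flows


def egress_bytes_by_host(flows):
    """Sum bytes each internal host sends to destinations outside INTERNAL."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in flows:
        if src in INTERNAL and dst not in INTERNAL:
            totals[str(src)] += nbytes
    return dict(totals)


def detect_new_egress(baseline_flows, window_flows, min_bytes=1024):
    """Return (host, bytes_sent) for hosts with egress now but none in the baseline.

    The threshold filters out tiny bursts (e.g. a single DNS answer) so that
    only hosts moving a meaningful amount of data outward are reported.
    """
    baseline = egress_bytes_by_host(baseline_flows)
    current = egress_bytes_by_host(window_flows)
    alerts = []
    for host, sent in sorted(current.items()):
        if baseline.get(host, 0) == 0 and sent >= min_bytes:
            alerts.append((host, sent))
    return alerts


if __name__ == "__main__":
    for host, sent in detect_new_egress(parse_flows(BASELINE_LOG), parse_flows(TODAY_LOG)):
        print(f"ALERT: {host} sent {sent} bytes outbound but had no egress in the baseline")
```

In practice the baseline would be built from a longer history and the window from the last few minutes of flow export, and the alert would also carry the destination so an analyst can check whether it is a known update mirror or something new.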

PHP updates on hold:

https://www.php.net/archive/2021.php#2021-03-30-1

Another case that just happened, where the code was compromised, and automatically sent to the customers who had auto-update turned on.

Considering the software breached is an Enterprise Password Storage solution, I would expect that a lot of sensitive information has been leaked.

1 Like
