Episode 111: PHP Git Repository Compromised

The self-hosted Git repository for PHP was compromised, with attackers adding a backdoor to a development version of PHP 8.1. The intrusion was detected quickly by the PHP community, and no production environments were affected. Ubiquiti experienced an intrusion in January that was far worse than originally reported; attackers gained access to nearly all of the AWS assets of a company that has shipped 85 million IoT devices. Some OpenSSL vulnerabilities were recently patched, and two new vulnerabilities in Linux-based operating systems could let attackers circumvent Spectre mitigations to obtain sensitive information from kernel memory.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:22 PHP Compromised: What WordPress Users Need to Know
5:11 Whistleblower: Ubiquiti Breach “Catastrophic”
8:44 OpenSSL fixes high-severity flaw that allows hackers to crash servers
10:38 New Bugs Could Let Hackers Bypass Spectre Attack Mitigations On Linux Systems
12:40 Defiant is hiring!
12:55 Barista to World Class Threat Researcher: Chloe’s Journey at Wordfence

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 111 Transcript

Ram:
Welcome to Think Like a Hacker, the podcast about WordPress, security and innovation. I am Ram Gall, Threat Analyst at Wordfence and with me is Director of Marketing Kathy Zant. Kathy, how are you?

Kathy:
Things are going really well. Doing well over here. Wow, we’ve had a busy week haven’t we?

Ram:
Oh boy, yes we have. I mean, first that PHP thing.

Kathy:
Yeah. Welcome to Monday morning. PHP is compromised. That was a… what a wake up call.

Ram:
Every day is Monday or Tuesday.

Kathy:
It was crazy. So Chloe jumped on this first thing on Monday morning, she noticed that there was a rumor in the news. It was super early, but we immediately started to take a look at what was happening with the PHP git repository that they hosted themselves. And this apparently had a compromise over the weekend. And we wanted to look at what WordPress users needed to know. So we posted a blog post on Monday about this. Ram what do you know about what happened with this self-hosted repository?

Ram:
There’s a few things of note, one of them is that the changes were made to a development branch.

Kathy:
Okay. And this was for PHP version 8?

Ram:
8.1, I want to say, it hasn’t actually been released yet. No production web servers should be using this at all. So the good news is this shouldn’t really impact any WordPress customers, unless you’re the sort of person who like automatically downloads and compiles and runs the bleeding edge dev version of PHP. Because you like to live on the edge and there’s maybe two people out there that do that for the production systems, if that so-

Kathy:
Yeah. Well, I like to live on the edge for some things, but PHP version 8 is not one of those things.

Ram:
Yeah. And I mean, there’s a few other interesting things. They caught it real fast. It looks like the attackers tried to point the finger at a company that buys zero-days, Zerodium.

Kathy:
Zerodium?

Ram:
Yeah. But Zerodium has denied any involvement.

Kathy:
Right. And it looks like the CEO of Zerodium released a statement on Twitter, basically saying, “Cheers to the troll who put Zerodium in today’s PHP git compromised commits,” and said that the researcher who found the exploit was probably trying to sell it to entities, but none wanted it. So he decided to just burn it for fun. So what exactly did they do to the PHP git repo?

Ram:
They basically added a back door that would have run on every site running PHP, if it had actually made it to a production version, where if you added a user agent that started with Zerodium, you could then send commands to that server. It was really simple. It was fairly elegant. It was also glaringly obvious. I think that, otherwise I might think that the Zerodium CEO was protesting a little bit too much, but I think in this case he was probably offended that it was so amateurish.

Kathy:
Yeah.

Ram:
With that said, PHP has denied that it was due to an exploited or user account takeover compromised credentials, which means that… And again this Zerodium CEO did imply that someone actually burned an exploit. So this is a little troubling because it means that there’s an exploit or a zero-day vulnerability out there, floating around for self-hosted Git, that is kind of the implication of this. The PHP organization decided to migrate to GitHub, which is centralized. So when we think of Git, we usually think of GitHub, at least if you’re fairly new to this, but Git was originally intended to be a decentralized source code repository system. It looks like there is kind of an implication that there is, or was, some kind of vulnerability in git itself that was used to exploit this, although I don’t know if it’s patched yet.

Kathy:
The PHP group is moving to GitHub and they’re taking some additional steps in order to secure their repo on GitHub. What, now as a WordPress user, this particular exploit means nothing to me. Should I worry about what this means for WordPress and PHP going forward?

Ram:
Probably not. PHP is actually taking steps to make their organization and their source code more secure. So I think the likelihood of something like this happening in the future for PHP is actually lower than it would have been had it not happened.

Kathy:
When I talked about evaluating plugins at various WordCamps and whatnot. One of the things that I’ve always said to WordCamp attendees is that one of the great things about WordPress is that it’s an open source system. It’s an open source community. So if there is ever a problem with anything in the repo, it gets noticed pretty quickly, and the same thing happened here. It seems the open source community aspect of WordPress and what keeps WordPress safe and all of these eyes on the source code, it also applies to PHP.

Ram:
Yeah. I mean, in this case, Nikita Popov, one of the main contributors to the project, was incredibly transparent and basically let everyone know that they noticed it immediately after it happened. This is the kind of thing that’s laudable, and that’s one of the great things about open source. When we see something, we say something as far as malicious code is concerned, unlike a certain other company … That was-

Kathy:
Another one of your great segues, Ram.

Ram:
Yes. Unlike a certain other company that was breached in January. This was kind of overshadowed by SolarWinds because everyone was talking about nothing but SolarWinds at the time. Because it was the big thing. But apparently Ubiquiti got breached in January, the company that makes the mesh routers and smart devices. I used to work in an office that used Ubiquiti routers, and I know people that have Ubiquiti home routers.

Kathy:
Yeah. And just looking at our notes, it looks like there’s over 85 million Ubiquiti devices out there.

Ram:
Yeah. Anyways, they had a data breach in January, and they claimed it involved customer credentials being stolen and they blamed it on a third-party vendor. But now a whistleblower has come forward saying that the attacker actually gained admin access to their servers on AWS, according to Krebs on Security. So the informant says the attackers had access to privileged credentials that were stored in a Ubiquiti employee’s LastPass account. So they gained root administrator access to all of Ubiquiti’s AWS accounts, including all the data buckets and S3, all the application logs, all the databases, all the database credentials, all the secrets required to impersonate people’s sign-ons, literally everything. It would have given the attackers the ability to probably compromise all of the routers and smart devices that allowed remote access, which I believe was on by default. So that would be most of them.

Kathy:
That is absolutely insane. Wow! So what do we know about what happened with the Ubiquiti devices?

Ram:
We still don’t actually know much about the intrusion vector other than attackers gaining access to the LastPass account. There’s a bunch of ways that could have happened if they, for instance, used the same password as their master LastPass password as had been in a separate data breach. That is the thing about data breaches, that they tend to get chained.

Kathy:
Yes, exactly. And it looks like the intruders, according to the Krebs article, intruders responded by sending a message saying they wanted 50 Bitcoin, which changes in value every other minute, but-

Ram:
But it’s a lot, no matter what minute it is. I mean, that’s a lot of Bitcoins.

Kathy:
At the time of this publication and reading Krebs, it’s 2.8 million US dollars in exchange for remaining quiet about this particular breach. So a very scary breach indeed. Huh?

Ram:
Yeah, I guess Ubiquiti didn’t pay up. And yet, despite their breach disclosure, their stock price still surged after the disclosure. Though, I guess it had dropped a little bit after this news came out, though it’s unclear whether or not that’s just because of the general decline in tech stock prices or because of the… “Hey, these guys were not actually transparent about what happened,” which is honestly more concerning. It is kind of obvious that companies are not getting punished as much as they used to be for letting people know that they’ve had a breach. I mean, we’ve talked about this in the past about how you know a lot of plugins are concerned about what happens to their install count after we disclose the vulnerability in them. But everyone recovers pretty quickly in it. Even if you’re not transparent about it, but you really should be transparent about it, please be transparent about it.

Kathy:
The security researchers would really like you to be transparent about it. What do we know about OpenSSL? It looks like they had some high severity flaw that allowed hackers to crash servers.

Ram:
There’s actually two different vulnerabilities. One of them is a lot more troubling in practice, and one of them is much more scary in theory, but probably harder to pull off. So one of them basically was a denial of service attack. You could basically connect to a server running a vulnerable version and then renegotiate the connection. When you send the renegotiation requests, you can sort of remove something that the other server’s expecting, a critical piece of information. So it’s like, “Hey, I want to renegotiate this request, but I’m going to leave out this thing you’re expecting.” And that was enough to crash the server. The other one was a little bit scarier though less likely to be exploited in the real world for a bunch of reasons. Number one, and that’s that it could only be exploited if the client actually had strict checking enabled.

Ram:
So, if they did, if you’re sending a request to a server and you have strict checking enabled, it can fool you into thinking that it’s got a certificate for a different domain or a different organization. It can pretend to be another site than it actually is. Most of the time, this isn’t really a big deal because you’d still have to check the domain and all that. But in theory, it’s scary just because half of the promise of SSL/TLS certificates is that someone, a certificate authority has vouched for the identity of the site. Even if it’s Let’s Encrypt is vouching that yes, the person who has the certificate has control of the domain. We know because we added this record that we checked on their domain.

Kathy:
So OpenSSL version 1.1.1h and newer are vulnerable and you should update to 1.1.1k as soon as possible. So, that will keep your server safe. It looks like Spectre, not Meltdown, but Spectre is back in the news. What’s going on here?

Ram:
Just sort of a recap, this is from like 2018, but you could extract sensitive data from a computer basically by listening to the kind of stuff it was guessing. It tried to save time by sort of guessing what would come next and you could kind of extract stuff like encryption keys from that. Anyways, eventually chip manufacturers and operating systems released a bunch of patches. And you remember how that made everything like 20% slower?

Kathy:
It did. I remember.

Ram:
Turns out that you can get around those patches.

Kathy:
Oh boy.

Ram:
Yeah. That’s the bad news. And it’s kind of weird because literally just last week, Google came out with a proof of concept that would let you exploit Spectre in the browser, if you are on an unpatched computer. This is something that… This is a real, for real world threat. The good news is that it still took Google two years to come out with a realistic proof of concept. So most of the people using any of these workarounds or exploits are probably going to be nation states or at least APTs. You personally are probably not going to suffer from this, but it still kind of goes to show that there’s no such thing as perfect security.

Kathy:
No such thing as perfect security at all. But this is definitely very interesting for security researchers, probably not going to affect any WordPress sites out there, but because WordPress sites are running on servers that are using chips to operate, this does have an effect. So we will have links-

Ram:
And people who visit WordPress sites are also running on chips that are maybe vulnerable to this.

Kathy:
Chips are everywhere.

Ram:
Chips are everywhere. I just ate some for breakfast.

Kathy:
The American kind or the British kind?

Ram:
Tortilla.

Kathy:
The Arizona kind. I got it.

Ram:
The Arizona kind. Yeah.

Kathy:
Got it. Okay, excellent. So Wordfence is still hiring. We still have a few open positions. As a reminder, we have a $500 gift card if you refer a successful candidate to us who joins our team; we will have links to that in our show notes. We also had a video come out this week from a recent Wordfence Live episode where Chloe talked about sort of how she started here at Wordfence and how she became the world-class threat researcher that she is today, sort of an interesting career journey, but we’ve all kind of had those here at Wordfence, haven’t we? Ram?

Ram:
There’s this like mysterious thing where people who’ve worked in coffee shops are really good at threat response.

Kathy:
Yes. You worked in a coffee shop, didn’t you?

Ram:
Yes, I did.

Kathy:
Yeah. And you’re good at threat response. So. Hey.

Ram:
Hey.

Kathy:
So, take a look at Chloe’s video and if you know of anybody who would like to join our team, definitely send them to our employment listings-

Ram:
Especially if they’ve worked in coffee shops at some point in the past.

Kathy:
Exactly. Yes, because we do have coffee machines now that we need to learn.

Ram:
Yes, I did actually get my Moccamaster and it’s in pistachio! It is amazing. The coffee is brilliant. So, I am way more caffeinated than I was at the same time last week.

Kathy:
Excellent. Great. Well, thanks for joining me and bringing all of your caffeination this week, Ram. It’s always good to talk to you about what’s happening in security news.

Ram:
Yep. Thanks. And bye.

Kathy:
Bye. We’ll talk to you next week.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 111: PHP Git Repository Compromised appeared first on Wordfence.
