Mar 29 2021

Hackers breached the PHP ‘s Git Server and inserted a backdoor in the source code

Category: BackdoorDISC @ 9:04 am

Threat actors hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a backdoor into the source code.

Unknown attackers hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a backdoor into the source code.

On March 28, the attackers pushed two commits to the “php-src” repository hosted on the server, they used the accounts of Rasmus Lerdorf, the PHP’s author, and Jetbrains developer Nikita Popov.

Maintainers of the project are investigating the supply chain attacks, experts believe attackers have compromised the server.

“We don’t yet know how exactly this happened, but everything points towards a compromise of the server (rather than a compromise of an individual git account).” wrote Popov. “While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to”

The maintainers of the PHP reverted the changes and are reviewing the repositories to detect any other evidence of compromise beyond the two referenced commits.

In the future, in order to access the repositories, users will now need to be part of the php organization on GitHub and their account will have 2FA enabled. Adopting this new configuration it is possible to merge pull requests directly from the GitHub web interface.

At this time, it is not immediately clear if the backdoor was downloaded and distributed by other parties before the malicious commits were detected.

Tags: Backdoor, Git Server, rootkits

Dec 21 2020

SUPERNOVA, a backdoor found while investigating SolarWinds hack

Category: HackingDISC @ 5:48 pm

While investigating the recent SolarWinds Orion supply-chain attack security researchers discovered another backdoor, tracked SUPERNOVA.

The investigation of the SolarWinds Orion supply-chain attack revealed the existence of another backdoor that was likely used by a separate threat actor.

After the initial disclosure of the SolarWinds attack, several teams of researchers mentioned the existence of two second-stage payloads.

Security experts from Symantec, Palo Alto Networks, and Guidepoint reported that threat actors behind the SolarWinds attack were also planting a .NET web shell dubbed Supernova.

Researchers from Palo Alto Networks revealed that the malicious code is a tainted version of the legitimate .NET library “app_web_logoimagehandler.ashx.b6031896.dll” included in the SolarWinds Orion software.

“In the analysis of the trojanized Orion artifacts, the .NET .dll app_web_logoimagehandler.ashx.b6031896.dll was dubbed SUPERNOVA, but little detail of its operation has been publicly explored.” reads the analysis published by Palo Alto Networks.

“SUPERNOVA differs dramatically in that it takes a valid .NET program as a parameter. The .NET class, method, arguments and code data are compiled and executed in-memory. There are no additional forensic artifacts written to disk, unlike low-level webshell stagers, and there is no need for additional network callbacks other than the initial C2 request. In other words, the SolarStorm attackers have constructed a stealthy and full-fledged .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network.”

Source: SUPERNOVA, a backdoor found while investigating SolarWinds hack

Learning about .NET Malware by Going Over the SUNBURST SolarWinds Backdoor

Tags: Backdoor, SolarWinds hack, SUPERNOVA

Aug 31 2020

Hackers are backdooring QNAP NAS devices with 3-year old RCE bug

Category: Hacking,MalwareDISC @ 3:58 pm

Hackers are scanning for vulnerable network-attached storage (NAS) devices running multiple QNAP firmware versions, trying to exploit a remote code execution (RCE) vulnerability addressed by QNAP in a previous release.

Source: Hackers are backdooring QNAP NAS devices with 3-year old RCE bug

CISA says 62,000 QNAP NAS devices have been infected with the QSnatch malwareQSnatch malware, first spotted in late 2019, has grown from 7,000 bots to more than 62,000, according to a joint US CISA and UK NCSC security alert.

QSnatch And How To Protect Your QNAP NAS From Online Intruders

QNAP urges users to update Malware Remover after QSnatch alert

Tags: Backdoor, backdooring