PHP Git Breached – 2 Commits Under Developers Name’s Infected - Binary Defense

Threat Watch

Threat Watch PHP Git Breached – 2 Commits Under Developers Name’s Infected

PHP Git Breached – 2 Commits Under Developers Name’s Infected

On Sunday PHP developers released a blog post announcing compromise of their Git repository and source infected. In light of this breach the developers have decided to move maintenance to GitHub proper and no longer maintain their own infrastructure at https://git.php.net for security and ease of use. While investigation is still underway it should be noted 2 commits are poisoned and not PHP entirely. Nikita Popov commented that within a few hours the malicious code was observed and reverted immediately.

“Yesterday (2021-03-28) two malicious commits were pushed to the php-src

repo [1] from the names of Rasmus Lerdorf and myself. We don’t yet know how

exactly this happened, but everything points towards a compromise of the

git.php.net server (rather than a compromise of an individual git account).” – Nikita Popov – PHP Internals

PHP is reportedly in 79% of backend website/server code available today and the code injected placed a Remote Code Execution backdoor within a few lines of code available for review on GitHub. Developer by the username “JABirchall” was quick to affirm “This line executes PHP code from within the useragent HTTP header, if the string starts with ‘zerodium’” referring to lines 367-370.

ANALYST NOTES

This is a familiar vector if we recall the recent SolarWinds attack. Supply Chain compromise tampering with the code base is a very effective tactic especially within closed source software as demonstrated earlier this year with the SolarWinds Orion attack. With this PHP compromise the open-source community and developers were able to quickly identify the compromise to alert the maintain developers and remedy the situation. Though stated, it was within a few hours, which is plenty of time to pull a commit unwittingly and run software poisoned. With active review of code pulled from source updated, certain issues such as this being Free and Open-Source, are identifiable by Threat Intelligence and Threat Hunt teams and as a result will save man hours working investigation and remediation. This is a monumental task in large enterprise, local, and Federal government operations and can be supported by third party teams easing the burden on internal teams. As a supplement to the team bringing additional experience and proven process Binary Defense offer’s a solution well recognized within the industry.

Commits Affected:
https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d

https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a

https://news-web.php.net/php.internals/113838