Hackers Tried To Backdoor Code Used by 80% of All Websites

Unknown attackers tried to compromise the source code of the PHP programming language in what would have been a dangerous supply chain hack.
March 29, 2021, 3:06pm

UPDATE, April 8, 10:21 p.m. ET: Popov wrote in a mailing list message on April 6 that he and his colleagues now believe the hackers may have compromised the PHP user database, rather than the server used to develop PHP’s code.

“We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked,” Popov wrote.


The original story follows below.


Hackers broke into the internal code repository of the PHP programming language and tried to backdoor the source code in a brazen attempt to hack the internet's supply chain. 

PHP is used to program the servers behind almost 80 percent of websites on the internet, which means that this attack, if it had gone undetected, could have given the hackers the ability to take control of thousands of sites. 

One of the PHP core developers disclosed the breach on the programming language's official mailing list on Sunday night, and the news was first reported by Bleeping Computer.

The hackers uploaded two pieces of malicious code as part of a commit to the PHP code base using the names of two core PHP developers, Rasmus Lerdorf and Nikita Popov, the developer who disclosed the breach. 

"We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account)," Popov wrote. 
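The forged commits carried trusted maintainers' names but no signature those maintainers would have produced. As an added example (not from the article or the PHP project), this script parses constructed `git log` output and flags commits that claim a trusted identity without a good signature; the maintainer addresses and commit hashes are placeholders.

```python
# Added example, not part of the article: audit git log output for commits
# that are attributed to a trusted maintainer but lack a verified signature.
from dataclasses import dataclass

# Constructed maintainer list; the e-mail addresses are placeholders.
TRUSTED_AUTHORS = {
    "rasmus@example.org": "Rasmus Lerdorf",
    "nikic@example.org": "Nikita Popov",
}

# git's %G? placeholder reports "G" for a good signature by a trusted key;
# anything else (N = none, B = bad, U = untrusted key, E = cannot check) is not.
GOOD_SIGNATURE = {"G"}


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str


def parse_log(text: str) -> list:
    """Parse output of: git log --format='%H%x09%an%x09%ae%x09%G?' (tab-separated)."""
    commits = []
    for line in text.strip().splitlines():
        sha, name, email, status = line.split("\t")
        commits.append(Commit(sha, name, email, status))
    return commits


def suspicious_commits(commits):
    """Return commits that claim a trusted maintainer identity without a good signature."""
    trusted_names = set(TRUSTED_AUTHORS.values())
    flagged = []
    for c in commits:
        claims_trusted = c.author_email in TRUSTED_AUTHORS or c.author_name in trusted_names
        if claims_trusted and c.sig_status not in GOOD_SIGNATURE:
            flagged.append(c)
    return flagged


# Constructed sample log: one properly signed commit, two forged-looking ones,
# and one from an outside contributor who is not expected to sign.
SAMPLE_LOG = (
    "a1b2c3d\tNikita Popov\tnikic@example.org\tG\n"
    "b2c3d4e\tRasmus Lerdorf\trasmus@example.org\tN\n"
    "c3d4e5f\tNikita Popov\tnikic@example.org\tB\n"
    "d4e5f6a\tSome Contributor\tdev@example.net\tN\n"
)

if __name__ == "__main__":
    for c in suspicious_commits(parse_log(SAMPLE_LOG)):
        print(f"{c.sha}: claims {c.author_name} <{c.author_email}>, signature status {c.sig_status}")
```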


Popov also announced that the PHP project would now move to GitHub rather than use its own internal code repository.

"We have decided that maintaining our own git infrastructure is an unnecessary security risk," he added in the breach announcement. 


As cybersecurity expert Martijn Grooten pointed out on Twitter, this may be one of the key takeaways from this failed supply chain attack.

"Running your own stuff in 2021 is hard," he wrote.

The malicious code mentioned Zerodium, a notorious broker of zero-days. It's unclear why the hackers included the company's name in the malicious code, but according to Zerodium's founder and CEO, this was just a joke.


"Cheers to the troll who put 'Zerodium' in today's PHP git compromised commits. Obviously, we have nothing to do with this," Chaouki Bekrar wrote on Twitter. "Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun." 

Popov wrote that the investigation into this breach "is still underway" and that developers are checking that the hackers didn't make any other malicious changes. 

Motherboard reached out to Popov asking for comment, and we will update this story when he gets back to us. 
