On Sunday evening the PHP team reported that someone had tried to insert a backdoor into the popular project. They tried to sneak in two malicious commits, but alert devs thwarted the attempts. It's not clear who wanted to do this.
What is PHP?
This makes the PHP project, which makes the server interpreter that runs this software, an important scalp. Its wider usage dwarfs that of SolarWinds, which unknown hackers leveraged last year to carry out extensive breaches of US government servers and those of a host of other companies.
If a hacker manages to sneak malicious code into the PHP interpreter, the world becomes their oyster; the damage they could do is incalculable. They would be able to get into pretty much any network on earth, including big companies like Apple and Google. Such a coup would be worth billions, possibly more.
How the breach happened
It's not clear how this happened, but those who run the PHP project suspect the hackers got in by compromising the server on which the PHP project is hosted. They then attempted to sneak in their malicious code by impersonating respected members of the PHP contributor community and disguising their commits as minor "typo" fixes.
The PHP project had been using its own private server to host the project, but after the breach they decided to switch to Microsoft-owned GitHub. They already use a piece of software known as Git to keep track of changes made to PHP, so the switch to GitHub will have minimal impact on day-to-day work but will enhance security.
FOSS vigilance killed the breach in its crib
PHP is Free and Open Source Software that is widely developed and reviewed, so it's unlikely this breach was ever going to work, and it seems whoever did this suspected as much but tried anyway. The malicious code was not even disguised; maybe somebody just wanted to see how long it would take people to spot it.
However, even such unsophisticated breaches can be leveraged to do widespread damage, as the SolarWinds attack illustrated. It's possible that a badly secured server was easily breached as part of the attack vector. In the end, substantial damage was done.
In this case the attack took place in public view, so there was slim chance of the attacker getting away with it. Using Git you can easily tell which lines of code have been added, changed or deleted, and not even trusted members of the community can circumvent that. What if one of them were paid by a malicious actor to sneak in a backdoor? Paranoia drives the FOSS community, and the feeble commit was rolled back quickly. The malicious actor then attempted to reintroduce the backdoor.
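As an added illustration of the review step described above (not code from the article or from the PHP project), here is a small Python script that parses a unified diff of the kind `git show` or `git diff` prints, counts the added and removed lines per file, and flags a commit whose message claims a "typo" fix while its diff quietly adds new code lines. The commit message, the diff, the file and function names (`example_handler`, `example_extra_step`) and the one-code-line threshold are all constructed assumptions for the example; none of it is the actual malicious commit.

```python
"""Added example: check a commit's diff against what its message claims.

A commit described as a "typo fix" should change a few characters, not add
new code paths. This parser walks a unified diff, tallies added/removed
lines per file, and keeps the added lines that are real code (not blank,
not a comment). The review step then flags a mismatch between a trivial-
sounding message and a non-trivial diff. All input below is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a message that claims a typo fix, paired with a diff
# that adds a new conditional block to a C file. Hypothetical names only.
SAMPLE_MESSAGE = "Fix typo"
SAMPLE_DIFF = """\
diff --git a/ext/example/example.c b/ext/example/example.c
--- a/ext/example/example.c
+++ b/ext/example/example.c
@@ -10,5 +10,9 @@ static int example_handler(const char *input)
 {
     int rc = 0;
+    /* hypothetical extra behaviour hidden under a typo fix */
+    if (input != NULL) {
+        rc = example_extra_step(input);
+    }
-    /* proccess the request */
+    /* process the request */
     return rc;
 }
"""

# Constructed sample of an honest typo fix for comparison.
CLEAN_MESSAGE = "Fix typo in README"
CLEAN_DIFF = """\
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
 # Example
-Instal with composer.
+Install with composer.
 Done.
"""

# Words that signal the author is presenting the change as trivial.
TRIVIAL_WORDS = re.compile(r"\b(typo|spelling|whitespace|comment)\b", re.IGNORECASE)
# Assumption: a genuine typo fix adds at most one line of real code.
MAX_CODE_LINES_FOR_TRIVIAL = 1


@dataclass
class FileStats:
    path: str
    added: int = 0
    removed: int = 0
    added_code: list = field(default_factory=list)  # added lines that are code


def _is_comment(body: str) -> bool:
    """Treat C, C++ and shell-style comment lines as non-code."""
    return body.startswith(("/*", "*", "//", "#"))


def parse_unified_diff(diff_text: str) -> list:
    """Return per-file line counts from a unified diff."""
    files = {}
    current = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            # New-file header; strip git's "b/" prefix. Header checks come
            # before the generic "+"/"-" checks so they are not miscounted.
            path = line[4:].strip()
            current = files.setdefault(path[2:] if path.startswith("b/") else path,
                                       FileStats(path[2:] if path.startswith("b/") else path))
        elif line.startswith(("--- ", "diff ", "@@")):
            continue
        elif current is not None and line.startswith("+"):
            current.added += 1
            body = line[1:].strip()
            if body and not _is_comment(body):
                current.added_code.append(body)
        elif current is not None and line.startswith("-"):
            current.removed += 1
    return list(files.values())


def review(message: str, diff_text: str) -> list:
    """Return human-readable findings; empty list means nothing suspicious."""
    findings = []
    claims_trivial = bool(TRIVIAL_WORDS.search(message))
    for fs in parse_unified_diff(diff_text):
        if claims_trivial and len(fs.added_code) > MAX_CODE_LINES_FOR_TRIVIAL:
            findings.append(
                f"{fs.path}: message claims a trivial fix but "
                f"{len(fs.added_code)} code lines were added (+{fs.added}/-{fs.removed})"
            )
    return findings


if __name__ == "__main__":
    for msg, diff in ((SAMPLE_MESSAGE, SAMPLE_DIFF), (CLEAN_MESSAGE, CLEAN_DIFF)):
        print(f"{msg!r}: {review(msg, diff) or 'no findings'}")
```

The heuristic is deliberately simple: it does not try to judge what the added code does, only whether the size and kind of the change match the story the commit message tells, which is exactly the cue a human reviewer picks up on when a "typo" commit turns out to add logic.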
Nothing to worry about
Ultimately the attack ended before it even began, if we can even call it an attack. However, the whole incident highlights the value of FOSS. It also shows that you need to be vigilant about every piece of software you deploy as an organization: every mundane thing you install can be turned into a weapon.
You need to guard your security jealously and make sure you do your own audits. Just because something is popular doesn't mean it's safe. It actually means it's a potential target, and a very valuable one.