PHP language backdoor | Kaspersky official blog

Unknown attackers recently attempted to carry out a large-scale supply-chain attack by introducing malicious code into the official PHP Git repository. If the developers hadn’t noticed the backdoor in time, it could have ended up on many Web servers and led to the largest supply-chain attack in history.

What happened with PHP

The programmers who develop the PHP language make changes to the code using a common repository built on the Git version control system. After they implement their additions, the code goes through another review. During a routine check, a developer noticed a suspicious addition that was marked in the comments as a typo correction and added in the name of Nikita Popov, an active PHP developer. Closer examination revealed that it was a backdoor. Popov had authored no such change.

Further verification showed that another, similar addition had been uploaded to the repository, this time attributed to Rasmus Lerdorf. Vigilant programmers noticed within hours, so the upcoming PHP 8.1 update (with an anticipated release by the end of the year) will not include the backdoor.

Why the code change was dangerous

A backdoor in the repository could allow attackers to remotely run malicious code on a Web server using the compromised version of PHP. Despite some loss of popularity, PHP remains the most widely used scripting language for Web content, in use by about 80% of Web servers. Although not all administrators update their tools promptly, a fair number keep their servers up to date to comply with internal or external security regulations. If the backdoor had made it into the new version of PHP, it would most likely have spread across the Web servers of many companies.

How the attackers introduced the backdoor

Experts are certain the attack was the result of a vulnerability in the internal Git server, not an issue of compromised developer accounts. In fact, the risk of someone attributing a change to another user has been known for a long time, and after this incident, the PHP support team stopped using the git.php.net server and moved to the repository on GitHub (which was previously just a mirror).

How to stay safe

Development environments are attractive targets for cybercriminals. Once they’ve compromised the code of a software product that customers trust, they can reach multiple targets at once through a supply-chain attack. Millions of users around the world use the most popular projects, so protecting them from outside machinations is especially important.

  • Regularly double-check every code change, even ones supposedly made by eminent and trustworthy programmers;
  • Monitor the security of servers and services used for development;
  • Use specialized online platforms to train employees to detect modern cyberthreats.
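
Git records the author name and e-mail exactly as supplied by whoever creates a commit, so only a verified cryptographic signature ties a change to a person's key. The sketch below is an added example (not code from the PHP project or from this article) that supports the first recommendation: it flags commits that are unsigned or whose author differs from the committer. The function names, sample names and addresses are assumptions made for illustration.

```python
import subprocess

# git log placeholders: %H hash, %G? signature status, %an/%ae author, %cn/%ce committer
LOG_FORMAT = "%H%x09%G?%x09%an%x09%ae%x09%cn%x09%ce"

# Meaning of the %G? codes, as listed in the git-log documentation
SIG_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature cannot be checked",
    "N": "no signature",
}

def audit(log_text):
    """Return (short_hash, author, reasons) for every commit that needs review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        commit, sig, an, ae, cn, ce = line.split("\t")
        reasons = []
        if sig != "G":  # anything but a fully verified signature is flagged
            reasons.append(SIG_STATUS.get(sig, "unknown status " + sig))
        if (an, ae) != (cn, ce):  # review hint only: also true for applied patches
            reasons.append("author differs from committer " + cn)
        if reasons:
            findings.append((commit[:12], an, reasons))
    return findings

def audit_repo(path, rev_range="HEAD"):
    """Run the same audit on a real repository (needs git and the signers' keys)."""
    out = subprocess.run(
        ["git", "-C", path, "log", "--format=" + LOG_FORMAT, rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit(out)

# Constructed sample output; hashes, names and addresses are placeholders
SAMPLE = "\n".join([
    "a" * 40 + "\tG\tAlice Dev\talice@example.org\tAlice Dev\talice@example.org",
    "b" * 40 + "\tN\tAlice Dev\talice@example.org\tAlice Dev\talice@example.org",
    "c" * 40 + "\tN\tBob Maintainer\tbob@example.org\tMallory\tmallory@example.net",
])

if __name__ == "__main__":
    for commit, author, reasons in audit(SAMPLE):
        print(commit, author, "; ".join(reasons))
```

A differing author and committer is normal for cherry-picked or applied patches, so treat that flag as a prompt for review rather than proof of tampering.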