On Sunday, March 28th, 2021, members of the PHP team identified malicious commits to the PHP interpreter's repository. The commits had been pushed under legitimate developer identities that had been compromised, and the git.php.net server itself was reported compromised as well.
One of the features in the Apiiro Code Risk PlatformTM is the ability to detect and prevent malicious commits to code repositories using UEBA (user and entity behavior analytics) and anomaly-detection technologies (patent-pending). This capability is based on machine learning and artificial intelligence algorithms that analyze the behavior of different entities in the organization (e.g., code components, security controls, data types, contributors' knowledge, organizational behavior, repositories, projects and more).
The algorithms extract dozens of domain-oriented features (logical, contextual, and time-series) to build a multi-dimensional characterization of each entity. Several sources feed the feature extraction. For example, both the metadata and the content of historical commits, pull requests, and tickets are analyzed, and their numerical, time-series and textual features are extracted. Another source is the cross-repository code analysis produced by our own platform. Once the features are extracted and enriched with our domain expertise, Apiiro builds and trains an adaptive behavioral model in real time.
In addition to an individual model for each entity in the organization, Apiiro's algorithms train higher-level models that are used to strengthen the confidence of detected events. This way we achieve a high detection rate for malicious activity while lowering false detections of irrelevant anomalies. For example, comparing a developer's behavior to that of their peer group can shed light on whether an individual's activity is legitimate: an anomaly relative to the developer's own history that is normal for their peers is far less suspicious than one that is unusual for both.
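To make the "own model plus peer-group model" idea above concrete, here is an added example (written for this page, not Apiiro's code, whose models are not public). It builds a per-developer baseline and a peer-group baseline from commit metadata only (commit hour and code area touched), then scores a new commit against both. The developer names, timestamps, file paths, feature weights and the 0.7 threshold are assumptions made here for illustration; a real system would add content and time-series features on top.

```python
"""
Added example (not Apiiro's code): a transparent stand-in for per-developer
and peer-group behavioral baselines over commit metadata.
"""
from collections import Counter
from datetime import datetime


def commits(author, hours, files):
    """Build constructed history: one commit per hour listed, cycling over files."""
    return [{"author": author,
             "ts": f"2021-03-{10 + i:02d}T{h:02d}:00:00+00:00",
             "files": [files[i % len(files)]]}
            for i, h in enumerate(hours)]


# Constructed sample history (assumed data, not real php-src activity).
HISTORY = (commits("alice", [9, 10, 11, 13, 14, 15, 16, 17], ["Zend/zend_vm.c", "main/main.c"])
           + commits("bob", [8, 9, 10, 12, 14, 16], ["ext/standard/string.c", "ext/zlib/zlib.c"])
           + commits("carol", [13, 15, 18, 20, 22], ["sapi/cli/php_cli.c", "ext/zlib/zlib.c"]))


def hour_of(ts):
    return datetime.fromisoformat(ts).hour


def circ_dist(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def area_of(path):
    """Code area of a path: up to two leading directories, e.g. ext/zlib/zlib.c -> ext/zlib."""
    return "/".join(path.split("/")[:-1][:2])


def profile(history):
    """Baseline for one entity (a developer or a peer group): hours seen and areas touched."""
    return {"hours": [hour_of(c["ts"]) for c in history],
            "areas": Counter(area_of(p) for c in history for p in c["files"])}


def hour_rarity(hour, hours, window=2):
    """1.0 means the entity has never committed within +/-window hours of `hour`."""
    if not hours:
        return 1.0
    near = sum(1 for h in hours if circ_dist(h, hour) <= window)
    return 1.0 - near / len(hours)


def area_novelty(files, areas):
    """Fraction of the touched code areas the entity has never touched before."""
    touched = {area_of(p) for p in files}
    return sum(1 for a in touched if a not in areas) / len(touched) if touched else 0.0


# Assumed weights: the developer's own model dominates; the peer model adjusts
# confidence, so an anomaly shared with peers counts for less.
WEIGHTS = {"own_hour": 0.4, "peer_hour": 0.2, "own_area": 0.3, "peer_area": 0.1}


def score_commit(commit, history):
    """Return (score in [0, 1], per-feature values) for a candidate commit."""
    own = profile([c for c in history if c["author"] == commit["author"]])
    peers = profile([c for c in history if c["author"] != commit["author"]])
    h = hour_of(commit["ts"])
    feats = {"own_hour": hour_rarity(h, own["hours"]),
             "peer_hour": hour_rarity(h, peers["hours"]),
             "own_area": area_novelty(commit["files"], own["areas"]),
             "peer_area": area_novelty(commit["files"], peers["areas"])}
    return round(sum(WEIGHTS[k] * v for k, v in feats.items()), 3), feats


def is_anomalous(commit, history, threshold=0.7):
    return score_commit(commit, history)[0] >= threshold


# Candidate commits to score (constructed; the times mirror the post's scenario).
SUSPECT = {"author": "alice", "ts": "2021-03-28T03:57:00+00:00", "files": ["ext/zlib/zlib.c"]}
BENIGN = {"author": "alice", "ts": "2021-03-26T14:05:00+00:00", "files": ["Zend/zend_vm.c"]}

if __name__ == "__main__":
    for c in (SUSPECT, BENIGN):
        score, feats = score_commit(c, HISTORY)
        print(c["ts"], c["files"], score, "ANOMALY" if is_anomalous(c, HISTORY) else "ok", feats)
```

The suspect commit scores 0.9: it is at an hour alice has never committed at, in an area she has never touched, and the peer group does not commit at that hour either. The benign commit scores about 0.41, because the peer model vouches for both the hour and the area being routine even though alice's own history gives them only middling support.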
Obviously, we cannot publish the malicious activities our platform has detected in client environments; however, a few days ago, while running our platform on the PHP repository, we detected the attack against php-src (the PHP interpreter), a popular open-source repository on GitHub.
On March 28th at 03:57 AM UTC a malicious commit was pushed to the repository under the identity of a legitimate contributor, "rlerdorf" (Rasmus Lerdorf). The code added to zlib.c read the HTTP_USER_AGENTT value of incoming HTTP requests (the doubled T was deliberate: the attacker used a lookalike of the real User-Agent header so that the trigger would not collide with it). If the value started with the string "zerodium", the remainder of the string was executed on the server as PHP code. In this way, the attacker could inject and run arbitrary PHP code on any server running the updated php-src code.
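The trigger described above is simple enough to check for in request logs or at a reverse proxy. The following is an added example written for this page (not php-src code and not from the original post): it models the trigger condition as a plain predicate that returns the would-be payload instead of executing anything, maps header names to the `$_SERVER` keys PHP uses for them (`User-Agentt` becomes `HTTP_USER_AGENTT`), and flags header names that are one edit away from a standard header. The standard-header list, the sample requests and the function names are assumptions made here for illustration.

```python
"""
Added example (not php-src code): the post's trigger condition as a
predicate, plus a request check that flags the lookalike header.
"""
from typing import Dict, List, Optional, Tuple

TRIGGER = "zerodium"
# Assumed list of ordinary header names; a name one edit away from one of
# these (User-Agentt vs User-Agent) is worth a look.
STANDARD_HEADERS = {"host", "user-agent", "accept", "accept-encoding",
                    "content-type", "content-length", "cookie", "connection"}


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a minimal HTTP/1.x request head into (request line, {name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return request_line, headers


def to_server(headers: Dict[str, str]) -> Dict[str, str]:
    """Mirror how PHP exposes request headers in $_SERVER:
    'User-Agentt' -> 'HTTP_USER_AGENTT'. The lookalike name lands in a key
    that no legitimate code reads, so the real User-Agent is untouched."""
    return {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers.items()}


def backdoor_payload(server: Dict[str, str]) -> Optional[str]:
    """The trigger as the post describes it: if HTTP_USER_AGENTT starts with
    'zerodium', everything after it is what the backdoor would have run as
    PHP. Returned as a string here; nothing is executed."""
    value = server.get("HTTP_USER_AGENTT", "")
    return value[len(TRIGGER):] if value.startswith(TRIGGER) else None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-duplicate header names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_request(raw: str) -> List[str]:
    """Return findings for one raw request: lookalike header names and the
    zerodium trigger. An empty list means nothing suspicious was seen."""
    _, headers = parse_request(raw)
    findings = []
    for name in headers:
        lname = name.lower()
        if lname in STANDARD_HEADERS:
            continue
        for std in sorted(STANDARD_HEADERS):
            if edit_distance(lname, std) == 1:
                findings.append(f"lookalike header {name!r} (near {std!r})")
    payload = backdoor_payload(to_server(headers))
    if payload is not None:
        findings.append(f"zerodium trigger in User-Agentt, payload {payload!r}")
    return findings


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = ("GET /index.php HTTP/1.1\r\n"
                  "Host: www.example.test\r\n"
                  "User-Agent: curl/7.79.1\r\n\r\n")
TRIGGER_REQUEST = ("GET /index.php HTTP/1.1\r\n"
                   "Host: www.example.test\r\n"
                   "User-Agent: curl/7.79.1\r\n"
                   "User-Agentt: zerodiumecho 1;\r\n\r\n")

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, TRIGGER_REQUEST):
        print(inspect_request(req) or ["clean"])
```

Note that a check on the real `User-Agent` header alone would miss this: the backdoor only read the misspelled key, so a detection rule has to look at the full set of header names rather than the handful an application normally cares about.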
Thanks to responsible code review by the repository contributors, an investigation into this commit was opened and the malicious code was removed within a couple of hours, before the updated code reached any release.