Cybercriminals are increasingly trying to exploit a serious template vulnerability in Magento 2 to execute code on unpatched websites.
That’s according to researchers from e-commerce malware detection service Sansec, who said they’ve recently noticed a rise in hacking efforts targeting CVE-2022-24086.
Magento, which was acquired by Adobe in 2018, is one of the most popular e-commerce platforms in the world. It provides widely used e-commerce software on both an open source and a commercial basis.
The Magento Marketplace portal is currently used by thousands of people to buy, sell and download themes and plugins for Magento online stores. However, the popularity of Magento has also led to this platform being constantly targeted by cybercriminals.
CVE-2022-24086 was disclosed in February 2022, when Adobe reported that it was already being exploited in the wild in “very limited attacks”.
The bug had a severity score of 9.8 out of 10, and a patch was released within days to address the issue.
Adobe has advised administrators of stores running Adobe Commerce or Magento Open Source 2.4.3-p1 / 2.3.7-p2 and earlier to treat CVE-2022-24086 as a priority and apply the patches as quickly as possible.
CVE-2022-24086 is described as an improper input validation vulnerability in the checkout process. It can be exploited without user interaction and can lead to arbitrary code execution on the server.
Researchers released a proof-of-concept (PoC) exploit for CVE-2022-24086 a few days after the flaw was disclosed, paving the way for its widespread exploitation.
Sansec researchers now say they have seen three attack variants that attempt to install a remote access trojan (RAT) on vulnerable stores by exploiting CVE-2022-24086.
According to the researchers, all the attacks detected so far were interactive (driven by hand rather than scripted), possibly because the Magento checkout sequence is difficult to automate.
The three attack variants
The first variant begins with the attacker creating a new customer account on the target store with the malicious template code placed in the account data. An order is then placed, which may fail at the payment step.
The injected code decodes into a command that downloads the Linux executable 223sam.jpg and starts it as a background process.
According to the researchers, this is a remote access trojan (RAT) that stays resident in memory and connects to a remote server located in Bulgaria to receive further commands.
The RAT has full access to the database and to the running PHP processes.
The second variant places the template code in the VAT field of the submitted request in order to create a health_check.php backdoor on the server.
This backdoor creates a new file that accepts further commands via POST requests.
In the third variant, the template code is used to overwrite the generated interceptor file generated/code/Magento/Framework/App/FrontController/Interceptor.php with malicious code.
Because that class sits in front of every request, the malicious code runs every time a Magento page is requested.
In order to protect their websites from attacks, researchers now advise Magento 2 webmasters to update their software to the latest version.
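Two checks a store operator would want after reading the above, written here as an added example (not Sansec's or Adobe's code): a version test against the affected ranges quoted in the advisory text (2.4.3-p1 / 2.3.7-p2 and lower), and a file-system scan for the artifacts named in the three variants. The interceptor path used is the standard location of the generated FrontController interceptor in a Magento 2 install; the list of suspicious PHP tokens and the treatment of end-of-life 2.0–2.2 branches as affected are this example's own assumptions, and the tampered files the demo creates are constructed for illustration.

```python
"""Version check and indicator scan for the CVE-2022-24086 campaign.

Added example, not code from the original write-up or from Adobe/Sansec.
"""
import os
import re
import tempfile

# Highest affected release per minor branch, per the advisory text.
# Newer branches (e.g. 2.4.4) were released with the fix included.
LAST_AFFECTED = {
    (2, 3): (7, 2),   # 2.3.7-p2 and lower
    (2, 4): (3, 1),   # 2.4.3-p1 and lower
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version):
    """Split '2.4.3-p1' into (major, minor, patch, plevel).
    plevel is 0 when there is no -pN security-patch suffix."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {version!r}")
    major, minor, patch, plevel = m.groups()
    return int(major), int(minor), int(patch), int(plevel or 0)


def version_is_affected(version):
    """True when the version is at or below the last affected release of
    its branch. Caveat: Adobe also shipped the fix as a hotfix that does
    not change the version string, so True means 'confirm the hotfix is
    applied', not 'definitely vulnerable'."""
    major, minor, patch, plevel = parse_version(version)
    if major != 2:
        raise ValueError("only Magento 2 version strings are handled")
    if (major, minor) not in LAST_AFFECTED:
        # Assumption: 2.0-2.2 are end-of-life and never received the fix;
        # 2.5+ (if it ever exists) would postdate it.
        return minor < 3
    return (patch, plevel) <= LAST_AFFECTED[(major, minor)]


# File-system indicators from the three variants described above.
BACKDOOR_NAME = "health_check.php"
INTERCEPTOR = os.path.join("generated", "code", "Magento", "Framework",
                           "App", "FrontController", "Interceptor.php")
# Heuristic token list (this example's assumption, not Sansec's IoCs):
# a generated interceptor should never contain these calls.
SUSPICIOUS = ("eval(", "base64_decode(", "system(", "shell_exec(", "passthru(")


def scan_install(root):
    """Return a list of human-readable findings for the install at `root`."""
    findings = []
    for sub in ("", "pub"):
        path = os.path.join(root, sub, BACKDOOR_NAME)
        if os.path.isfile(path):
            findings.append(f"backdoor file present: {path}")
    ipath = os.path.join(root, INTERCEPTOR)
    if os.path.isfile(ipath):
        with open(ipath, encoding="utf-8", errors="replace") as fh:
            body = fh.read()
        hits = [tok for tok in SUSPICIOUS if tok in body]
        if hits:
            findings.append(f"generated interceptor contains {hits}: {ipath}")
    return findings


def demo():
    """Build a throwaway install tampered like variants two and three and
    scan it. File contents are constructed for this example."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.dirname(os.path.join(root, INTERCEPTOR)))
    with open(os.path.join(root, INTERCEPTOR), "w", encoding="utf-8") as fh:
        fh.write("<?php eval(base64_decode('...'));\n")
    os.makedirs(os.path.join(root, "pub"))
    open(os.path.join(root, "pub", BACKDOOR_NAME), "w").close()
    return scan_install(root)


if __name__ == "__main__":
    for v in ("2.4.3-p1", "2.4.3-p2", "2.3.7-p2", "2.3.7-p3", "2.4.4"):
        print(v, "affected" if version_is_affected(v) else "fixed")
    for line in demo():
        print(line)
```

The version string to feed `version_is_affected` comes from `php bin/magento --version` on the store host. Because the February fix was first distributed as a hotfix rather than a new release, a store reporting 2.4.3-p1 or 2.3.7-p2 is not necessarily vulnerable; the version check only tells you which installs need the hotfix confirmed, while the file scan looks for the artifacts the three variants leave behind regardless of version.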
FishPig attack
The announcement comes days after Sansec researchers warned that cybercriminals were planting malware in servers belonging to online retailers after breaking into FishPig’s server infrastructure.
FishPig is a developer of Magento-WordPress integration software with over 200,000 downloads.
Sansec said the attackers injected malware into the FishPig Magento Security Suite and several other FishPig extensions for Magento 2, to gain access to websites that use the products. The injected malware later installs a RAT tool – dubbed Rekoobe – which hides on the server as a background process.
When Rekoobe is activated, it opens a reverse shell that lets the attacker run commands on the compromised server remotely.