Malicious actors are attempting to hijack online shops by exploiting a recently disclosed critical vulnerability in Magento, the popular e-commerce platform owned by eBay.
According to Sucuri, the attacks, traced back to a couple of Russian IP addresses, started within 24 hours after the details of the vulnerability were published by researchers.
The security hole identified and reported by Check Point researchers in January, dubbed the “Shoplift bug,” is comprised of a chain of vulnerabilities that can be exploited by a remote attacker to execute PHP code on affected servers. The flaws are an authentication bypass (CVE-2015-1398), a SQL injection (CVE-2015-1397), and a remote file inclusion (CVE-2015-1399).
In the attacks spotted by Sucuri, the attackers are exploiting the SQL injection vulnerability to create admin accounts, which they will likely leverage at a later time to hijack the affected Magento-powered shops. The administrator accounts created by the malicious actors are named vpwq or defaultmanager, experts said.
Magento released an update to address the vulnerability on February 9. However, last week, just days before Check Point published a blog post detailing its findings, more than 50% of Magento websites had still not been patched.
Byte, a Dutch company that specializes in Magento hosting, reported that roughly 140,000 websites had been vulnerable as of April 14. On Thursday, Byte reported that there had still been nearly 100,000 unpatched websites.
While so far it seems that the Shoplift bug has only been exploited to create admin accounts, experts warn that malicious actors could leverage it to take full control of affected websites and steal customer information, including payment card data.
“The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system,” Check Point researchers explained. “This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core, and affects any default installation of both Community and Enterprise Editions.”
The security firm has published a video to demonstrate how an attacker could exploit the remote code execution vulnerability to significantly lower the price of an expensive item.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
Latest News
- Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data
- Russia-Linked APT29 Uses New Malware in Embassy Attacks
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- The Effect of Cybersecurity Layoffs on Cybersecurity Recruitment
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
