E-commerce malware and vulnerability detection firm Sansec warns of a surge in cyberattacks targeting CVE-2022-24086, a critical mail template vulnerability affecting Adobe Commerce and Magento stores.
Adobe released emergency patches for CVE-2022-24086 (CVSS score of 9.8) in February 2022, warning the owners and administrators of online stores that the security issue was already being exploited in attacks.
Days later, Adobe updated its advisory, confirming that the available patches had been bypassed and that a new CVE identifier had been assigned to the flaw, namely CVE-2022-24087. Proof-of-concept (PoC) code targeting the bug was also published around the same time.
The bug is described as an improper input validation flaw in the checkout process, which could be exploited without authentication to achieve arbitrary code execution.
Although nine months have passed since fixes were released, roughly one-third of existing Magento and Commerce stores have not applied them, meaning that they are exposed to ongoing exploitation attempts.
Sansec says it has observed an uptick in TrojanOrder attacks that are exploiting this mail template vulnerability to take over vulnerable Magento 2 stores.
As part of the observed attacks, threat actors first probe Magento and Adobe Commerce stores, attempting to trigger the system to send an email, with exploit code in one field.
Observed triggers include placing an order, registering as a customer, or sharing a wishlist. Should the probe be successful, the attackers then attempt to take over the vulnerable website.
Once the e-store has been compromised, the attackers install a remote access trojan (RAT) to ensure they have permanent access even after the system has been patched. Most often, the backdoor was hidden in the file health_check.php.
Over the past several weeks, Sansec has noticed that the threat actors have developed seven attack vectors targeting this vulnerability.
“Seven attack vectors means at least seven Magecart groups now actively trying TrojanOrders on Magento 2 websites. Developing an attack route is difficult and expensive. Once a group has a working exploit (attack vector), they keep on using it unless it ceases to be effective,” Sansec says.
Moreover, the e-commerce protection firm has seen an increase in scanning for the health_check.php file, which suggests that attack groups might be trying to take over already infected sites.
The increase in attacks, Sansec says, might be the result of the emergence of low-cost exploit kits, a high success rate of previous attacks, and timing (e-commerce sites are typically very busy in October, November, and December).
“The more orders, the easier it is to overlook a TrojanOrder. Some merchants may get alerted by a strange order in their sales panel, but most staff will ignore it. November is the perfect month to execute this attack because of the high volume of transactions,” Sansec notes.
With most Magento and Adobe Commerce websites exposed to this vulnerability, chances are that some stores were patched after being compromised.
Site owners and administrators are advised to look for suspicious orders, such as those made by customers named ‘system’ or ‘pwd’, or by a specific email address, as well as to scan their website for backdoor code.
Related: Malware Infects Magento-Powered Stores via FishPig Distribution Server
Related: CISA Urges Organizations to Patch Recent Chrome, Magento Zero-Days
Related: Web Skimmer Injected Into Hundreds of Magento-Powered Stores
