Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Magento Vulnerability Increasingly Exploited to Hack Online Stores

E-commerce malware and vulnerability detection firm Sansec warns of a surge in cyberattacks targeting CVE-2022-24086, a critical mail template vulnerability affecting Adobe Commerce and Magento stores.

E-commerce malware and vulnerability detection firm Sansec warns of a surge in cyberattacks targeting CVE-2022-24086, a critical mail template vulnerability affecting Adobe Commerce and Magento stores.

Adobe released emergency patches for CVE-2022-24086 (CVSS score of 9.8) in February 2022, warning the owners and administrators of online stores that the security issue was already being exploited in attacks.

Days later, Adobe updated its advisory, confirming that the available patches had been bypassed and that a new CVE identifier had been assigned to the flaw, namely CVE-2022-24087. Proof-of-concept (PoC) code targeting the bug was also published around the same time.

The bug is described as an improper input validation flaw in the checkout process, which could be exploited without authentication to achieve arbitrary code execution.

Although nine months have passed since fixes were released, roughly one-third of existing Magento and Commerce stores have not applied them, meaning that they are exposed to ongoing exploitation attempts.

Sansec says it has observed an uptick in TrojanOrder attacks that are exploiting this mail template vulnerability to take over vulnerable Magento 2 stores.

As part of the observed attacks, threat actors first probe Magento and Adobe Commerce stores, attempting to trigger the system to send an email, with exploit code in one field.

Observed triggers include placing an order, registering as a customer, or sharing a wishlist. Should the probe be successful, the attackers then attempt to take over the vulnerable website.

Once the e-store has been compromised, the attackers install a remote access trojan (RAT) to ensure they have permanent access even after the system has been patched. Most often, the backdoor was hidden in the file health_check.php.

Over the past several weeks, Sansec has noticed that the threat actors have developed seven attack vectors targeting this vulnerability.

“Seven attack vectors means at least seven Magecart groups now actively trying TrojanOrders on Magento 2 websites. Developing an attack route is difficult and expensive. Once a group has a working exploit (attack vector), they keep on using it unless it ceases to be effective,” Sansec says.

Moreover, the e-commerce protection firm has seen an increase in scanning for the health_check.php file, which suggests that attack groups might be trying to take over already infected sites.

The increase in attacks, Sansec says, might be the result of the emergence of low-cost exploit kits, a high success rate of previous attacks, and timing (e-commerce sites are typically very busy in October, November, and December).

“The more orders, the easier it is to overlook a TrojanOrder. Some merchants may get alerted by a strange order in their sales panel, but most staff will ignore it. November is the perfect month to execute this attack because of the high volume of transactions,” Sansec notes.

With most Magento and Adobe Commerce websites exposed to this vulnerability, chances are that some stores were patched after being compromised.

Site owners and administrators are advised to look for suspicious orders, such as those made by customers named ‘system’ or ‘pwd’, or by a specific email address, as well as to scan their website for backdoor code.

Related: Malware Infects Magento-Powered Stores via FishPig Distribution Server

Related: CISA Urges Organizations to Patch Recent Chrome, Magento Zero-Days

Related: Web Skimmer Injected Into Hundreds of Magento-Powered Stores

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Cybercrime

Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.