In September 2022, Sansec researchers warned of a surge in hacking attempts targeting a critical Magento 2 vulnerability tracked as CVE-2022-24086.
Magento is a popular open-source e-commerce platform owned by Adobe, which is used by hundreds of thousands of e-stores worldwide.
In February, Adobe rolled out security updates to address the critical CVE-2022-24086 flaw affecting its Commerce and Magento Open Source products, at the time, the company confirmed it was actively exploited in the wild.
“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.” reads the advisory published by Adobe.
The flaw is an “improper input validation” vulnerability that could be exploited by threat actors with administrative privileges to achieve arbitrary code execution on vulnerable systems.
The CVE-2022-24086 has received a CVSS score of 9.8 out of 10, it is classified as a pre-authentication issue which means that it could be exploited without credentials.
The vulnerability affects the following versions of the products:
|Adobe Commerce||2.4.3-p1 and earlier versions||All|
|2.3.7-p2 and earlier versions||All|
|Magento Open Source||2.4.3-p1 and earlier versions||All|
|2.3.7-p2 and earlier versions||All|
Adobe Commerce 2.3.3 and lower are not affected by this vulnerability.
A few days after its disclosure, Positive Technologies researchers created a working PoC exploit for the vulnerability.
Unfortunately, despite Adobe has addressed the issue earlier this year, roughly one-third of existing Magento and Commerce stores have yet to install the security updates.
Now Sansec researchers warn that at least seven Magecart groups are injecting TrojanOrders at approximately 38% of Magento and Adobe Commerce websites in November. TrojanOrders are orders that are injected by exploiting a critical vulnerability in Magento stores.
“After a quiet summer, the number of attacks targeting the mail template vulnerability in Magento 2 and Adobe Commerce is rising fast. Merchants and developers should be on the lookout for TrojanOrders: orders that exploit a critical vulnerability in Magento stores.” reads the report published by the experts “The trend in recent weeks paints a grim picture for ecommerce DevOps teams worldwide for the coming weeks.”
The attack chain is simple, the attackers first attempt to to trigger the system to send an email inserting the exploit code in one of the fields. The email is triggered by placing an order, but experts also observed other triggers using the “sign up as customer” or “share a wishlist” functionalities.
Usually the backdoor is hidden in the file health_check.php, which is a legitimate Magento component.
Over the past several weeks, Sansec spotted seven different attack vectors, a data that suggests that at least seven Magecart groups now actively trying TrojanOrders on Magento 2 websites.
“Developing an attack route is difficult and expensive. Once a group has a working exploit (attack vector), they keep on using it unless it ceases to be effective.” continues the report. “There is a big increase of active scanning for the file that contains the backdoor (health_check.php). This is a sign of attacker groups are trying to take over infected sites from other groups.”
The spike in attacks could be caused by the availability of low-cost exploit kits on hacking forums, a high success rate of past attacks, and timing (Between October and December e-commerce sites are under pressure because it is the period with major revenue.).
“The more orders, the easier it is to overlook a TrojanOrder. Some merchants may get alerted by a strange order in their sales panel, but most staff will ignore it. November is the perfect month to execute this attack because of the high volume of transactions.” Sansec continues.
Experts urge site admins to look for suspicious orders, as well as to scan their website for malicious code.
“The first visible sign is a suspicious new customer record or transaction. Seeing customers pop up with names or addresses like “system” or “pwd”? Orders made by email@example.com? Most likely, this is a TrojanOrder, and Sansec recommends inspecting your system as soon as possible.” concludes the report.
(SecurityAffairs – hacking, Magento)