Official forum for Utopia Community
You are not logged in.
An ongoing campaign that has been going on since at least January 2023 is aimed at e-commerce websites that use Adobe's Magento 2 platform.
The attacks, code-named "Xurum" by Akamai, take advantage of a critical security hole that has since been patched (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source, which, if exploited, could result in arbitrary code execution.
Researchers from Akamai said in an analysis released last week that the campaign was carried out by actors with Russian ancestry.
"The attacker seems to be interested in payment stats from the orders in the victim's Magento store placed in the past 10 days," they wrote.
Simple JavaScript-based skimmers that are intended to gather credit card information and send it to a distant server have also been found to be infected on some of the websites. Uncertainty exists regarding the campaign's precise scope.
In the attack chains that the company has seen, CVE-2022-24086 is weaponized for initial access, and after exploiting the foothold, malicious PHP code that gathers host information and drops a web shell named wso-ng that poses as a Google Shopping Ads component is executed.
In addition to running in memory, the web shell backdoor is only activated when an attacker sends the cookie "magemojo000" in an HTTP request. At that point, data regarding sales order payment methods from the previous 10 days is accessed and exfiltrated.
The attacks culminate with the creation of a rogue admin user named "mageworx" (or "mageplaza") in what appears to be an intentional effort to conceal their actions as benign, as the two names refer to well-known Magento 2 extension stores.
The WSO web shell is said to have evolved into wso-ng, which includes a new covert login page that allows hackers to steal victims' credentials. To learn more about other domains hosted on the same server and to gather information about the IP reputation of the infected machine, it further integrates with trustworthy tools like VirusTotal and SecurityTrails.
A class of attacks known as Magecart have been targeting online shopping sites for years with the aim of collecting payment information from victims by inserting skimmer code into checkout pages.
Instead of randomly dispersing their exploits across the internet, the attackers "have shown a meticulous approach, targeting specific Magento 2 instances," the researchers said.
They exhibit a high level of Magento expertise and devote a lot of time to learning about its internal workings, putting together an attack infrastructure, and testing their exploits on actual targets. ".
Online