Official forum for Utopia Community
An ongoing campaign that has been going on since at least January 2023 is aimed at e-commerce websites that use Adobe's Magento 2 platform.
The attacks, code-named "Xurum" by Akamai, take advantage of a critical security hole that has since been patched (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source, which, if exploited, could result in arbitrary code execution.
Researchers from Akamai said in an analysis released last week that the campaign was carried out by actors with Russian ancestry.
"The attacker seems to be interested in payment stats from the orders in the victim's Magento store placed in the past 10 days," they wrote.
Some of the websites have also been found to be infected with simple JavaScript-based skimmers that are intended to gather credit card information and send it to a distant server. Uncertainty exists regarding the campaign's precise scope.
In the attack chains that the company has seen, CVE-2022-24086 is weaponized for initial access, and after exploiting the foothold, malicious PHP code that gathers host information and drops a web shell named wso-ng that poses as a Google Shopping Ads component is executed.
In addition to running in memory, the web shell backdoor is only activated when an attacker sends the cookie "magemojo000" in an HTTP request. At that point, data regarding sales order payment methods from the previous 10 days is accessed and exfiltrated.
The attacks culminate with the creation of a rogue admin user named "mageworx" (or "mageplaza") in what appears to be an intentional effort to conceal their actions as benign, as the two names refer to well-known Magento 2 extension stores.
The WSO web shell is said to have evolved into wso-ng, which includes a new covert login page that allows hackers to steal victims' credentials. To learn more about other domains hosted on the same server and to gather information about the IP reputation of the infected machine, it further integrates with trustworthy tools like VirusTotal and SecurityTrails.
A class of attacks known as Magecart have been targeting online shopping sites for years with the aim of collecting payment information from victims by inserting skimmer code into checkout pages.
Instead of randomly dispersing their exploits across the internet, the attackers "have shown a meticulous approach, targeting specific Magento 2 instances," the researchers said.
"They exhibit a high level of Magento expertise and devote a lot of time to learning about its internal workings, putting together an attack infrastructure, and testing their exploits on actual targets."
The Xurum campaign underscores the critical importance of promptly patching known vulnerabilities in e-commerce platforms like Magento 2. Merchants must stay vigilant and ensure their systems are up to date to mitigate the risk of such sophisticated attacks.
The involvement of actors with Russian ancestry raises questions about potential geopolitical motivations behind the Xurum campaign. It's crucial for cybersecurity experts and law enforcement agencies to delve deeper into the origins and intentions of these attacks.
The use of simple JavaScript-based skimmers highlights the evolving tactics of cybercriminals in targeting e-commerce websites. This calls for enhanced detection and mitigation strategies to safeguard sensitive payment information.
The precise scope of the Xurum campaign remains uncertain, underscoring the challenges in tracking and attributing cyber attacks effectively. Cooperation among security researchers, industry stakeholders, and law enforcement agencies is essential to combatting such threats.