Online shopping sites have been targeted for years by a class of attacks known as Magecart, and now, e-commerce sites using Adobe's Magento 2 software are the latest target of an ongoing campaign that has been active since at least January 2023.
Online shopping sites have been targeted for years by a class of attacks known as Magecart, and now, e-commerce sites using Adobe's Magento 2 software are the latest target of an ongoing campaign that has been active since at least January 2023.
According to a report by Akamai, the attacks, dubbed Xurum, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution.
"The attacker seems to be interested in payment stats from the orders in the victim's Magento store placed in the past 10 days," Akamai researchers said in an analysis published last week, attributing the campaign to actors of Russian origin.
The researchers observed that some of the websites have also been infected with simple JavaScript-based skimmers that's designed to collect credit card information and transmit it to a remote server. The exact scale of the campaign remains unclear.
In the attack chains observed by the company, CVE-2022-24086 is weaponized for initial access, subsequently exploiting the foothold to execute malicious PHP code that gathers information about the host and drops a web shell named wso-ng that masquerades as a Google Shopping Ads component.
Not only is the web shell backdoor run in memory, it also activated only when the attacker sends the cookie "magemojo000" in the HTTP request, after which information about the sales order payment methods in the past 10 days is accessed and exfiltrated.
The attacks culminate with the creation of a rogue admin user with the name "mageworx" (or "mageplaza") in what appears to be a deliberate attempt to camouflage their actions as benign, for the two monikers refer to popular Magento 2 extension stores.
The wso-ng web shell is said to be an evolution of the WSO web shell, incorporating a new hidden login page to steal credentials entered by victims. It further integrates with legitimate tools like VirusTotal and SecurityTrails to glean the infected machine's IP reputation
Sources: https://thehackernews.com/2023/08/ongoing-xurum-attacks-on-e-commerce.html