Critical Magento bug used in fresh round of attacks

Cybercriminals are increasingly attacking a critical Magento vulnerability. Image via iStock.


Improper input validation vulnerability has a CVSS score of 9.8 out of 10

Cybercriminals are increasingly attempting to exploit a critical template vulnerability in Magento 2 to execute code on unpatched websites.

That's according to researchers from the e-commerce malware detection service Sansec, who say they recently observed a spike in hacking efforts aimed at CVE-2022-24086.

Magento, which was acquired by Adobe in 2019, is one of the most popular e-commerce platforms in the world. It provides widely used e-commerce software on both an open source and commercial basis.

The Magento Marketplace portal is currently used by thousands of people to buy, sell, and download themes and plugins for Magento-based online stores. However, the popularity of Magento has also led to the platform being persistently targeted by cybercriminals.

CVE-2022-24086 was uncovered in February 2022, when Adobe saw it being exploited in the wild by threat actors in 'very limited attacks'.

The flaw received a severity score of 9.8 out of 10, and a patch was released within days to address the issue.

Adobe advised admins of online stores running versions 2.4.3-p1/2.3.7-p2 and below of Adobe Commerce or Magento Open Source to prioritise addressing CVE-2022-24086 and to apply the patches as soon as possible.

CVE-2022-24086 is described as 'an improper input validation vulnerability during the checkout process' and researchers warned that it could be exploited without user interaction, potentially leading to arbitrary code execution.

Researchers released a proof-of-concept (PoC) exploit for CVE-2022-24086 a few days after the flaw was discovered, paving the way for its widespread exploitation.

Researchers from Sansec now claim to have seen three template hacks that attempted to install a Remote Access Trojan (RAT) on vulnerable endpoints by exploiting CVE-2022-24086.

All the detected attacks have been interactive, according to researchers, possibly because the Magento checkout sequence is particularly difficult to automate.

The three attack variants

The first variant begins by utilising malicious template code to create a new customer account on the target platform. It proceeds with placing an order, which might lead to a failed payment.

The injected code decodes to a command that downloads and starts a background process for the Linux executable 223sam.jpg.

According to researchers, this is basically a remote access Trojan (RAT) that stays in memory and communicates with a remote server located in Bulgaria to receive further commands.

The database and active PHP processes are both fully accessible to the RAT.

The second attack variant tries to introduce a health_check.php backdoor by including template code in the VAT field of the placed order.

The injected code creates a new file that accepts further commands via POST requests.

In the third attack variant, the template code executes to replace "generated/code/Magento/Framework/App/FrontController/Interceptor.php" with malicious code.

As a result, the malware is executed every time a Magento page request is made.

In order to protect their websites from attacks, the researchers are now advising Magento 2 site admins to update their software to the most recent version.
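As an added example (not code from the article, from Sansec, or from Magento), the following Python script is a read-only sweep for the indicators the three variants above name: the health_check.php backdoor file, a tampered generated Interceptor.php, and Magento template directives (the `{{...}}` syntax) turning up in customer-entered order fields such as the VAT id. The suspicious-call heuristic, the order field names, the sample directory layout and the sample order records are assumptions constructed for illustration and contain no payload.

```python
"""Added example, not from the article or from Sansec/Magento: a read-only sweep
for the indicators named in the write-up. Heuristics and sample data are
constructed assumptions for illustration."""
import os
import re
import tempfile
from pathlib import Path

# File names / paths taken from the article.
BACKDOOR_FILENAME = "health_check.php"
INTERCEPTOR_REL = "generated/code/Magento/Framework/App/FrontController/Interceptor.php"

# Heuristic (assumption): calls that Magento's auto-generated code has no reason to make.
SUSPICIOUS_CALL = re.compile(
    r"\b(eval|system|shell_exec|passthru|exec|base64_decode)\s*\(", re.IGNORECASE)

# Magento template-directive syntax; customer-entered order fields should never contain it.
TEMPLATE_DIRECTIVE = re.compile(r"\{\{\s*\w+[^}]*\}\}")


def sweep_filesystem(root):
    """Walk a Magento document root; return a sorted list of (reason, relative path)."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name == BACKDOOR_FILENAME:
                findings.append(("backdoor filename from article", rel))
            # Only the generated interceptor named in the article is content-checked here.
            if rel == INTERCEPTOR_REL:
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    continue
                if SUSPICIOUS_CALL.search(text):
                    findings.append(("suspicious call in generated interceptor", rel))
    return sorted(findings)


def flag_template_directives(orders, fields=("vat_id", "firstname", "lastname", "street")):
    """Return (order id, field) pairs whose customer-supplied text holds a template directive.

    The field names are assumed for the example; map them to your own order export.
    """
    hits = []
    for order in orders:
        for field in fields:
            value = order.get(field)
            if isinstance(value, str) and TEMPLATE_DIRECTIVE.search(value):
                hits.append((order["id"], field))
    return hits


# Constructed sample order records (not real data). The directive in the second
# record is deliberately harmless; it only shows the syntax the check looks for.
SAMPLE_ORDERS = [
    {"id": "1001", "vat_id": "DE123456789", "firstname": "Ada",
     "lastname": "Lovelace", "street": "1 Example St"},
    {"id": "1002", "vat_id": "{{var order.increment_id}}", "firstname": "Bob",
     "lastname": "Smith", "street": "2 Example St"},
]


def build_demo_root(base):
    """Create a constructed, payload-free layout mimicking the article's indicators."""
    base = Path(base)
    (base / "pub").mkdir(parents=True)
    (base / "pub" / BACKDOOR_FILENAME).write_text("<?php // placeholder, no payload\n")
    interceptor = base / INTERCEPTOR_REL
    interceptor.parent.mkdir(parents=True)
    # Constructed marker string only; the call sits in a PHP comment and never runs.
    interceptor.write_text("<?php\nclass Interceptor {}\n// marker: eval(base64_decode('x'));\n")
    (base / "vendor" / "magento").mkdir(parents=True)
    (base / "vendor" / "magento" / "clean.php").write_text("<?php echo 'ok';\n")
    return base


def demo():
    """Run both checks against the constructed data and return (fs_findings, order_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        fs_findings = sweep_filesystem(build_demo_root(tmp))
    order_hits = flag_template_directives(SAMPLE_ORDERS)
    return fs_findings, order_hits


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Point `sweep_filesystem` at a real Magento root and `flag_template_directives` at an export of recent orders; a hit on either is a reason to compare the generated code against a fresh `setup:di:compile` output and to review the order in question, not proof of compromise on its own.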

The FishPig attack

The announcement comes days after Sansec researchers warned that cybercriminals were implanting malware in servers belonging to online retailers after breaking into the server infrastructure of FishPig.

FishPig is a developer of Magento-WordPress integration software with more than 200,000 downloads.

Sansec said attackers had injected malware into the FishPig Magento Security Suite and several other FishPig extensions for Magento 2 in order to gain access to websites using the products. The injected malware later installed a RAT, dubbed Rekoobe, which hides on the server as a background process.

When Rekoobe is activated, it provides a reverse shell that enables the attacker to remotely instruct the compromised server.