Researchers from cybersecurity firm Sansec uncovered a massive Magecart campaign that already compromised more than 500 online stores running the Magento 1 eCommerce platform.
Threat actors behind this campaign deployed a digital skimmer that was being loaded from the naturalfreshmall(.)com domain.
An interesting characteristic of this attack is the combination of SQL injection and PHP object injection to take over the Magento store.
“Last week Sansec detected a mass breach of over 500 stores running the Magento 1 ecommerce platform. All stores were victim of a payment skimmer loaded from the naturalfreshmall.com
domain. We invited victims to reach out to us, so we could find a common point of entry and protect other merchants against a potentional new attack.” reads the analysis published by Sansec. “The first investigation is now completed: attackers used a clever combination of an SQL injection (SQLi) and PHP Object Injection (POI) attack to gain control of the Magento store.”
The attack chain starts with the exploitation of a known vulnerability in the Quickview plugin that allowed attackers to inject rogue admin users into vulnerable Magento stores. In the cases investigated by the experts, the attackers exploited the vulnerability to add a validation rule to the customer_eav_attribute table.
The added validation rule contains a POI payload used to trick the host application into crafting a malicious object.
“In this case Zend_Memory_Manager and Zend_CodeGenerator_Php_File are used to create a file called api_1.php with a simple backdoor eval($_POST[‘z’]).” reported the analysis.
Using this attack scheme, by using the validation rules for new customers, the attacker can trigger an unserialize and the execution of the backdoor by simply browsing the Magento sign up page.
Then the attacker will be able to run any PHP code via the api_1.php backdoor.
Experts pointed out the attackers installed no less than 19 backdoors on the system. To sanitize the system it will be necessary to remove each and every one of them to prevent re-infection.
Sansec has published Indicators of Compromise for this campaign, including a list of files dropped on compromised systems and the IPs that were implicated in this campaign.
The root cause of these attack is the use of Magento 1 platform that has reached End-of-Life and that for this reason will no longer receive security updates.
“While the Magento 1 platform has been declared End-Of-Life by Adobe, thousands of professional merchants are still using it. As Adobe does not provide security patches anymore, we recommend to take extra measures to keep your store safe. Monitoring for malware is vital (such as with our ecomscan scanner). Also, there are community-provided patches available for Magento 1.” concludes the report. “Either open-source via OpenMage or with commercial support via Mage-One.”
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Magecart attacks)
[adrotate banner=”5″]
[adrotate banner=”13″]