Magento Flaw Exploited in the Wild a few hours after disclosure

Sucuri revealed that cyber criminals are attempting to hijack online shops based on Magento platform by exploiting a recently disclosed critical flaw.

According to the security experts at Sucuri firm, within 24 hours after the disclosure of the vulnerability in Magento platform, bad actors are already attempting to hack e-commerce websites using it. The experts traced back the attacks to a couple of Russian IP addresses (62.76.177.179 and 185.22.232.218).

"62.76.177.179 – – [23/Apr/2015:00:45:44 -0400] “POST /index.php/admin/Cms_Wysiwyg/[HIDDEN] HTTP/1.1″ 403 1880 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36″

185.22.232.218 – – [22/Apr/2015:00:42:38 -0400] “POST /index.php/admin/Cms_Wysiwyg/[HIDDEN] HTTP/1.1″ 200 2211 “-” “Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0″

In January, researchers at CheckPoint firm discovered a flaw in Magento, dubbed “Shoplift bug,” which opens the vulnerable websites to cyber attacks. The experts explained that exploiting the authentication bypass flaw (CVE-2015-1398), a SQL injection (CVE-2015-1397), and a remote file inclusion (CVE-2015-1399), the attackers can execute arbitrary PHP code on the affected servers.

On February 9 2015, Magento released an update to fix the vulnerability, but according to a blog post published by Check Point, more than 50% of Magento websites are still vulnerable.

The experts at Sucuri detailed the attack scenario, the hackers can exploit the SQL injection vulnerability to create admin accounts on the vulnerable platform. The administrator accounts created by the threat actors are named vpwq or defaultmanager.

“The code is leveraging SQL Injection (SQLi) and inserting a new admin_user to the database. If you suspect you have been compromised, look for the usernames vpwq or defaultmanager as it seems to be the ones being used by this specific group so far.” states the blog post published by Sucuri.

The Byte company that specializes in Magento hosting, reported that roughly 140,000 websites were still vulnerable last week, the number of unpatched Magento platforms is nearly 100,000.

It is important to note that by exploiting the Shoplift bug, the attackers could take full control of affected Magento websites and steal sensitive data, including payment card data.

“The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system,” states Check Point. “This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core, and affects any default installation of both Community and Enterprise Editions.”

Below the video POC published by the Check Point to demonstrate how an attacker could exploit the remote code execution vulnerability to modify the price of an object.

Pierluigi Paganini

(Security Affairs – Magento, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.