Magento Flaw Exploited in the Wild a few hours after disclosure

Sucuri revealed that cyber criminals are attempting to hijack online shops based on Magento platform by exploiting a recently disclosed critical flaw.

According to the security experts at Sucuri firm, within 24 hours after the disclosure of the vulnerability in Magento platform, bad actors are already attempting to hack e-commerce websites using it. The experts traced back the attacks to a couple of Russian IP addresses (62.76.177.179 and 185.22.232.218).

"62.76.177.179 – – [23/Apr/2015:00:45:44 -0400] “POST /index.php/admin/Cms_Wysiwyg/[HIDDEN] HTTP/1.1″ 403 1880 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36″

185.22.232.218 – – [22/Apr/2015:00:42:38 -0400] “POST /index.php/admin/Cms_Wysiwyg/[HIDDEN] HTTP/1.1″ 200 2211 “-” “Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0″

In January, researchers at CheckPoint firm discovered a flaw in Magento, dubbed “Shoplift bug,” which opens the vulnerable websites to cyber attacks. The experts explained that exploiting the authentication bypass flaw (CVE-2015-1398), a SQL injection (CVE-2015-1397), and a remote file inclusion (CVE-2015-1399), the attackers can execute arbitrary PHP code on the affected servers.

On February 9 2015, Magento released an update to fix  the vulnerability, but according to a blog post published by Check Point, more than 50% of Magento websites are still vulnerable.

The experts at Sucuri detailed the attack scenario, the hackers can exploit the SQL injection vulnerability to create admin accounts on the vulnerable platform. The administrator accounts created by the threat actors are named vpwq or defaultmanager.

“The code is leveraging SQL Injection (SQLi) and inserting a new admin_user to the database. If you suspect you have been compromised, look for the usernames vpwq or defaultmanager as it seems to be the ones being used by this specific group so far.” states the blog post published by Sucuri.

The Byte company that specializes in Magento hosting, reported that roughly 140,000 websites were still vulnerable last week, the number of unpatched Magento platforms is nearly 100,000.

It is important to note that by exploiting the Shoplift bug, the attackers could take full control of affected Magento websites and steal sensitive data, including payment card data.

“The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system,” states Check Point. “This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core, and affects any default installation of both Community and Enterprise Editions.”

Below the video POC published by the Check Point to demonstrate how an attacker could exploit the remote code execution vulnerability to modify the price of an object.

Pierluigi Paganini

(Security Affairs –  Magento, hacking)