eCommerce Sites Targeted in Active Campaign via Magento 2 Exploit

An ongoing campaign is targeting ecommerce sites with digital skimmers via a critical CVE.

Context

On August 9, 2023, Akamai researchers reported a campaign they dubbed “Xurum,” which leverages the “patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution.”

Technical Details

Key takeaways from the Akamai report include:

  • “We have observed activity in this campaign since at least January 2023. The attacker seems to be interested in payment stats from the orders in the victim’s Magento store placed in the past 10 days.
  • The attacker registers a new Magento component and masks it as “GoogleShoppingAds.”
  • The attacker uses an advanced web shell named “wso-ng” that is activated only when the attacker sends the cookie “magemojo000” to the backdoor “GoogleShoppingAds” component.
  • The web shell login page masquerades as an error page containing a hidden login form that attempts to glean victim credentials.
  • The attacker creates a backdoor admin user in Magento, named “mageplaza” or “mageworx,” as another deception trick, as those are the names of popular Magento extension stores.
  • The attacker uses the older Dirty COW exploit (CVE-2016-5195) to attempt privilege escalation within Linux.
  • Evidence indicates Russian origins for this threat.
  • Some of the websites involved in this campaign were observed to be infected with simple JavaScript-based skimmers with no attempt to obfuscate or hide their existence.”

IOCs

Indicator                                                            Type
104[.]36[.]229[.]168                                                 Attacking IP
95[.]216[.]95[.]178                                                  Attacking IP
95[.]216[.]94[.]99                                                   Attacking IP
65[.]21[.]85[.]21                                                    Attacking IP
xurum[.]com                                                          Malware hosting domain
/var/www/html/vendor/magento/google-shopping-ads/registration[.]php  File name
mageworx                                                             Magento user
mageplaza                                                            Magento user
developer@mageplazza[.]com                                           Email address
support@magaworx[.]com                                               Email address
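The TTPs in the Technical Details section and the indicators in the table above map directly onto three places a Magento operator can look: the vendor tree (the fake “GoogleShoppingAds” component), the admin_user table (the “mageworx”/“mageplaza” backdoor accounts and their look-alike e-mail addresses) and the web server access log (the attacking IPs, the “magemojo000” trigger cookie, the xurum[.]com domain). The script below is an added hunting example, not Akamai's tooling or anything from the report. It assumes the access log puts the client IP in the first field and, for the cookie check, that the Cookie header is being logged; the file paths, admin rows and log lines it ships with are constructed so it runs offline.

```python
"""Hunt for the Xurum indicators above in a Magento 2 deployment.

Added example (not Akamai's code). Sample inputs are constructed inline so it
runs offline; in practice feed it `find` output, a dump of Magento's admin_user
table and the web server's access log.
"""

# Indicators copied from the table, kept in their published defanged form.
ATTACKING_IPS = {"104[.]36[.]229[.]168", "95[.]216[.]95[.]178",
                 "95[.]216[.]94[.]99", "65[.]21[.]85[.]21"}
MALWARE_DOMAINS = {"xurum[.]com"}
BACKDOOR_USERS = {"mageworx", "mageplaza"}
BACKDOOR_EMAILS = {"developer@mageplazza[.]com", "support@magaworx[.]com"}
# Path suffix rather than the full /var/www/html path: the docroot varies per host.
BACKDOOR_PATH_SUFFIX = "vendor/magento/google-shopping-ads/registration.php"
WEBSHELL_COOKIE = "magemojo000"


def refang(ioc: str) -> str:
    """Turn the published defanged form ('xurum[.]com') back into a matchable string."""
    return ioc.replace("[.]", ".")


def check_files(paths):
    """Return paths that are the fake 'GoogleShoppingAds' component's registration file."""
    return [p for p in paths if p.replace("\\", "/").endswith(BACKDOOR_PATH_SUFFIX)]


def check_admin_users(rows):
    """rows: (username, email) pairs from Magento's admin_user table.
    Flags the backdoor usernames and the look-alike e-mail addresses,
    case-insensitively; either alone is enough to warrant a look."""
    emails = {refang(e).lower() for e in BACKDOOR_EMAILS}
    return [(u, e) for u, e in rows
            if u.lower() in BACKDOOR_USERS or e.lower() in emails]


def check_logs(lines):
    """Scan access-log lines (client IP as the first field, Apache/nginx style).
    Returns (reasons, line) for lines from a known attacking IP, lines carrying the
    web-shell trigger cookie (assumes your log format records the Cookie header),
    or lines referencing the malware-hosting domain."""
    ips = {refang(i) for i in ATTACKING_IPS}
    domains = {refang(d) for d in MALWARE_DOMAINS}
    hits = []
    for line in lines:
        reasons = []
        if line.split(" ", 1)[0] in ips:
            reasons.append("attacking-ip")
        if WEBSHELL_COOKIE in line:
            reasons.append("webshell-cookie")
        if any(d in line for d in domains):
            reasons.append("malware-domain")
        if reasons:
            hits.append((reasons, line))
    return hits


def hunt(paths, admin_rows, log_lines):
    """Run all three checks; an empty dict means no indicator matched."""
    report = {
        "files": check_files(paths),
        "admin_users": check_admin_users(admin_rows),
        "log_lines": check_logs(log_lines),
    }
    return {k: v for k, v in report.items() if v}


# --- Constructed sample data (not from a real incident) -----------------------
SAMPLE_PATHS = [
    "/var/www/html/vendor/magento/module-catalog/registration.php",
    "/var/www/html/vendor/magento/google-shopping-ads/registration.php",
    "/srv/shop/vendor/magento/google-shopping-ads/registration.php",
]
SAMPLE_ADMIN_USERS = [
    ("admin", "ops@example.com"),
    ("mageplaza", "developer@mageplazza.com"),   # name and e-mail both match
    ("Mageworx", "it@example.com"),              # name only, different case
    ("jane", "support@magaworx.com"),            # look-alike e-mail only
]
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2023:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '95.216.95.178 - - [10/Aug/2023:10:00:01 +0000] "POST /checkout/ HTTP/1.1" 500 1024 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Aug/2023:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 12 "-" "curl/8.1" "magemojo000=1"',
    '198.51.100.9 - - [10/Aug/2023:10:00:03 +0000] "GET /?src=http://xurum.com/a HTTP/1.1" 200 12 "-" "curl/8.1"',
]

if __name__ == "__main__":
    for kind, matches in hunt(SAMPLE_PATHS, SAMPLE_ADMIN_USERS, SAMPLE_LOG).items():
        print(f"[{kind}]")
        for m in matches:
            print("  ", m)
```

The file check matches on the path suffix rather than the literal /var/www/html path from the table, because the docroot differs between hosts and the component directory is the stable part. The admin check matches username or e-mail independently: the report ties the look-alike addresses to the backdoor accounts, but an operator who finds either one on its own still wants to see it. Cookie detection only works if the Cookie header is in the log format; if it is not, the IP and domain checks still run, and the cookie string is better hunted at the WAF or reverse proxy.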
