On August 9, 2023, Akamai researchers reported a campaign they dubbed “Xurum,” which leverages the “patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution.”
Key takeaways from the Akamai report include:
- “We have observed activity in this campaign since at least January 2023. The attacker seems to be interested in payment stats from the orders in the victim’s Magento store placed in the past 10 days.
- The attacker registers a new Magento component and masks it as “GoogleShoppingAds.”
- The attacker uses an advanced web shell named “wso-ng” that is activated only when the attacker sends the cookie “magemojo000” to the backdoor “GoogleShoppingAds” component.
- The web shell login page masquerades as an error page containing a hidden login form that attempts to glean victim credentials.
- The attacker creates a backdoor admin user in Magento, named “mageplaza” or “mageworx,” as another deception trick as those are the names of the popular Magento extensions stores.
- The attacker uses the older Dirty COW exploit (CVE-2016-5195) to attempt privilege escalation within Linux.
- Evidence indicates Russian origins for this threat.
Malware hosting domain