Connect with us

Hi, what are you looking for?

Cyber Security

Critical Magento vulnerability targeted in new surge of attacks

Researchers have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites.

Magento is an open-source e-commerce platform owned by Adobe, used by approximately 170,000 online shopping websites worldwide.

The CVE-2022-24086 vulnerability was discovered and patched in February 2022, when threat actors were already exploiting it in the wild. At the time, CISA published an alert urging site admins to apply the available security update.

A couple of days later, security researchers published a proof-of-concept (PoC) exploit for CVE-2022-24086, opening the road to mass exploitation.

According to a report published by Sansec today, we have reached that stage, with the critical template vulnerability becoming a favorite in the hacker underground.

Three attack variants

Sansec’s analysts have observed three attack variants exploiting CVE-2022-24086 to inject a remote access trojan (RAT) on vulnerable endpoints.

The attacks are interactive because the Magento checkout flow is challenging to automate and may reduce the effectiveness of the attacks.

The first variant begins by creating a new customer account on the target platform using malicious template code in the first and last names and then placing an order.

Part of the injected template code
Part of the injected template code (Sansec)

The injected code decodes to a command that downloads a Linux executable (“223sam.jpg”) which launches in the background as a process. This is the RAT, which phones to a Bulgaria-based server to receive commands.

“This attack method defeats some of the security features of the Adobe Commerce Cloud platform, such as a read-only code base and restricted PHP execution under pub/media,” explains Sansec in the report.

“The RAT has full access to the database and the running PHP processes,… and can be injected on any of the nodes in a multi-server cluster environment.”

The second attack involves the injection of a PHP backdoor (“health_check.php”) by including template code in the VAT field of the placed order.

The code creates a new file (“pub/media/health_check.php”) that accepts commands via POST requests.

Creating the malicious PHP file
Creating the malicious PHP file (Sansec)

Finally, the third attack variation employs template code that executes to replace “generated/code/Magento/Framework/App/FrontController/Interceptor.php” with a malicious, backdoored version.

PHP eval backdoor created in third attack
PHP eval backdoor created in the third attack (Sansec)

The researchers urge Magento 2 site administrators to follow the security guidelines on this support page and upgrade their software to the latest version.

Source: https://www.bleepingcomputer.com/news/security/critical-magento-vulnerability-targeted-in-new-surge-of-attacks/

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

A group of Researchers unearthed critical code Proton Mail vulnerabilities that could have jeopardized the security of Proton Mail, a renowned privacy-focused webmail service. ...

Cyber Security

How a cornerstone cybersecurity program has evolved from information collection to active defense. The Cybersecurity and Infrastructure Security Agency has used its Continuous Diagnostics...

Cyber Security

We are glad to present the most recent news on cybersecurity in this week’s Threat and Vulnerability Roundup from Cyber Writes.  The latest attack...

Cyber Security

Splunk has been reported with a Unauthenticated Log injection vulnerability in the Splunk IT Service Intelligence (ITSI) product. This vulnerability exists in Splunk ITSI versions prior...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO