Ecommerce stores utilizing Adobe’s open source Magento 2 software have become the target of an ongoing exploitation campaign stemming from a critical vulnerability, which had been addressed through a patch on February 13, 2022.
Akamai security researchers have uncovered a server-side template injection campaign focused on Magento 2 shops that have neglected to address CVE-2022-24086, a severe input validation flaw boasting a CVSS score of 9.8. Maxim Zavodchik, Akamai’s Director of Threat Research, expressed the challenge faced by businesses in adequately identifying assets and promptly patching vulnerabilities, highlighting how even older CVEs are leveraged by threat actors for initial site and network access.
This campaign, initiated in January 2023 and detailed in a collaborative blog post by Zavodchik and fellow Akamai researchers, Ron Mankivsky, Dennis German, Chen Doytshman, and Tricia Howard, has shown a particular interest in recent payment statistics from orders within the victim’s Magento store.
While perhaps not entirely unexpected, this threat adds to a larger landscape of targeted attacks on Magento shops that has persisted since 2015. The malicious actors behind these campaigns, collectively referred to as Magecart due to their specialization in targeting Magento shopping carts, employ various malware techniques like JavaScript data skimming to intercept and pilfer transaction data from ecommerce websites.
Dubbed “Xurum” by Akamai, the latest campaign’s name evolved following the exposure of the attacker’s command-and-control server in the researchers’ report. Akamai acknowledges challenges in quantifying the extent of impact on Magento stores, as it strives to thwart incoming attacks, while also highlighting the intricacies of the attack’s execution. The malicious payload’s distribution was attempted through multiple IP addresses associated with service providers Hetzner in Germany and Shock Hosting in the United States.
Two distinct payload variants were employed, each designed to exploit the CVE-2022-24086 vulnerability and exfiltrate data, with the second variant utilizing obfuscated PHP code executed via the shell_exec function.
The campaign underscores the persistent exploitation of older vulnerabilities, shedding light on the alarming reality that even well-disclosed flaws continue to be exploited over time due to the challenges businesses face in maintaining comprehensive patching and security practices.
