Adobe has urged customers using the Magento 1 e-commerce platform to upgrade to the latest version of Adobe Commerce after security firm Sansec detected a massive breach of more than 500 stores running the platform.
In a statement to ZDNet, Adobe said it ended support for Magento 1 on June 30, 2020.
“We continue to encourage merchants to upgrade to the latest version of Adobe Commerce to benefit from the latest security, flexibility, extensibility and scalability,” a spokesperson for Adobe Commerce said. Adobe.
“At a minimum, we recommend that Magento Open Source merchants on Magento 1 upgrade to the latest version of Magento Open Source (based on Magento 2), to which Adobe contributes key security updates.”
On Tuesday, Sansec released a report revealing that hundreds of stores fell victim to a payment skimmer loaded from the naturalfreshmall.com domain.
“We invited victims to contact us, in order to find a common entry point and protect other merchants from a possible new attack. The first investigation is now complete: the attackers used a clever combination of a SQL Injection (SQLi) and PHP Object Injection (POI) to take over the Magento store,” the researchers explained.
“The attackers abused a (known) leak in the Quickview plugin. Although this is usually abused to inject dishonest Magento admin users, in this case the attacker used the flaw to execute code directly on the server.”
In their review of one attack, researchers found that the threat actor left 19 backdoors on the system. They recommended victims to use a malware scanner to identify any instances of malicious files or Magento code to which malicious code has been added.
Sansec noted that even though Adobe ended support for Magento, thousands of businesses are still using it.
Magento has long been a source of problems for Adobe and the online merchants that use it. In November, the National Cyber Security Center (NCSC) identified a total of 4,151 retailers that had been compromised by hackers attempting to exploit payment page vulnerabilities to hijack payments and steal details.
The majority of online stores exploited by cybercriminals for payment skimming attacks were compromised by known vulnerabilities in the Magento e-commerce platform. In February 2021, Magento received a slew of security patches from Adobe. Specifically, Magento Commerce and Magento Open Source across all platforms suffered a total of 18 bugs, ranging in severity from critical to moderate.
More than 2,000 Magento online stores were hacked in September 2020, attacks also spotted by Sansec at the time. Attacks on sites running the now outdated Magento 1.x software were anticipated by Adobe, which issued the first alert in November 2019 about store owners needing to update to the 2.x branch.
Adobe’s initial warning about impending attacks on Magento 1.x stores was later echoed in similar security advisories issued by Mastercard and Visa.
Even the FBI warned in 2020 that hackers were exploiting a three-year-old vulnerability in a Magento plugin to take over online stores and plant a malicious script that logs and steals buyers’ payment card data.