Critical Magento bug used in new round of attacks

Cybercriminals are increasingly trying to exploit a critical template vulnerability in Magento 2 to execute code on unpatched websites.

That’s according to researchers from e-commerce malware detection service Sansec, who say they’ve recently seen a spike in hacking efforts targeting CVE-2022-24086.

Magento, which was acquired by Adobe in 2019, is one of the most popular e-commerce platforms in the world. It provides widely used e-commerce software on an open source and commercial basis.

The Magento Marketplace portal is currently used by thousands of people to buy, sell and download themes and plugins for Magento-based online stores. However, the popularity of Magento has also made the platform a constant target for cybercriminals.

CVE-2022-24086 was discovered in February 2022, when Adobe found it was being exploited in the wild by malicious actors in “very limited attacks”.

The flaw was given a severity score of 9.8 out of 10 and a patch was released within days to resolve the issue.

Adobe advised administrators of online stores running Adobe Commerce or Magento Open Source versions 2.4.3-p1/2.3.7-p2 and lower to prioritize handling CVE-2022-24086 and apply fixes as soon as possible.

CVE-2022-24086 is described as “an improper input validation during checkout process vulnerability”, and researchers have warned that it can be exploited without user interaction, potentially leading to the execution of arbitrary code.

Researchers released a proof-of-concept (PoC) exploit for CVE-2022-24086 days after the flaw was discovered, paving the way for its widespread exploitation.

Sansec researchers now claim to have seen three attack patterns that attempted to install a Remote Access Trojan (RAT) on vulnerable endpoints by exploiting CVE-2022-24086.

All of the attacks detected were interactive, the researchers said, possibly because Magento’s payment sequence is particularly difficult to automate.

The three attack variants

The first variant starts by using malicious template code to create a new customer account on the target platform. The attacker then places an order, which may end in a failed payment.

The injected code decodes into a command that downloads a Linux executable named 223sam.jpg and starts it as a background process.

According to the researchers, it is essentially a Remote Access Trojan (RAT) that stays in memory and communicates with a remote server in Bulgaria to receive further commands.

Both the database and active PHP processes are fully accessible to the RAT.

The second attack variant attempts to plant a health_check.php backdoor by placing the template code in the VAT field of the order.

The backdoor creates a new file on the server and accepts further commands via POST requests.

In the third attack variant, the template code replaces “generated/code/Magento/Framework/App/FrontController/Interceptor.php” with malicious code.

Because that file is loaded on every request, the malware is executed whenever a Magento page is requested.
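The three variants described above all leave an artefact on disk: a dropped executable (223sam.jpg), a dropped web backdoor (health_check.php), or a modified generated file (Interceptor.php). The following is an added example of a defender-side integrity check, written for this article and not code from Sansec or the Magento project. It assumes the operator recorded a SHA-256 of the known-good generated Interceptor.php at deployment time (the `interceptor_baseline_sha256` parameter is an assumption of this example), and it builds a throwaway directory tree with constructed placeholder files so it runs offline. Matching on the exact filenames reported is deliberately narrow; an attacker can rename a dropper, so the hash comparison of generated code is the more robust of the two checks.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Filenames named in the Sansec report summarised above (variants 1 and 2).
BACKDOOR_FILENAMES = {"health_check.php", "223sam.jpg"}

# Generated file that variant 3 overwrites; loaded on every Magento request.
INTERCEPTOR_REL = Path("generated/code/Magento/Framework/App/FrontController/Interceptor.php")


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_magento_root(root, interceptor_baseline_sha256=None):
    """Return a list of (finding, relative_path) tuples for the indicators above.

    interceptor_baseline_sha256 is the hash the operator recorded for the
    generated Interceptor.php at deploy time (assumption of this example).
    """
    root = Path(root)
    findings = []

    # Check 1: filename match for the dropped files the report describes.
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name in BACKDOOR_FILENAMES:
                rel = Path(dirpath, name).relative_to(root)
                findings.append(("suspicious_file", str(rel)))

    # Check 2: hash comparison of the generated interceptor against the baseline.
    interceptor = root / INTERCEPTOR_REL
    if interceptor.is_file() and interceptor_baseline_sha256:
        if sha256_file(interceptor) != interceptor_baseline_sha256:
            findings.append(("interceptor_modified", str(INTERCEPTOR_REL)))

    return findings


def build_demo_store():
    """Construct a minimal Magento-like tree with a clean generated interceptor."""
    root = Path(tempfile.mkdtemp(prefix="magento-demo-"))
    (root / INTERCEPTOR_REL).parent.mkdir(parents=True)
    (root / INTERCEPTOR_REL).write_text("<?php\n// constructed placeholder for generated code\n")
    (root / "pub").mkdir()
    baseline = sha256_file(root / INTERCEPTOR_REL)  # recorded at "deploy" time
    return root, baseline


def tamper_demo_store(root):
    """Simulate the on-disk result of all three variants with constructed stand-ins."""
    (root / "pub" / "health_check.php").write_text("<?php // constructed stand-in\n")
    (root / "223sam.jpg").write_bytes(b"\x7fELF constructed placeholder")
    with open(root / INTERCEPTOR_REL, "a") as fh:
        fh.write("// constructed modification\n")


def run_demo():
    """Scan before and after tampering; returns (clean_findings, dirty_findings)."""
    root, baseline = build_demo_store()
    try:
        clean = scan_magento_root(root, baseline)
        tamper_demo_store(root)
        dirty = scan_magento_root(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return clean, dirty


if __name__ == "__main__":
    before, after = run_demo()
    print("clean store:", before)
    print("tampered store:", after)
```

In production the baseline hash would come from the deployment pipeline (the file is regenerated by `setup:di:compile`, so the baseline must be refreshed on every deploy), and the scan would run from cron or a file-integrity monitor rather than against a temporary directory.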

To protect their websites from these attacks, researchers advise Magento 2 site administrators to update their software to the latest version.

The FishPig Attack

The announcement comes days after Sansec researchers warned that cybercriminals were planting malware in servers belonging to online retailers after breaking into FishPig’s server infrastructure.

FishPig is a Magento-WordPress integrations software developer with over 200,000 downloads.

Sansec said attackers injected malware into FishPig Magento Security Suite and several other FishPig extensions for Magento 2 in order to gain access to websites using those products. The injected malware then installed a RAT, dubbed Rekoobe, which lurks on the server as a background process.

When Rekoobe is activated, it provides a reverse shell that allows the attacker to control the compromised server remotely.