Researchers have warned of a surge in cyberattacks targeting CVE-2022-24086, a pre-authentication issue affecting Adobe Commerce and Magento stores.
In September 2022, Sansec researchers warned of a spike in hacking attempts targeting a critical Magento 2 vulnerability, tracked as CVE-2022-24086.
Magento is a popular open-source e-commerce platform owned by Adobe and used by hundreds of thousands of e-stores around the world.
In February, Adobe rolled out a security update to address the critical CVE-2022-24086 vulnerability affecting its Commerce and Magento open source products, and at the time, the company confirmed it was being actively exploited in the wild.
“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks against Adobe Commerce merchants.” Read the announcement from Adobe.
The flaw is an “improper input validation” vulnerability that could be exploited by a threat actor with administrative privileges to achieve arbitrary code execution on a vulnerable system.
CVE-2022-24086 has a CVSS score of 9.8 out of 10, and it is classified as a pre-authentication issue, meaning it can be exploited without credentials.
The vulnerability affects the following versions of the product:
|Adobe Commerce||2.4.3-p1 and earlier||all|
|2.3.7-p2 and earlier||all|
|Magento open source||2.4.3-p1 and earlier||all|
|2.3.7-p2 and earlier||all|
Adobe Commerce 2.3.3 and earlier versions are not affected by this vulnerability.
A few days after the disclosure, Positive Technologies researchers created a working PoC exploit for the vulnerability.
Unfortunately, approximately one-third of existing Magento and Commerce stores have not yet installed the security update, although Adobe addressed the issue earlier this year.
Now Sansec researchers warn that at least seven Magecart groups injected TrojanOrders into approximately 38 percent of Magento and Adobe Commerce websites in November. TrojanOrders are orders injected using a critical vulnerability in Magento stores.
“After a quiet summer, the number of attacks targeting email template vulnerabilities in Magento 2 and Adobe Commerce is rising fast. Merchants and developers should be on the lookout for TrojanOrders: Orders Exploiting a Critical Vulnerability in Magento Stores.” Read the report “Trends of recent weeks paint a grim picture for global e-commerce DevOps teams in the weeks ahead” from the experts.
The attack chain is simple, the attacker first tries to trigger the system to send an email with the exploit code inserted in one of the fields. The email was triggered by placing an order, but experts also observed other triggers using the “register as customer” or “share wishlist” functions.
Usually the backdoor is hidden in the file health_check.php, which is a legitimate Magento component.
Over the past few weeks, Sansec has identified seven different attack vectors, a figure that suggests at least seven Magecart groups are now actively experimenting with TrojanOrders on Magento 2 sites.
“Developing attack vectors is difficult and expensive. Once a team has a working exploit (attack vector), they continue to use it unless it no longer works.” continues the report. “A significant increase in active scanning of files containing backdoors (health_check.php). This is a sign that attacker groups are trying to take over infected websites from other groups.”
The surge in attacks could be due to the availability of low-cost exploit kits on hacker forums, the high success rate and timing of past attacks (e-commerce sites are under pressure between October and December as this is the main revenue period .).
“The more orders there are, the easier it is to ignore TrojanOrder. Some merchants may get a strange order alert in their sales panel, but most employees ignore it. November is the month to carry out this attack due to the high volume of transactions Perfect month,” Sanseker continued.
Experts urge webmasters to look for suspicious orders and scan their sites for malicious code.
“The first visible sign is a suspicious new customer record or transaction. See a customer pop up with a name or address like ‘system’ or ‘password’? An order placed by [email protected]? This is most likely a TrojanOrder, Sansec advises Check your system as soon as possible.” Summary report.
Follow me on Twitter: @securityaffairs and Facebook and mastodon
(security affairs – Hacking, Magento)