Cybersecurity researchers have found attackers exploiting a critical vulnerability in Magento to plant persistent backdoors on vulnerable servers.
Late last week, experts from Sansec published a blog post detailing a “cleverly crafted layout template in the database”, used to automatically inject malware.
The template abuses an “improper neutralization of special elements” flaw, in other words a command injection, now tracked as CVE-2024-20720 and rated 9.1 (critical) on the CVSS scale.
Targeting Europeans
Magento is an open-source e-commerce platform written in PHP. Adobe acquired it in mid-2018, for $1.68 billion. Today, more than 150,000 online stores use Magento, which is generally perceived as one of the top e-commerce platforms out there.
“Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands,” the researchers said in their writeup. “Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested.”
The command in this case uses sed, the stream editor, to write a backdoor into the CMS controller. “Clever, because the malware would be reinjected after a manual fix or a bin/magento setup:di:compile run,” they concluded.
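One practical response to the technique described above is to audit the layout updates stored in the database, since that is where the malicious template lives and from where it is reinjected. The script below is an added example, not Sansec's or Magento's own code. It assumes rows pulled from Magento 2's `layout_update` table (`SELECT layout_update_id, handle, xml FROM layout_update;`) and uses Magento's standard layout argument syntax `xsi:type="helper" helper="Class::method"`; the rule that a legitimate helper argument points at a class in a `...\Helper\...` namespace is a heuristic of this example, as are the text indicators. The sample rows are constructed inline so the script runs offline; row 3 is built to resemble the article's description, not the real payload.

```python
"""Heuristic scan of Magento 2 layout_update rows for injected templates.

Added example (not Sansec's or Magento's code).  Looks for layout XML that
references beberlei/assert, runs shell commands, or wires a non-Helper class
into a helper argument, as in the checkout-cart backdoor described above.
"""
import re
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Text-level indicators.  The first two follow from the technique in the
# article; the rest are generic command-injection tells.  Hits are leads for
# manual review, not proof of compromise.
TEXT_PATTERNS = [
    (r"Assert\\Assertion", "references beberlei/assert from layout XML"),
    (r"\bsed\s+-i\b", "in-place sed edit (how the CMS controller backdoor was written)"),
    (r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", "PHP command-execution call"),
    (r"base64_decode\s*\(", "encoded payload"),
]


def parse_fragment(fragment):
    """Parse a stored layout fragment.

    Rows in layout_update hold fragments that use the xsi: prefix without
    declaring it, so wrap them in a root element that does.
    """
    return ET.fromstring(f'<layout xmlns:xsi="{XSI}">{fragment}</layout>')


def scan_layout_update(row):
    """Return a list of human-readable reasons this row deserves review."""
    findings = []
    xml = row["xml"]
    for pattern, reason in TEXT_PATTERNS:
        if re.search(pattern, xml, re.IGNORECASE):
            findings.append(reason)
    try:
        root = parse_fragment(xml)
    except ET.ParseError as exc:
        # A fragment Magento's own parser would choke on is itself a lead.
        findings.append(f"unparseable layout XML: {exc}")
        return findings
    for arg in root.iter("argument"):
        if arg.get(f"{{{XSI}}}type") == "helper":
            helper = arg.get("helper", "")
            class_name = helper.split("::", 1)[0]
            # Heuristic (assumption of this example): legitimate helper
            # arguments resolve to a class inside a ...\Helper\... namespace.
            if "\\Helper\\" not in class_name:
                findings.append(f"helper argument outside a Helper namespace: {helper}")
    return findings


def scan_rows(rows):
    """Map layout_update_id -> handle and findings for every flagged row."""
    report = {}
    for row in rows:
        findings = scan_layout_update(row)
        if findings:
            report[row["layout_update_id"]] = {"handle": row["handle"], "findings": findings}
    return report


# Constructed sample rows in the shape of
#   SELECT layout_update_id, handle, xml FROM layout_update;
# Rows 1 and 2 are benign; row 3 is a stand-in for the injected template.
SAMPLE_ROWS = [
    {
        "layout_update_id": 1,
        "handle": "default",
        "xml": (
            '<referenceContainer name="footer">'
            '<block class="Magento\\Framework\\View\\Element\\Template" '
            'name="store.notice" template="Magento_Theme::html/notice.phtml"/>'
            "</referenceContainer>"
        ),
    },
    {
        "layout_update_id": 2,
        "handle": "catalog_category_view",
        "xml": (
            '<referenceBlock name="page.main.title"><arguments>'
            '<argument name="title" xsi:type="helper" '
            'helper="Magento\\Catalog\\Helper\\Data::getTitle"/>'
            "</arguments></referenceBlock>"
        ),
    },
    {
        "layout_update_id": 3,
        "handle": "checkout_cart_index",
        "xml": (
            '<referenceContainer name="content">'
            '<block class="Magento\\Framework\\View\\Element\\Template" name="cart.extra">'
            '<arguments><argument name="data" xsi:type="helper" '
            'helper="Assert\\Assertion::regex"><![CDATA['
            "system(\"sed -i '1s/^/BACKDOOR_PLACEHOLDER/' "
            'vendor/magento/module-cms/Controller/Index/Index.php")'
            "]]></argument></arguments></block></referenceContainer>"
        ),
    },
]

if __name__ == "__main__":
    for update_id, info in scan_rows(SAMPLE_ROWS).items():
        print(f"layout_update {update_id} (handle {info['handle']}):")
        for finding in info["findings"]:
            print(f"  - {finding}")
```

A hit on the `checkout_cart_index` handle deserves particular attention, since that is the page whose rendering triggered the command in the reported attack; but any flagged row should be compared against what the theme and installed modules legitimately register before it is deleted.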
Adobe fixed the flaw in a security update published on February 13 this year, so if you haven’t already installed it, now would be a good time. Note that because the malicious template lives in the database and is reinjected on each cart request, patching alone will not clean an already compromised store: the stored layout updates and the CMS controller need to be checked for tampering as well.
Given Magento’s popularity, it’s no wonder that it’s a major target. The best-known family of credit card skimming attacks, Magecart, even takes its name from the platform, and the last time we heard of it, threat actors were using skimmers to target websites running outdated and unsupported versions of Magento in bulk.
In February 2022, Sansec discovered more than 500 stores infected on the same day with the same malware. The researchers said the attackers used the naturalfreshmalll.com domain (since taken down) to load the skimmer onto e-commerce websites running Magento 1.
That version reached its end of life on June 30, 2020, meaning it no longer receives security or usability updates, which makes it a perfect target for cybercriminals.
Via TheHackerNews