Magento bug exploited to steal payment details from e-commerce websites

By James On Apr 8, 2024

Cybersecurity researchers recently discovered a critical vulnerability in Magento that allowed threat actors to deploy persistent backdoors on vulnerable servers.

Late last week, Sansec experts published a blog post detailing a “cleverly designed database layout template” used to automatically inject malware.

The template exploited an ‘inappropriate neutralization of special elements’ vulnerability, which is now tracked as CVE-2024-20720 and has a severity rating of 9.1 (critical).

Aimed at Europeans

Magento is an open-source e-commerce platform written in PHP. Adobe acquired it in mid-2018 for $1.68 billion. Today, more than 150,000 online stores use Magento, which is generally considered one of the best ecommerce platforms out there.

“Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands,” the researchers said in their article. “Because the layout block is linked to the checkout cart, this command is executed at any time /checkout/shopping cart is prompted.”

The command in this case is called sed and adds a backdoor to the CMS controller. “Smart, because the malware would be reinjected after a manual fix or a bin/magento setup:di:compile run:,” they concluded.

Magento fixed the flaw with a security patch released on February 13 this year, so if you haven’t installed it yet, now would be a good time.

Given Magento’s popularity, it’s no wonder it’s a top target. One of the biggest credit card skimmers out there is called MageCart, and last we heard of it, threat actors have been using the tool to massively target websites running outdated and unsupported versions of Magento.

In February 2022, Sansec discovered more than 500 infections that occurred on the same day, with the same malware. The researchers said the attackers used the domain naturalfreshmalll.com (quickly defunct) to load the malware on e-commerce websites running Magento 1.

This version reached end of life on June 30, 2020, meaning it no longer receives regular security and usability updates, making it a perfect target for cybercriminals.

Through The HackerNews