Adobe is urging organizations that use the Magento 1 e-commerce platform to upgrade to the latest Adobe Commerce platform. Sansec, maker of an e-commerce malware detection tool, has identified a mass breach of over 500 stores running on the Magento 1 e-commerce platform.
Although Adobe ended support for Magento 1 in June of 2020, many companies are still using it.
Attackers used a combination of SQL injection (SQLi) and PHP Object Injection (POI) to gain control of the Magento store.
According to Sansec, a vulnerability in the Quickview plugin allowed attackers to run code directly on the server. Attackers abused the customer_eav_attribute
The added validation rule is the result of a UNHEX() call:
This POI payload tricks the host application into crafting a malicious object. In this case, Zend_Memory_Manager and Zend_CodeGenerator_Php_File are used to create a file called api_1.php containing a simple backdoor, eval($_POST['z']).
Adding the malicious code to the database does not do anything by itself, according to Sansec. The cleverness of the attack lies in its use of the validation rules for new customers: the attacker can trigger an unserialize call through the Magento sign-up page, as illustrated by these requests:
18.104.22.168 2022-01-28T15:12:02Z "GET /customer/account/create/ HTTP/1.1"
22.214.171.124 2022-01-28T15:12:08Z "GET /api_1.php HTTP/1.1"
Attackers can now run any PHP code via the api_1.php backdoor.
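Two checks a defender can run for the technique described above, as an added example that is not Sansec's or Magento's own code: the first scans customer_eav_attribute rows for serialized PHP objects in validate_rules (where only serialized arrays belong), the second correlates a sign-up page request with a subsequent hit on an unexpected top-level .php file. The sample rows, log lines, IP addresses and the KNOWN_PHP entry-point list are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample rows (attribute_code, validate_rules) from Magento 1's
# customer_eav_attribute table. Legitimate validate_rules are serialized PHP
# arrays ("a:..."); a serialized object ("O:<len>:\"Class\"") never belongs there.
SAMPLE_ROWS = [
    ("firstname", 'a:1:{s:15:"max_text_length";i:255;}'),
    ("telephone", 'a:1:{s:15:"min_text_length";i:1;}'),
    ("lastname", 'O:19:"Zend_Memory_Manager":0:{}'),  # constructed stand-in, not the real payload
]
GADGET_CLASSES = {"Zend_Memory_Manager", "Zend_CodeGenerator_Php_File"}  # named in the write-up
SERIALIZED_OBJECT = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)"')

def find_object_injection(rows):
    """Return (attribute_code, class_name, is_known_gadget) for each
    validate_rules value that contains a serialized PHP object."""
    findings = []
    for code, rules in rows:
        for cls in SERIALIZED_OBJECT.findall(rules or ""):
            findings.append((code, cls, cls in GADGET_CLASSES))
    return findings

# Constructed access-log lines in the shape of the two requests quoted above,
# plus one benign request for contrast (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.10 2022-01-28T15:12:02Z "GET /customer/account/create/ HTTP/1.1"
203.0.113.10 2022-01-28T15:12:08Z "GET /api_1.php HTTP/1.1"
198.51.100.7 2022-01-28T15:13:00Z "GET /index.php/checkout/cart/ HTTP/1.1"
"""
LOG_LINE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+) [^"]*"$', re.M)
KNOWN_PHP = {"/index.php", "/get.php", "/cron.php"}  # assumption: the site's legitimate entry points

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_backdoor_hits(log_text, window_s=60):
    """Flag requests for unexpected top-level .php files; mark whether the same
    IP requested the sign-up page within window_s seconds beforehand."""
    hits, last_signup = [], {}
    for m in LOG_LINE.finditer(log_text):
        ip, ts, _method, path = m.groups()
        if path.startswith("/customer/account/create"):
            last_signup[ip] = _ts(ts)
        elif path.endswith(".php") and path.count("/") == 1 and path not in KNOWN_PHP:
            recent = ip in last_signup and (_ts(ts) - last_signup[ip]).total_seconds() <= window_s
            hits.append((ip, path, recent))
    return hits
```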
Threat actors are capable of leaving at least 19 backdoors open on a system. IT admins should eliminate all of the open backdoors.
Leaving one open means the system will be hit again, warns Sansec.
In a series of tweets, Sansec detailed how hundreds of stores were hit within a single day.
More than 350 ecommerce stores infected with malware in a single day.
Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these stores load the malware via https://naturalfreshmall[.]com/image/pixel[.]js.
— Sansec (@sansecio) January 25, 2022
For more information on the attack, including indicators of compromise, read Sansec’s research.