Online business under threat: hackers attack online stores on the popular CMS platform Magento 2

Carding

The damage could have been avoided if site owners had installed security updates in time.

Researchers from Akamai warn of ongoing hacker attacks, dubbed Xurum. They are aimed at e-commerce sites running on Adobe's Magento version 2 CMS platform.

In their attacks, the attackers actively exploit the critical vulnerability CVE-2022-24086, which has a score of 9.8 on the CVSS scale. This vulnerability was discovered at the beginning of last year and allows malicious code to be executed on the server.

It is reported that the researchers did not choose the name of the malicious campaign by chance: it comes from the domain name of the hackers' C2 server, "xurum.com". The malicious operation itself has been active for at least 7 months, since January of this year.

Most often, the attackers are interested in confidential data about customer orders and payments for the last 10 days. In some cases, they also install special skimmers to intercept customers' bank card data in real time.

The researchers found that the attackers tried to launch two different malware programs from four IP addresses belonging to the hosting providers Hetzner and Shock Hosting.

The first version of the malware is designed to pre-test whether the victim's server is vulnerable. The second one downloads and runs malicious PHP code directly from the hackers' C2 server.

To mask their actions, the criminals use Base64 encoding and various code obfuscation methods. After gaining access, the hackers register a new hidden Magento component on the compromised site, disguised as a harmless module named "GoogleShoppingAds".

Then, using this backdoor, they activate a powerful web shell called "wso-ng". A special control cookie is used to launch the shell.

It is noteworthy that the web shell itself is disguised as a standard Magento CMS error page. At the same time, it contains a hidden login form for the admin panel, through which administrator credentials are harvested.

In addition, the hackers create a new hidden administrator account, most often named "mageplaza" or "mageworx", for easy management of the compromised site. These names are not chosen by chance either: they hide the backdoor under the guise of popular Magento modules.
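As an added defender-side check (not from Akamai's report or from any Magento tooling), the script below flags the two persistence artefacts described above: a module enabled in app/etc/config.php that is absent from a known-good baseline or carries the "GoogleShoppingAds" name, and active admin accounts outside an approved list or matching the reused usernames. The sample config.php text and admin_user rows are constructed; the baseline and approved sets are assumptions a site owner would fill from their own deployment.

```python
import re

# Indicators taken from the Xurum description above; everything else is assumed.
SUSPICIOUS_MODULE_NAMES = {"googleshoppingads"}
SUSPICIOUS_ADMIN_NAMES = {"mageplaza", "mageworx"}


def enabled_modules(config_php: str) -> set:
    """Return module names set to 1 in the 'modules' array of a Magento 2
    app/etc/config.php (Magento writes it as a flat 'Vendor_Module' => 1 list)."""
    block = re.search(r"'modules'\s*=>\s*\[(.*?)\]", config_php, re.S)
    if not block:
        return set()
    pairs = re.findall(r"'([A-Za-z0-9_]+)'\s*=>\s*(\d)", block.group(1))
    return {name for name, flag in pairs if flag == "1"}


def audit_modules(config_php: str, baseline: set) -> list:
    """Enabled modules not in the baseline, or whose name contains a known
    decoy string; sorted for stable reporting."""
    enabled = enabled_modules(config_php)
    flagged = {m for m in enabled if m not in baseline
               or any(s in m.lower() for s in SUSPICIOUS_MODULE_NAMES)}
    return sorted(flagged)


def audit_admins(admin_rows: list, approved: set) -> list:
    """admin_rows: (username, is_active) tuples exported from admin_user.
    Flags active accounts outside the approved set or using decoy vendor names."""
    return sorted(u for u, active in admin_rows if active
                  and (u not in approved or u.lower() in SUSPICIOUS_ADMIN_NAMES))


# Constructed sample inputs (not real data from any site).
SAMPLE_CONFIG = """<?php
return [
    'modules' => [
        'Magento_Store' => 1,
        'Magento_Catalog' => 1,
        'Magento_Bundle' => 0,
        'Vendor_GoogleShoppingAds' => 1,
    ],
    'scopes' => ['websites' => []],
];
"""
BASELINE_MODULES = {"Magento_Store", "Magento_Catalog", "Magento_Bundle"}
SAMPLE_ADMINS = [("admin", 1), ("mageplaza", 1), ("retired_user", 0)]
APPROVED_ADMINS = {"admin"}

if __name__ == "__main__":
    print("suspicious modules:", audit_modules(SAMPLE_CONFIG, BASELINE_MODULES))
    print("suspicious admins:", audit_admins(SAMPLE_ADMINS, APPROVED_ADMINS))
```

Run it against the real config.php contents and an export of the admin_user table; anything it prints deserves a manual look rather than automatic deletion.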

On the command server "xurum.com" the experts also found tools to exploit the well-known "Dirty COW" vulnerability in Linux, which lets the attacker escalate privileges on the target system.

According to the researchers, the attackers behind the Xurum campaign are acting very carefully and purposefully. They demonstrate a high professional level of hacking skills and expert knowledge of the Magento platform.

According to Akamai experts, this malicious campaign clearly shows how even old vulnerabilities can be actively and successfully used by hackers for a long time after their first detection, disclosure and release of fixes.

Unfortunately, many companies lack the time (or do not consider it necessary) to install all the necessary security updates promptly. This is exactly what enterprising attackers rely on when attacking vulnerable sites.

If your online store runs on the Magento CMS, make sure the software is kept up to date before your data, as well as your customers' data, ends up leaked to the public.