Cybercriminals and Hacking Groups are Back at it.
The researchers at Sansec have warned of a surge in hacking attempts on Magento 2 sites. A critical Magento 2 vulnerability tracked as CVE-2022-24086 enables unauthenticated attackers to execute code on unpatched Magento sites.
Magento, a popular open-source eCommerce platform by Adobe, is used by thousands of e-stores worldwide. Sansec researchers have alerted merchants to a hacking campaign exploiting the CVE-2022-24086 Magento 2 vulnerability.
In February 2022, Adobe released security updates to address this flaw affecting Adobe Commerce and Magento open-source products; at the time, the company confirmed it was actively exploited.
“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants,” reads the Adobe advisory.
CVE-2022-24086 received a CVSS score of 9.8 out of 10 and is classified as a pre-authentication issue, meaning it can be exploited without credentials.
The vulnerability affects the following versions of the Adobe products:

The Three Variants of Attack
Three attack variants are exploiting CVE-2022-24086 to inject a Remote Access Trojan (RAT) on vulnerable endpoints.
The first variant begins by creating a new customer account on the target platform with malicious template code in the first- and last-name fields, then placing an order.
The injected code then decodes to a command that downloads a Linux executable (“223sam.jpg”), which is launched in the background as a process. This RAT phones home to a Bulgaria-based server to receive commands.
“This attack method defeats some of the security features of the Adobe Commerce Cloud platform, such as a read-only code base and restricted PHP execution under pub/media,” explains Sansec in the report.
“The RAT has full access to the database and the running PHP processes,… and can be injected on any of the nodes in a multi-server cluster environment.”
The second attack injects a PHP backdoor (“health_check.php”) through template code in the VAT field of the placed order.
This code creates a new file (“pub/media/health_check.php”) that accepts commands via POST requests.
The third attack employs template code that, when executed, replaces “generated/code/Magento/Framework/App/FrontController/Interceptor.php” with a malicious, backdoored version.
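As an added example (not code from the article, Sansec or Adobe), the following Python triage script checks a store for the three artifacts described above: template directives in customer name and VAT fields, PHP files under pub/media, and an Interceptor.php that no longer matches a known-good hash. The sample records, the root path and the expected hash are constructed placeholders; the `{{...}}` pattern is Magento's own template directive syntax.

```python
"""Triage checks for the three CVE-2022-24086 attack variants.

Added example; the record export, store root and known-good hash
below are constructed placeholders, not values from a real site."""
import hashlib
import re
from pathlib import Path

# Magento template directives look like {{var ...}} or {{block ...}}.
# Assumption: no legitimate customer types template syntax into a
# name or VAT field, so any directive there is worth an analyst's look.
DIRECTIVE_RE = re.compile(r"\{\{\s*[A-Za-z_]+[^}]*\}\}")

# Fields abused by variants 1 (names) and 2 (VAT) per the article.
WATCHED_FIELDS = ("firstname", "lastname", "vat_id")


def suspicious_records(records):
    """Return (record_id, field, directive) for each watched field
    of each record that contains a template directive."""
    hits = []
    for rec in records:
        for field in WATCHED_FIELDS:
            match = DIRECTIVE_RE.search(rec.get(field) or "")
            if match:
                hits.append((rec["id"], field, match.group(0)))
    return hits


def php_under_media(root):
    """Variant 2 drops pub/media/health_check.php. PHP should never
    live under pub/media, so list every .php file found there."""
    media = Path(root) / "pub" / "media"
    if not media.is_dir():
        return []
    return sorted(str(p.relative_to(root)) for p in media.rglob("*.php"))


def interceptor_modified(root, expected_sha256):
    """Variant 3 replaces the generated FrontController Interceptor.
    Compare it with a SHA-256 recorded from a known-good deployment.
    Returns None when the file is absent (nothing to compare)."""
    path = (Path(root) / "generated/code/Magento/Framework/App/"
            "FrontController/Interceptor.php")
    if not path.is_file():
        return None
    return hashlib.sha256(path.read_bytes()).hexdigest() != expected_sha256


# Constructed sample customer export so the script runs stand-alone.
SAMPLE_RECORDS = [
    {"id": 1, "firstname": "Alice", "lastname": "Smith", "vat_id": "GB123456789"},
    {"id": 2, "firstname": "{{var customer.name}}", "lastname": "X", "vat_id": ""},
    {"id": 3, "firstname": "Bob", "lastname": "Jones", "vat_id": "{{block id='x'}}"},
]

if __name__ == "__main__":
    for hit in suspicious_records(SAMPLE_RECORDS):
        print("template directive in customer data:", hit)
    print("PHP under pub/media:", php_under_media("/placeholder/magento/root"))
```

In production, feed the function a real customer/order export and run the file checks on every node of a multi-server cluster, since the article notes the implants can be injected on any node.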
The Sansec team of researchers has urged Magento 2 site administrators to stick to the security guidelines on the Adobe Commerce and Magento open-source support page. As an Adobe Solutions partner, ioVista suggests you upgrade your Magento or Adobe Commerce to the latest version.