Attackers Target Critical New Magento Exploit


Adobe’s popular open-source e-commerce platform Magento has once again fallen prey to Magecart attackers. They used what’s been described as a “…cleverly crafted layout template in the database table,” containing XML shell code that automatically injects malware into compromised sites using the Magento content management system (CMS) controller.

The attackers combined the Magento layout parser with the beberlei/assert package (which is installed by default) to execute system commands. The injected sed command adds a backdoor to the CMS controller, and because the layout block is tied to the checkout cart, the command runs every time <store>/checkout/cart is requested. Even after manual fixes or system recompilations are applied, the malware is injected again, making it a persistent and tenacious threat. The backdoor gives attackers ongoing access to the compromised systems and also lets them inject additional malicious payloads.
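A defender-side check for the persistence mechanism described above, added here as an example and not code from the original article or from Magento: it scans layout XML stored in the database (Magento's layout_update table is assumed as the source) for the two indicators the article names, references to the beberlei/assert library and embedded shell commands such as sed. The indicator list and both sample rows are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Indicators that have no business inside a layout update. The class indicator
# reflects the beberlei/assert abuse; the shell patterns catch the sed-style
# backdoor installer. This list is an assumption, not an official signature set.
SUSPICIOUS_CLASSES = ("Assert\\Assertion", "Assert\\")
SHELL_PATTERNS = [
    re.compile(r"\bsed\s+-i\b"),
    re.compile(r"\b(sh|bash)\s+-c\b"),
    re.compile(r"\b(curl|wget)\s+https?://"),
    re.compile(r"\bphp\s+-r\b"),
    re.compile(r"\b(system|shell_exec|passthru|exec)\s*\("),
    re.compile(r"base64_decode\s*\("),
]

def _walk(elem, path=""):
    # Yield (readable_path, element) for every node, tagging blocks by name.
    tag = elem.tag.split("}")[-1]
    name = elem.attrib.get("name")
    here = f"{path}/{tag}" + (f"[{name}]" if name else "")
    yield here, elem
    for child in elem:
        yield from _walk(child, here)

def _match_shell(origin, path, where, value):
    return [(origin, path, f"{where} contains shell pattern {p.pattern!r}")
            for p in SHELL_PATTERNS if p.search(value)]

def scan_layout_xml(xml_text, origin="layout"):
    """Return (origin, element_path, reason) findings for one layout document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [(origin, "<root>", f"unparseable XML: {exc}")]
    findings = []
    for path, elem in _walk(root):
        for attr, value in elem.attrib.items():   # class=, template=, helper= ...
            if any(c in value for c in SUSPICIOUS_CLASSES):
                findings.append((origin, path, f"attribute {attr!r} references Assert library"))
            findings.extend(_match_shell(origin, path, f"attribute {attr!r}", value))
        if elem.text:
            findings.extend(_match_shell(origin, path, "text", elem.text))
    return findings

def scan_rows(rows):
    # rows: (handle, xml) pairs as exported from the layout_update table (assumed).
    return [f for handle, xml in rows for f in scan_layout_xml(xml, origin=handle)]

# Constructed sample rows: a normal CMS block on the cart page, and a stand-in
# malicious row carrying only the indicator strings (not a real payload).
BENIGN_ROW = ("checkout_cart_index", """<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <body><referenceContainer name="content"><block class="Magento\\Cms\\Block\\Block" name="cart_promo">
  <arguments><argument name="block_id" xsi:type="string">cart-promo</argument></arguments>
 </block></referenceContainer></body></page>""")
MALICIOUS_ROW = ("checkout_cart_index", """<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <body><referenceContainer name="content"><block class="Assert\\Assertion" name="x">
  <arguments><argument name="cmd" xsi:type="string">sed -i 's/X/Y/' path/to/CmsController.php</argument></arguments>
 </block></referenceContainer></body></page>""")
```

Run `scan_rows([BENIGN_ROW, MALICIOUS_ROW])` after each deploy or on a schedule; any finding on a handle tied to the cart page deserves the same response as a confirmed file-integrity alert.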

The Magecart cybercrime organization, which has become infamous for payment card skimming, has been observed using this technique to inject a fake Stripe payment skimmer, which captures and then exfiltrates payment data to an attacker-controlled location.

The Vulnerability

Cybersecurity researchers discovered that threat actors were exploiting a critical vulnerability, CVE-2024-20720, which has a severity score of 9.1, and using it to deploy persistent backdoors onto vulnerable servers. According to the advisory, older versions of Adobe Commerce are “…affected by an Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction.”

Adobe (which owns the Magento platform) resolved this security bug in both Adobe Commerce and Magento in February 2024, and it recommends that all e-commerce retailers should upgrade their versions to 2.4.6-p4, 2.4.5-p6, or 2.4.4-p7 to stay protected from this threat.

Interestingly, the CVE vulnerability being exploited was first reported by a member of Adobe’s invite-only bug bounty program, a security researcher who goes by the name of Blaklis. Adobe set the program up to reward users for discovering security issues.

Magecart Attacks

When web skimming attacks first appeared in around 2010 (mass attacks appeared from 2015 onwards), the Magento open-source e-commerce software platform was their first target, so they were given the name “Magecart,” a combination of “Magento” and “shopping cart.” The term is now used to describe web skimming attacks on other platforms, and it’s also used as a catchall name for the estimated seven cybercrime groups that typically carry out these attacks.

Coincidentally, the Russian government has recently charged six people on suspicion of using Magecart attacks to fraudulently obtain the payment information and credit card details of around 160,000 individuals from foreign e-commerce stores since at least 2017. This is quite an unusual step, as Russian card-skimming gangs rarely face public prosecution, but it is welcome, nevertheless. That said, it is unlikely to make a dent in the overall number of Magecart attacks, which continue to plague businesses worldwide.

Magecart Protection

Magecart attacks on e-commerce stores can result in severe consequences. British Airways was initially fined £184 million ($229 million) after 22 lines of injected code diverted the payment details and personal information of 400,000 of its customers to a website controlled by a hacking group. The fine was later reduced to $20 million due to “…the economic effects of COVID-19,” but by then the reputational damage had been done.

As more websites collect user payment information, the prevalence of Magecart-style attacks is on the rise. To secure your online business, adopt a comprehensive web security strategy that mitigates Magecart and other code injection threats in the browser and also ensure that back-end infrastructure is protected.

Best Practices

Take these precautions to protect your online store:

  • Regularly update software like CMS, plugins, themes, and third-party code.
  • Use strong, unique passwords for all accounts (admin, SFTP, database).
  • Only add third-party JavaScript from reputable sources.
  • Monitor your site for unauthorized access or changes.
  • Implement a web application firewall and intrusion detection, and apply virtual patches to known vulnerabilities.
  • Set up a Content Security Policy header to add protection against clickjacking, XSS, and data exfiltration, and to control browser resource restrictions.
  • Restrict unauthorized access to sensitive data by practicing the principle of least privilege to mitigate risk.
  • Use a robust security solution that examines and controls all website API calls to the browser, ensuring that only approved APIs can access sensitive data while preventing malicious scripts from obtaining customer information.
  • Any security system should include monitoring features that send alerts when indicators of compromise are detected.

How Reflectiz Can Help

At 14 years old and counting, Magecart attacks show no sign of going away, but neither does the Reflectiz continuous web threat management solution. Standard security measures like WAFs don’t pick up Magecart threats, which is why the average time to discovery of these malicious code injections is 171 days. That’s more than enough time to steal user information that attracts lawsuits, brand damage, loss of trust, and GDPR/CCPA fines. Don’t risk it! Sign up today for maximum protection and ongoing peace of mind.
