Magento 2 critical flaw exploited in new cyberattack waves

September 28, 2022

Recently, a new surge of cyberattacks exploiting the critical Magento 2 vulnerability CVE-2022-24086 has been observed, allowing threat actors to execute malicious code on unpatched infrastructure.

Since Magento is one of the most widely used open-source e-commerce platforms worldwide, threat actors are enticed to exploit vulnerabilities found in it to steal funds from online shopping sites.

In February this year, the Magento 2 critical flaw CVE-2022-24086 was discovered and patched at the same time. However, the discovery came late for security experts, as threat actors had already been abusing it in attacks. Nevertheless, all online shopping sites that use Magento in their operations were alerted to apply the security update to protect themselves against these threats.

When security researchers published a proof of concept for the Magento 2 critical flaw, threat actors were quick to abuse it, commencing mass exploitation.

Experts stressed that the vulnerability in the affected platform had become one of the most exploited bugs in the cybercriminal landscape today. Threat actors use three different attack methods to abuse the flaw, all of which aim to deliver a remote access trojan (RAT) to the targeted infrastructure.

As explained by the researchers, all three variants are well engineered to inject malicious payloads on unpatched endpoints. In the first method, the hackers create a new customer account on the targeted platform, placing malicious template code in the first- and last-name fields, and then place an order.

Subsequently, the malicious template code is converted into a command that downloads a Linux RAT executable and launches it as a background process on the impacted server. The RAT then communicates with a malicious remote server to receive commands.

In the second method, a PHP backdoor is injected through template code in the VAT field of the initially placed order. This code creates a new file that receives commands through POST requests.

In the last attack variant, the threat actors use template code that replaces a malicious .php file with another malicious, backdoored version.
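All three variants described above share one trait: Magento template directive syntax (`{{...}}`) appears in customer-supplied fields where no legitimate shopper would ever type it. The following Python script is an added example, not code from the article or from Adobe/Magento; it scans exported customer and order records for that syntax in the first-name, last-name and VAT fields the article names. The field names (`firstname`, `lastname`, `vat_id`) and the sample records are assumptions constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Magento template directives take the form {{var ...}}, {{if ...}}...{{/if}},
# {{block ...}} and so on. On stores unpatched against CVE-2022-24086 such
# directives in customer data were evaluated during e-mail rendering, so their
# presence in free-text customer fields is a strong indicator of abuse.
DIRECTIVE_RE = re.compile(r"\{\{\s*/?([A-Za-z_]+)\b[^}]*\}\}")

# Assumed export column names: the name fields used by the first attack method
# and the VAT field used by the second.
WATCHED_FIELDS = ("firstname", "lastname", "vat_id")


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    directive: str   # directive name, or "unknown" for stray "{{" without a full match
    snippet: str     # first 60 characters of the matched text, for the analyst


def scan_record(record: dict) -> list[Finding]:
    """Return one Finding per template directive found in a watched field."""
    findings = []
    rid = str(record.get("id", "?"))
    for field in WATCHED_FIELDS:
        value = record.get(field)
        if not isinstance(value, str):
            continue
        matches = list(DIRECTIVE_RE.finditer(value))
        for m in matches:
            findings.append(Finding(rid, field, m.group(1).lower(), m.group(0)[:60]))
        # A lone "{{" with no complete directive is still suspicious: flag it too.
        if not matches and "{{" in value:
            findings.append(Finding(rid, field, "unknown", value[:60]))
    return findings


def scan_records(records) -> list[Finding]:
    """Scan an iterable of record dicts (e.g. rows from a CSV export)."""
    out = []
    for record in records:
        out.extend(scan_record(record))
    return out


# Constructed sample records for the demonstration; not real customer data.
# Record 1001 is benign; 1002 to 1004 contain template syntax in watched fields.
SAMPLE_RECORDS = [
    {"id": "1001", "firstname": "Alice", "lastname": "Martin", "vat_id": "GB123456789"},
    {"id": "1002", "firstname": "{{var customer.email}}", "lastname": "Smith", "vat_id": ""},
    {"id": "1003", "firstname": "Bob", "lastname": "{{if x}}y{{/if}}", "vat_id": "{{block class='Foo'}}"},
    {"id": "1004", "firstname": "{{ truncated", "lastname": "Lee", "vat_id": None},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f.record_id}: field={f.field} directive={f.directive} snippet={f.snippet!r}")
```

Run it over a CSV or database export of the `customer_entity` and order address tables; any hit is worth investigating even on a patched store, since the directive text remains in the database after the patch closes the evaluation path.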

Researchers believe that, aside from these three attack variants, threat actors will continue to deploy more methods to abuse the Magento 2 vulnerability as long as exploitable instances remain in the wild. Thus, all website admins are instructed to patch their infrastructure immediately and follow Magento's published security guidelines to avoid becoming the next target of hackers.
