Malware Compromises Hundreds of E-Commerce Sites, Exposing Sensitive Data
Recent security findings reveal that hundreds of e-commerce websites, including at least one operated by a major multinational corporation, have been compromised by malware that injects malicious code into the browsers of site visitors. The campaign, uncovered by researchers at the cybersecurity firm Sansec, illustrates the continuing threat posed by software supply-chain attacks.
The infections stem from a supply-chain breach affecting at least three software providers. The malicious code had lain dormant for six years before being activated recently, at which point it compromised more than 500 e-commerce sites running the affected software. Experts believe the true number of infected sites could be higher still, potentially approaching 1,000.
Among the affected organizations is a $40 billion multinational firm whose identity Sansec has chosen not to disclose. In communications on Monday, a Sansec representative described current remediation of the compromised assets as "limited," pointing to a broader weakness in how the breach is being addressed.
The ramifications of this supply-chain attack are particularly concerning because the malware can execute code on the e-commerce sites' servers. That capability puts the many people who visit these infected sites at risk, as attackers can deploy information-stealing code that targets visitors' machines. The access amounts to full remote code execution (RCE) on the server, giving attackers the means to alter site operations as they see fit.
Typically, breaches of this type rely on a backdoor that lets the attacker upload and execute arbitrary PHP code. In numerous cases involving Adobe Commerce, also known as Magento, the backdoor has been used to inject skimming code that captures payment information directly in users’ browsers, the pattern commonly associated with Magecart-style attacks, which have long been prevalent in e-commerce environments.
The three software suppliers identified in the breach are Tigren, Magesolution (MGS), and Meetanshi, all of which supply Magento-based solutions used by a wide range of online retailers. A possible infection was also found in a software version from a fourth supplier, Weltpixel, although it remains unverified whether it originated with compromised stores or with the supplier itself. Adobe has increased its focus on securing Magento since acquiring it in 2018, yet the incident underscores the ongoing challenge of keeping widely used e-commerce platforms secure.
From a tactical perspective, the incident maps onto several adversary tactics and techniques in the MITRE ATT&CK framework. Initial access likely came through the compromised software supply chain, persistence was established through the backdoor, and the attackers then escalated privileges to execute their code within the compromised environment, extending their reach to end users’ machines.
The implications for business owners are stark: those relying on third-party software in particular must prioritize strengthening their cybersecurity defenses. With the risk of data breaches escalating, vigilance and proactive measures are essential to safeguarding sensitive customer information and maintaining trust in digital commerce.