A significant vulnerability has been identified in Magento, with threat actors exploiting this flaw to implant a persistent backdoor in e-commerce platforms. This attack leverages the CVE-2024-20720 vulnerability (CVSS score: 9.1), categorized by Adobe as indicative of “improper neutralization of special elements,” which can lead to arbitrary code execution.
The vulnerability was addressed by Adobe in security updates released on February 13, 2024. Cybersecurity firm Sansec has reported that attackers are utilizing a “cleverly crafted layout template” within the Magento database, which facilitates automatic injection of malicious code to execute targeted commands.
Sansec’s analysis indicates that hackers are combining the Magento layout parser with the default installation of the beberlei/assert package to initiate system commands. Due to the layout block’s association with the checkout cart feature, the command is executed every time the checkout cart is accessed.
The executed command employs sed to insert a backdoor, which subsequently allows the deployment of a Stripe payment skimmer. This skimmer is designed to capture and transmit sensitive financial information from unsuspecting customers to an alternate compromised Magento store.
This development coincides with allegations from the Russian government, which has charged six individuals for utilizing skimmer malware to pilfer credit card data from international e-commerce sites since late 2017. The accused include Denis Priymachenko, Alexander Aseyev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev, with arrests reported approximately a year ago according to court documents.
The Russian Prosecutor General’s Office disclosed that members of this hacking group illegally obtained information from nearly 160,000 foreign payment cards, subsequently distributing the acquired data via clandestine online platforms.
This incident underlines a pressing need for heightened vigilance among Magento users, particularly regarding potential initial access tactics such as exploiting known vulnerabilities, establishing persistence through backdoors, and executing commands to elevate privileges. As e-commerce continues to expand, the importance of safeguarding against such vulnerabilities becomes increasingly critical for businesses and consumers alike.
