Magento Flaw Exploited by Threat Actors to Inject Persistent Backdoor into E-commerce Websites

A critical vulnerability in Magento, tracked as CVE-2024-20720 with a CVSS score of 9.1, is being actively exploited by threat actors to inject a persistent backdoor into e-commerce websites, allowing for arbitrary code execution.

Adobe addressed this vulnerability in security updates released on February 13, 2024, describing it as a case of "improper neutralization of special elements."

Sansec, a security firm, discovered that attackers are using a cleverly crafted layout template in the database to automatically inject malicious code for executing arbitrary commands.

The attackers leverage the Magento layout parser along with the beberlei/assert package (which is installed by default) to execute system commands. This injected command is triggered whenever the <store>/checkout/cart page is accessed.

The specific command used is sed, which inserts a code execution backdoor responsible for deploying a Stripe payment skimmer. This skimmer captures and exfiltrates financial information to another compromised Magento store.
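
For store owners checking for this kind of persistence, the following added example (not from Sansec, Adobe or the original article) triages rows exported from Magento's layout_update table and flags layout XML that matches the behaviour described above. The row shape, the pattern list and the sample rows are assumptions constructed for illustration; the flagged sample entry is redacted placeholder text, not the observed payload.

```python
import re

# Heuristics derived from the article's description (assumptions, not published
# indicators): layout XML has no ordinary reason to reference the beberlei/assert
# namespace, name a PHP command-execution function, or carry shell command text.
INDICATORS = {
    "beberlei_assert_reference": re.compile(r"\bAssert\\+\w+"),
    "php_exec_function": re.compile(r"\b(?:system|exec|passthru|shell_exec|proc_open|popen)\b"),
    "shell_command_text": re.compile(r"\b(?:sed|bash|sh|curl|wget)\s+-\w"),
}

# Constructed sample rows, shaped like an export of layout_update
# (layout_update_id, handle, xml). Row 2 is a redacted placeholder.
SAMPLE_ROWS = [
    {"layout_update_id": 1, "handle": "default",
     "xml": '<referenceBlock name="footer_links" remove="true"/>'},
    {"layout_update_id": 2, "handle": "checkout_cart_index",
     "xml": '<block class="[REDACTED]"> ... Assert\\Assertion ... system ... sed -i [REDACTED] ... </block>'},
    {"layout_update_id": 3, "handle": "cms_index_index",
     "xml": '<referenceContainer name="content"><block class="Magento\\Cms\\Block\\Block" name="promo"/></referenceContainer>'},
]

def scan_layout_rows(rows):
    """Return one finding per row whose XML matches any indicator."""
    findings = []
    for row in rows:
        xml = row.get("xml") or ""  # tolerate NULL xml columns
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(xml))
        if hits:
            findings.append({
                "layout_update_id": row["layout_update_id"],
                "handle": row["handle"],
                "indicators": hits,
                # The article says the injected command fires on <store>/checkout/cart.
                "checkout_handle": row["handle"].startswith("checkout_"),
            })
    return findings

if __name__ == "__main__":
    for finding in scan_layout_rows(SAMPLE_ROWS):
        print(finding)
```

A match is a lead for manual review, not proof of compromise; a single indicator such as the word "system" can appear in legitimate layout XML, so rows with several indicators on a checkout handle deserve attention first.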

These developments occur alongside legal actions taken by the Russian government against individuals charged with using skimmer malware to steal credit card and payment data from foreign e-commerce stores since late 2017.

The individuals charged include Denis Priymachenko, Alexander Aseyev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev. According to Recorded Future News, the arrests were made a year ago, as documented in court records.

The Prosecutor General's Office of the Russian Federation stated that the hacker group illegally acquired information on nearly 160 thousand payment cards of foreign citizens, subsequently selling them through shadow internet sites.