E-commerce sites running Adobe’s Magento 2 software have been targeted by an ongoing campaign called Xurum since at least January 2023 [1] [2] [3] [4] [5]. The campaign exploits a critical security flaw in Adobe Commerce and Magento Open Source to gain unauthorized access to these sites [1] [2] [3] [4] [5]. The attackers, believed to be of Russian origin [1] [3] [5], are primarily interested in payment statistics from the past 10 days and have also infected some websites with JavaScript-based skimmers to collect credit card information [1].

Description

The Xurum campaign targets e-commerce sites running Adobe’s Magento 2 software. It takes advantage of a critical security flaw (CVE-2022-24086) in Adobe Commerce and Magento Open Source [1] [2] [3] [4], which Adobe has since patched. The flaw allowed attackers to execute arbitrary code and gain access to the targeted sites. The attackers, believed to be of Russian origin [1] [3] [5], have demonstrated a high level of expertise in Magento and have targeted specific instances rather than indiscriminately exploiting every vulnerable site [1] [2] [3] [4] [5].

The attack chain begins with the exploitation of CVE-2022-24086 for initial access. The attackers then execute malicious PHP code and drop a web shell named wso-ng, which is activated only when the attacker sends a specific cookie in the HTTP request [1]. The attacks culminate in the creation of rogue admin users whose names resemble popular Magento 2 extension stores, such as “Mageworx,” so that the accounts blend in with legitimate ones [1] [3].

The web shell incorporates a hidden login page to steal credentials and integrates with legitimate tools to gather information about the infected machine [3]. The exact scale of the campaign is unknown [1] [3], but the attackers have shown a particular interest in payment statistics from the past 10 days. Additionally, some websites have been infected with JavaScript-based skimmers [1] [3], which are used to collect credit card information during the checkout process.

Conclusion

The Xurum campaign poses a significant threat to e-commerce sites using Adobe’s Magento 2 software. While the security flaw (CVE-2022-24086) has been patched, the attackers have demonstrated a high level of expertise and targeted specific instances [1] [3], indicating a need for continued vigilance and security measures. The impact of this campaign includes unauthorized access to sites, potential theft of payment statistics, and the collection of credit card information through JavaScript-based skimmers.

To mitigate the risks associated with the Xurum campaign, e-commerce site owners should ensure that they have applied the necessary patches and updates to their Magento 2 software. Regular security audits and monitoring should also be conducted to detect any unauthorized access or suspicious activities. Additionally, implementing strong authentication measures and regularly educating users about phishing and other social engineering tactics can help prevent unauthorized access and data breaches.
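One concrete audit for the rogue-admin persistence described above, as an added example that is not code from the cited reports: it flags admin_user rows whose usernames resemble a known extension vendor and notes whether the account was created recently. The vendor list and sample rows are constructed; only “Mageworx” comes from the campaign description, and the admin_user column names are an assumption to verify against your own schema.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed vendor list: "Mageworx" is the name cited for the campaign; the second
# entry is a placeholder to replace with the vendors of your installed extensions.
KNOWN_VENDORS = ["Mageworx", "EXAMPLE-VENDOR-PLACEHOLDER"]

def normalize_name(name):
    """Lower-case and drop separators/digits so 'Mage-Worx1' -> 'mageworx'."""
    return re.sub(r"[^a-z]", "", name.lower())

def edit_distance(a, b):
    """Levenshtein distance; catches one-character look-alike spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_suspicious_admins(rows, now, max_age_days=30, vendors=KNOWN_VENDORS):
    """Return [(username, reason)] for admin rows named like a vendor; the reason
    also records whether the account was created recently, the stronger signal."""
    cutoff = now - timedelta(days=max_age_days)
    flagged = []
    for row in rows:
        uname = normalize_name(row["username"])
        created = datetime.fromisoformat(row["created"]).replace(tzinfo=timezone.utc)
        for vendor in vendors:
            v = normalize_name(vendor)
            if v in uname or edit_distance(uname, v) <= 1:
                reason = f"resembles vendor '{vendor}'"
                if created >= cutoff:
                    reason += f"; created {row['created']}, within {max_age_days} days"
                flagged.append((row["username"], reason))
                break
    return flagged

# Constructed sample rows, shaped like `SELECT username, created FROM admin_user`
# (assumed Magento 2 column names; verify against your schema before use).
SAMPLE_ROWS = [
    {"username": "store_admin", "created": "2022-03-01 09:15:00"},
    {"username": "mageworx", "created": "2023-08-09 02:41:12"},
    {"username": "Mage-Worx1", "created": "2023-08-10 03:02:55"},
    {"username": "marketing", "created": "2023-07-20 11:00:00"},
]

def audit_sample():
    return flag_suspicious_admins(SAMPLE_ROWS, datetime(2023, 8, 11, tzinfo=timezone.utc))
```

Against a live store, feed the rows from your own admin_user export and pass the current UTC time instead of the fixed clock used for the sample.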

The Xurum campaign is reminiscent of Magecart attacks, where skimmer code is inserted into checkout pages to steal payment data [5]. This highlights the ongoing need for robust security measures in the e-commerce industry to protect customer information and maintain trust in online transactions.

References

[1] https://thehackernews.com/2023/08/ongoing-xurum-attacks-on-e-commerce.html
[2] https://gixtools.net/2023/08/ongoing-xurum-attacks-on-e-commerce-sites-exploiting-critical-magento-2-vulnerability/
[3] https://www.redpacketsecurity.com/ongoing-xurum-attacks-on-e-commerce-sites-exploiting-critical-magento-vulnerability/
[4] https://www.linkedin.com/posts/wdevault_ongoing-xurum-attacks-on-e-commerce-sites-activity-7096846214800818176-NxD0
[5] https://cyber.vumetric.com/security-news/2023/08/14/ongoing-xurum-attacks-on-e-commerce-sites-exploiting-critical-magento-2-vulnerability/