The Xurum campaign targets e-commerce sites using Adobe’s Magento 2 software. It takes advantage of a critical security flaw (CVE-2022-24086) in Adobe Commerce and Magento Open Source, which has been patched since its discovery. This flaw allowed attackers to execute arbitrary code and gain access to the targeted sites. The attackers, believed to be of Russian origin, have demonstrated a high level of expertise in Magento and have specifically targeted certain instances rather than indiscriminately exploiting vulnerabilities.
The attack chain begins with the exploitation of CVE-2022-24086 for initial access. The attackers then execute malicious PHP code and drop a web shell named wso-ng. This web shell is activated when the attacker sends a specific cookie in the HTTP request. The attacks culminate in the creation of a rogue admin user whose name resembles that of a popular Magento 2 extension store, such as “Mageworx,” in order to conceal the attackers’ actions.
To mitigate the risks associated with the Xurum campaign, e-commerce site owners should ensure that they have applied the necessary patches and updates to their Magento 2 software. Regular security audits and monitoring should also be conducted to detect any unauthorized access or suspicious activities. Additionally, implementing strong authentication measures and regularly educating users about phishing and other social engineering tactics can help prevent unauthorized access and data breaches.
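The rogue admin account described in the attack chain is something the recommended monitoring can catch directly. The following audit script is an added example, not code from the original report or from Adobe; it assumes a CSV export of the Magento `admin_user` table with `username`, `email`, `created` and `is_active` columns, and the vendor list, the approved-admin list and the sample rows are constructed for illustration (only “Mageworx” comes from the article).

```python
import csv
import io
from difflib import SequenceMatcher

# Extension vendors an attacker might imitate when naming a rogue admin.
# "Mageworx" is cited in the article; the other names are constructed examples.
EXTENSION_VENDORS = ["mageworx", "amasty", "mageplaza", "aheadworks"]

# Admin accounts the shop owner knows about (constructed allowlist).
APPROVED_ADMINS = {"shop_admin", "jane.doe"}


def looks_like_vendor(username, threshold=0.8):
    """Return the vendor name a username contains or closely resembles, else None."""
    name = username.lower()
    for vendor in EXTENSION_VENDORS:
        if vendor in name or SequenceMatcher(None, name, vendor).ratio() >= threshold:
            return vendor
    return None


def audit_admin_users(csv_text):
    """Return (username, reason) for every admin account that is not approved.

    Accounts imitating an extension vendor get a more specific reason so they
    can be prioritised during review.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"]
        if user in APPROVED_ADMINS:
            continue
        vendor = looks_like_vendor(user)
        if vendor:
            findings.append((user, f"not approved; resembles extension vendor '{vendor}'"))
        else:
            findings.append((user, "not in approved admin list"))
    return findings


# Constructed sample export: two legitimate admins and two Xurum-style rogue accounts.
SAMPLE_EXPORT = """username,email,created,is_active
shop_admin,admin@example.test,2021-03-02 09:15:00,1
jane.doe,jane@example.test,2022-01-10 14:02:11,1
Mageworx,support@mageworx-example.test,2023-06-18 03:41:07,1
mageworxx,noreply@example.test,2023-06-18 03:41:40,1
"""

if __name__ == "__main__":
    for user, reason in audit_admin_users(SAMPLE_EXPORT):
        print(f"REVIEW {user}: {reason}")
```

Running the audit on a scheduled basis and diffing its output against the previous run turns a one-off check into the continuous monitoring the mitigation advice calls for.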
The Xurum campaign is reminiscent of Magecart attacks, where skimmer code is inserted into checkout pages to steal payment data. This highlights the ongoing need for robust security measures in the e-commerce industry to protect customer information and maintain trust in online transactions.