Infosec Watchtower Logo

Critical Magento Flaw Exploited to Inject Backdoors and Steal Financial Data from E-Commerce Sites

Charles M. Walls | April 6, 2024 | Views: 246

A digital illustration showing a hacker at a computer, exploiting a security flaw in an e-commerce website. The hacker, a shadowy figure with a hood.

Security experts have identified a critical vulnerability in Magento that's being exploited by hackers to implant a stealthy backdoor on e-commerce platforms. This breach involves a significant security flaw, indexed as CVE-2024-20720, which Adobe has highlighted as an issue with the "improper neutralization of special elements" that could allow attackers to run arbitrary code on the affected sites. Adobe addressed this vulnerability in its security patch released on February 13, 2024, which carries a high severity rating of 9.1.

According to security firm Sansec, the hackers have ingeniously manipulated a database layout template to perpetuate the injection of harmful code capable of executing arbitrary commands. This malicious code exploits the default presence of the beberlei/assert package in Magento, pairing it with the platform's layout parser to execute these commands during the e-commerce checkout process. Specifically, every time a user navigates to the /checkout/cart URL, the injected command is triggered.

The particular command used in this exploit is 'sed', a stream editor for filtering and transforming text, which here is employed to establish a backdoor for code execution. This backdoor is instrumental in deploying a Stripe payment skimmer, which then siphons off financial data to another breached Magento site, endangering consumer financial information.

This disclosure coincides with recent news from Russia, where authorities have charged six individuals with deploying skimmer malware to pilfer credit card and payment details from international e-commerce sites since at least the end of 2017. Those apprehended include Denis Priymachenko, Alexander Aseyev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev, as reported by Recorded Future News citing judicial documents from a year prior.

The Prosecutor General's Office of the Russian Federation stated that this criminal ring had illicitly accessed information from nearly 160,000 payment cards belonging to foreign nationals and subsequently sold this sensitive data on dark web marketplaces.

Source of Inspiration