
It has been discovered that threat actors are exploiting a critical flaw in Magento to insert persistent backdoors into e-commerce websites.
The vulnerability in question is CVE-2024-20720 (CVSS score: 9.1), which Adobe describes as a case of "improper neutralization of special elements" that could pave the way to arbitrary code execution.
Adobe addressed the issue as part of the security update it released on February 13, 2024.
Sansec said it discovered "crafted layout templates within the database" that were used to automatically inject malicious code and execute arbitrary commands.
“The attacker combines the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands,” the company said.

“The layout block is associated with the checkout cart, so this command
The command in question is sed, which is used to inject a code execution backdoor. That backdoor, in turn, delivers a Stripe payment skimmer to capture and exfiltrate financial information to another compromised Magento store.
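Because the malicious layout templates live in the database rather than on disk, a file-level cleanup alone does not remove them. The following is an added example (not Sansec's tooling or Magento code) of the kind of triage check a store operator can run: it walks the rows of Magento's layout_update table and flags any layout XML that pulls in a beberlei/assert class or carries shell commands such as sed. The table rows, the "Assert\Assertion" block and its method and argument names are all constructed placeholders that only mimic the indicators described above; they are not the attacker's actual payload.

```python
import re
import sqlite3
from typing import Dict, List

# Constructed sample rows standing in for Magento's layout_update table
# (layout_update_id, handle, xml). Row 2 is a placeholder that only mimics
# the indicators Sansec described (a beberlei/assert class instantiated from
# the layout and a sed command in the arguments); the method and argument
# names are invented for illustration and are not the real payload.
SAMPLE_LAYOUT_UPDATES = [
    (1, "default",
     '<referenceBlock name="footer">'
     '<block class="Magento\\Framework\\View\\Element\\Template" name="promo" '
     'template="Magento_Theme::promo.phtml"/></referenceBlock>'),
    (2, "checkout_cart_index",
     '<block class="Assert\\Assertion" name="x">'
     '<action method="setData"><argument name="cmd" xsi:type="string">'
     "sed -i 's/__MARK__/eval/' pub/index.php</argument></action></block>"),
    (3, "catalog_product_view",
     '<referenceContainer name="content">'
     '<block class="Magento\\Catalog\\Block\\Product\\View" name="product.info.extra" '
     'template="Magento_Catalog::product/view/extra.phtml"/></referenceContainer>'),
]

# Indicators a legitimate layout update has no reason to contain.
INDICATORS = {
    # beberlei/assert ships its classes under the Assert\ namespace; a layout
    # block instantiating one of them is not normal theme or module behaviour.
    "beberlei_assert_class": re.compile(r'class="Assert\\'),
    # Shell tooling embedded in block arguments (sed is what this campaign used).
    "shell_command": re.compile(r"\b(sed|curl|wget|base64|bash)\b|/bin/sh"),
}


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory SQLite stand-in for the layout_update table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE layout_update "
        "(layout_update_id INTEGER PRIMARY KEY, handle TEXT, xml TEXT)"
    )
    conn.executemany("INSERT INTO layout_update VALUES (?, ?, ?)", SAMPLE_LAYOUT_UPDATES)
    conn.commit()
    return conn


def scan_layout_updates(conn: sqlite3.Connection) -> List[Dict]:
    """Return one finding per layout_update row whose XML matches any indicator."""
    findings = []
    query = "SELECT layout_update_id, handle, xml FROM layout_update"
    for row_id, handle, xml in conn.execute(query):
        hits = [name for name, rx in INDICATORS.items() if rx.search(xml)]
        if hits:
            findings.append({"id": row_id, "handle": handle, "indicators": hits, "xml": xml})
    return findings


if __name__ == "__main__":
    for f in scan_layout_updates(build_sample_db()):
        print(f"layout_update_id={f['id']} handle={f['handle']} indicators={f['indicators']}")
```

Against a live store, point the same query at the real MySQL database instead of the in-memory table, and treat any hit on a checkout-related handle as high priority, since that is where a skimmer wants to run. Remove the database row as well as the file the sed command rewrote; deleting only the file leaves the template in place to re-inject the backdoor the next time the layout is rendered.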
The development comes as the Russian government has indicted six people for using skimmer malware to steal credit card and payment information from overseas e-commerce stores since at least late 2017.
The suspects are Denis Primachenko, Alexander Aseyev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev. Recorded Future News, citing court documents, reported that the arrest was made a year ago.
“As a result, members of the hacker group illegally obtained information on approximately 160,000 payment cards of foreigners, which they then sold through shadowy Internet sites,” the Prosecutor General's Office of the Russian Federation announced.