We discovered that threat actors exploited a critical flaw in Magento to inject persistent backdoors into e-commerce websites.
The attack exploited CVE-2024-20720 (CVSS score: 9.1), which Adobe describes as a case of “improper neutralization of a special element” that could pave the way for arbitrary code execution.
The company addressed this issue in a security update released on February 13, 2024.
Sansec said it discovered a “crafted layout template” in the database that was used to automatically inject malicious code to execute arbitrary commands.
“The attacker combined the Magento layout parser with the beberlei/assert suite (preset installation) to execute system commands,” the company said.
“Since the layout block is associated with the checkout cart, whenever the
The command in question is sed, which is used to insert a code execution backdoor, which is then responsible for serving up the Stripe payment browser to capture financial information and exfiltrate it to another compromised Magento store.
The development comes as the Russian government has charged six people with using skimmer malware to steal credit card and payment information from foreign e-commerce stores since at least late 2017.
The suspects are Denis Primachenko, Alexander Asayev, Alexander Basov, Dmitry Kolpakov, Vladislav Patuk and Anton Tolmachev. The Future News-Record reported, citing court documents, that the arrests were made a year ago.
“As a result, members of the hacker group illegally obtained information on nearly 160,000 payment cards of foreign citizens and then sold this information through shadow Internet sites,” the Prosecutor General’s Office of the Russian Federation said.
