Hackers Infect Magento Shops With Malware Through Extension Flaw

Attackers are breaking into online shops built with Magento by exploiting a known cross-site scripting vulnerability within a popular extension used by merchants for customer support.

A successful compromise results in malware being installed on the website with the goal being to intercept sensitive payment information inputted by customers.

The vulnerability is located in a commercial Magento extension called Mirasvit Helpdesk MX. The flaw was fixed in September. The researchers who found the flaw said at the time that it can be exploited to launch a persistent cross-site scripting attack by injecting script code via the support form’s customer name or ticket subject fields.

The malicious code is then saved in the database and executed in the browser of any support agent who opens and views the poisoned ticket. Support agents use privileged accounts, so script running in their session runs with their access.

The flaw went largely unnoticed by hackers until recently, when they began exploiting it to compromise websites. According to security researcher Willem de Groot, who analyzed such a compromise, the attack is inconspicuous and can bypass many website security defenses.

All that support agents will see are seemingly benign messages such as: “Hey, I strongly recommend you to make a redesign! Please contact me if you need a good designer! – [email protected].”

“This attack is particularly sophisticated, as it is able to bypass many security measures that a merchant might have taken,” de Groot said in a blog post. “For example, IP restriction on the backend, strong passwords, 2-Factor-Authentication and using a VPN tunnel will not block this attack.”

Mirasvit, the company that develops the Helpdesk MX extension, has been alerted about the ongoing attacks and has published a security advisory on its blog with information on how to update the extension to the latest version. The vulnerability affects all versions of Helpdesk MX older than 1.5.3.

If you own a Magento website and use the extension, de Groot recommends analyzing the header and footer templates, because that’s where the malware is inserted. Admins can also scan the database for tickets that include ‘%script%’ in their fields. Finally, adding a Content Security Policy (CSP) header to disallow the execution of external JavaScript files is always a good idea.
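An added illustration, not code from Mirasvit or from de Groot's write-up, of the two points above: why rendering the customer name and subject fields without output escaping lets a stored payload run in the agent's browser, and a Python equivalent of the ‘%script%’ database scan run over constructed ticket rows. The field names and sample rows are assumptions for the example.

```python
import html

# Constructed sample rows shaped like the customer-supplied fields the
# article names (customer name and ticket subject); not real data.
SAMPLE_TICKETS = [
    {"id": 1, "customer_name": "Alice", "subject": "Order 1001 not delivered"},
    {"id": 2,
     "customer_name": 'Bob <script src="https://example.invalid/x.js"></script>',
     "subject": "Hey, I strongly recommend you to make a redesign!"},
    {"id": 3, "customer_name": "Carol", "subject": "Refund <b>please</b>"},
]


def render_ticket_unescaped(ticket):
    """Mirrors the flawed pattern: customer-controlled fields are concatenated
    straight into the agent-facing HTML, so a stored payload executes in the
    support agent's browser when the ticket is opened (stored XSS)."""
    return f"<tr><td>{ticket['customer_name']}</td><td>{ticket['subject']}</td></tr>"


def render_ticket_escaped(ticket):
    """Hardened form: HTML-escape every customer-controlled field on output,
    so the same stored value is displayed as text rather than parsed as markup."""
    name = html.escape(ticket["customer_name"], quote=True)
    subject = html.escape(ticket["subject"], quote=True)
    return f"<tr><td>{name}</td><td>{subject}</td></tr>"


def matches_script_like(value):
    """Python equivalent of the article's LIKE '%script%' database check,
    case-insensitive as MySQL's default collations are."""
    return "script" in value.lower()


def find_suspicious_tickets(tickets, fields=("customer_name", "subject")):
    """Return ids of tickets whose customer-controlled fields contain 'script'.
    Ticket 3 carries harmless markup and is deliberately not flagged, which
    shows the check is a triage aid, not a full HTML sanitizer."""
    return [t["id"] for t in tickets
            if any(matches_script_like(t[f]) for f in fields)]


if __name__ == "__main__":
    print("suspicious ticket ids:", find_suspicious_tickets(SAMPLE_TICKETS))
    print("escaped row:", render_ticket_escaped(SAMPLE_TICKETS[1]))
```

Flagged tickets still need a human look at the stored value, and the header and footer templates should be diffed against a known-good copy regardless of what the scan returns.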

Magento is one of the most popular platforms for building e-commerce websites, which has made it an attractive target for hackers over the years. As with most content management systems, one of the primary risks to users comes from vulnerabilities in third-party components, like extensions or themes.

A hacked Magento shop can have serious implications because it can enable hackers to steal payment card data like in this attack, damaging customer confidence and exposing the merchant to penalties and fines.

Exploit for Huawei Routers Used by Satori Botnet Is Now Public

The exploit code for a remote code execution vulnerability in Huawei home gateway devices has been published online and could be used by attackers to build more router botnets.

The flaw was originally used to create a botnet called Satori that recently managed to enslave over 250,000 devices. At the time, the vulnerability had zero-day status and it’s not clear how Satori’s author, who is believed to be an amateur, obtained information about it.

However, according to researchers from NewSky Security, there is evidence the exploit has circulated in blackhat circles for a while, as an older botnet called Brickerbot also appears to have used it.

The fact that the exploit code has recently been published on Pastebin and is available to virtually anyone makes it very likely that it will be integrated into additional botnets. We’ve seen this before with the Mirai botnet malware, whose source code was leaked online and was used to create hundreds of smaller botnets, including Satori.

Huawei published a security advisory for the vulnerability, which is tracked as CVE-2017-17215, and provided customers—primarily ISPs—with updates as well as manual workarounds. Unfortunately, router security patches rarely get installed on consumer devices.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42