Government, E-commerce Sites Hacked Through Database Tool
For the past year, hackers—some of them associated with the MageCart online skimming group—have broken into high-profile online stores by exploiting a previously unknown vulnerability in a web-based database management tool.
The vulnerability is located in Adminer, a simple tool written in PHP that allows administrators to manage a site’s MySQL or PostgreSQL database. It was fixed silently in June but hasn’t been publicly documented or announced until now.
According to security researcher Willem de Groot, who has been tracking MageCart attacks, even though a username and password are normally required to connect to a database through Adminer, the tool can be tricked into exposing database passwords stored in configuration files for Magento, WordPress or other content management systems.
Adminer has a feature that lets users connect to a remote database server through it. Attackers have figured out that if they point it at a server under their control, that server can answer with rogue data import requests and trick the tool into sending it a local file, for example the configuration file where Magento stores its secret database password. That password can then be used through Adminer to access the local database and extract information from it or insert data into it.
“This attack method has not been published before, but in hindsight I have observed it being used by different Magecart factions at least since October 2018 (although I didn’t understand what was going on back then),” de Groot said in a blog post. “The vulnerability was subsequently used to inject payment skimmers on several high-profile stores (government & multinationals).”
To pull off this attack, hackers need a maliciously modified MySQL server on their end, and de Groot suspects that one has been available for sale on dark markets for a while, because multiple groups have used this technique.
The vulnerability exists in Adminer versions 4.3.1 up to 4.6.2 and was fixed in version 4.6.3, released in June 2018. However, it’s not clear whether the flaw was fixed on purpose or accidentally, because the release notes for Adminer 4.6.3 don’t mention any security fix.
“I would recommend anyone running Adminer to upgrade to the latest version (4.7.0),” de Groot said. “Also, I urge anyone to protect their database tools via an additional password and/or IP filter. Sometimes perpetrators can obtain your database password by other means, and an open Adminer makes life very easy for them.”
MageCart Group Infected Hundreds of Sites Through Advertising Script
The MageCart cybercriminal gang has recently managed to compromise hundreds of websites in one strike by infecting an advertising script shared by all of them.
MageCart is an umbrella for multiple groups that inject malicious JavaScript code into e-commerce sites, particularly in their checkout pages, to steal payment card details and other information when users buy products. This technique is known as online skimming and has led over the past year to data breaches on high-profile sites including British Airways, TicketMaster and Newegg.
The MageCart groups are very active and always look to improve their infection techniques and skimming code. Recently, researchers from Trend Micro found the MageCart skimmer on 277 websites that provide everything from ticketing, touring and flight booking services to prominent cosmetic, healthcare and apparel brands.
“Further research into these activities revealed that the skimming code was not directly injected into e-commerce websites, but to a third-party JavaScript library by Adverline, a French online advertising company, which we promptly contacted,” the Trend Micro researchers said in their report. “Adverline has handled the incident and has immediately carried out the necessary remediation operations in relationship with the CERT La Poste.”
This is not the first time the MageCart groups have compromised websites through a third-party service. In fact, there are sub-groups that specialize in this type of attack.
Website owners can mitigate some of these attacks by using the Subresource Integrity (SRI) web standard, which allows them to specify a cryptographic hash for any external resource that is loaded in their websites. If the third-party script is later modified, its hash changes and won’t match what the website specifies, so the users’ browsers will refuse to load it.