For the past year, hackers—some of them associated with the MageCart online skimming group—have broken into high-profile online stores by exploiting a previously unknown vulnerability in a web-based database management tool.
The vulnerability is located in Adminer, a single-file PHP tool that lets administrators manage a site’s MySQL or PostgreSQL database through the browser. It was fixed silently in June 2018 but hadn’t been publicly documented or announced until now.
According to security researcher Willem de Groot, who has been tracking MageCart attacks, even though a username and password are normally required to connect to a database through Adminer, the tool can be tricked into exposing the database passwords stored in the configuration files of Magento, WordPress or other content management systems.
Adminer lets the user connect to a remote database server instead of the local one, and no valid credentials for the victim’s own database are needed to do so. The attackers point it at a MySQL server they control. That server answers Adminer’s first query not with results but with a request to upload a local file (the MySQL LOAD DATA LOCAL mechanism, in which the server names the file and a client that advertised local-file support reads it and sends it back). Adminer, running on the victim’s web server, complies, so the attacker simply names a file such as the Magento configuration file that holds the database password. With that password the attacker can then log in through the same Adminer instance to the store’s real database and read or modify its contents.
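The following is an added illustration of the client-side check that defeats this trick; it is not Adminer’s code and not taken from de Groot’s write-up. It frames and parses MySQL protocol packets (3-byte little-endian payload length, 1-byte sequence id, payload), and classifies the server’s reply to a query: a reply whose first payload byte is 0xFB is a LOCAL INFILE request, which is only legitimate if the client itself issued a matching LOAD DATA LOCAL statement. The sample packets, the query strings and the file path are constructed for the demo. The CLIENT_LOCAL_FILES capability bit (0x80) is the handshake flag a client must not set if it never wants to receive such requests at all.

```python
"""Client-side guard against a rogue MySQL server's LOAD DATA LOCAL request.

Added illustration (not Adminer's code). Packet layout follows the MySQL
client/server protocol: 3-byte little-endian payload length, 1-byte sequence
id, then the payload. A server answering a query with a payload whose first
byte is 0xFB is asking the client to read a local file and send it back.
"""
import re

# Capability flag the client sends in its handshake response; when it is NOT
# set, a compliant server must not send a LOCAL INFILE request at all.
CLIENT_LOCAL_FILES = 0x00000080

OK_PACKET = 0x00
ERR_PACKET = 0xFF
LOCAL_INFILE_REQUEST = 0xFB

# Matches the one statement that legitimately triggers a LOCAL INFILE request.
_LOAD_LOCAL = re.compile(r"^\s*LOAD\s+DATA\s+LOCAL\s+INFILE\s+'([^']*)'", re.IGNORECASE)


class RogueServerError(Exception):
    """Raised when the server asks for a local file the client never offered."""


def build_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload as a MySQL protocol packet (used here to build samples)."""
    n = len(payload)
    return bytes([n & 0xFF, (n >> 8) & 0xFF, (n >> 16) & 0xFF, seq & 0xFF]) + payload


def parse_packet(raw: bytes) -> tuple:
    """Split a raw packet into (sequence_id, payload), rejecting truncated input."""
    if len(raw) < 4:
        raise ValueError("packet shorter than its 4-byte header")
    length = raw[0] | (raw[1] << 8) | (raw[2] << 16)
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    return raw[3], payload


def classify_response(payload: bytes, query: str) -> str:
    """Classify the server's first reply to `query`.

    The security check: a LOCAL INFILE request is accepted only when the client
    itself sent LOAD DATA LOCAL INFILE and the server asks for exactly the file
    named in that statement. Anything else is the server choosing a file to read
    from the client host, which is the attack described in the article.
    """
    if not payload:
        raise ValueError("empty payload")
    first = payload[0]
    if first == OK_PACKET:
        return "ok"
    if first == ERR_PACKET:
        return "error"
    if first == LOCAL_INFILE_REQUEST:
        requested = payload[1:].decode("utf-8", errors="replace")
        m = _LOAD_LOCAL.match(query)
        if m is None or m.group(1) != requested:
            raise RogueServerError(
                f"server requested local file {requested!r} in reply to {query!r}"
            )
        return "local_infile_request"
    return "resultset"  # column-count packet of an ordinary result set


def strip_local_files(capabilities: int) -> int:
    """Hardening at connect time: never advertise CLIENT_LOCAL_FILES."""
    return capabilities & ~CLIENT_LOCAL_FILES


# --- Constructed sample traffic (not captured from a real attack) -----------
OK_REPLY = build_packet(1, bytes([OK_PACKET, 0, 0, 0x02, 0x00, 0, 0]))
# A rogue server answering "SELECT 1" by asking for a Magento config file
# (path is a constructed example).
ROGUE_REPLY = build_packet(
    1, bytes([LOCAL_INFILE_REQUEST]) + b"/var/www/html/app/etc/env.php"
)
# The same request kind, but in reply to a genuine LOAD DATA LOCAL statement.
LEGIT_REPLY = build_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/tmp/import.csv")


def demo() -> dict:
    """Run the check over the constructed samples and return what happened."""
    results = {"ok": classify_response(parse_packet(OK_REPLY)[1], "SELECT 1")}
    try:
        classify_response(parse_packet(ROGUE_REPLY)[1], "SELECT 1")
        results["rogue"] = "accepted"
    except RogueServerError as exc:
        results["rogue"] = f"blocked: {exc}"
    results["legit"] = classify_response(
        parse_packet(LEGIT_REPLY)[1],
        "LOAD DATA LOCAL INFILE '/tmp/import.csv' INTO TABLE imports",
    )
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Real clients expose the same switch as a setting rather than a protocol flag: for PHP’s mysqli it is the `mysqli.allow_local_infile` ini directive, and the `mysql` command-line client has `--local-infile=0`. A web tool that connects to arbitrary hosts should leave it off unless a user explicitly runs a local import.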
“This attack method has not been published before, but in hindsight I have observed it being used by different Magecart factions at least since October 2018 (although I didn’t understand what was going on back then),” de Groot said in a blog post. “The vulnerability was subsequently used to inject payment skimmers on several high-profile stores (government & multinationals).”
To pull off this attack, the attackers need a maliciously modified MySQL server on their end, and de Groot suspects that such a server has been for sale on underground markets for a while, because multiple groups have used the same technique.
The vulnerability exists in Adminer versions 4.3.1 up to 4.6.2 and was fixed in version 4.6.3, released in June 2018. However, it’s not clear whether the flaw was fixed on purpose or accidentally, because the release notes for Adminer 4.6.3 don’t mention any security fix.
“I would recommend anyone running Adminer to upgrade to the latest version (4.7.0),” de Groot said. “Also, I urge anyone to protect their database tools via an additional password and/or IP filter. Sometimes perpetrators can obtain your database password by other means, and an open Adminer makes life very easy for them.”
MageCart Group Infected Hundreds of Sites Through Advertising Script
The MageCart cybercriminal gang recently managed to compromise hundreds of websites in a single campaign by infecting an advertising script that all of them loaded.
The MageCart groups are very active and always look to improve their infection techniques and skimming code. Recently, researchers from Trend Micro found the MageCart skimmer on 277 websites that provide everything from ticketing, touring and flight booking services to prominent cosmetic, healthcare and apparel brands.
This is not the first time the MageCart groups have compromised websites through a third-party service. In fact, there are sub-groups that specialize in this type of attack.
Website owners can mitigate some of these attacks with the Subresource Integrity (SRI) web standard, which lets them put a cryptographic hash of a third-party script or stylesheet in the tag that loads it. If the resource is later modified, its hash no longer matches the one on the page and the browser refuses to execute it. Two practical limits: the third party has to serve the resource with CORS headers, and the pin only works for resources that don’t legitimately change, which rules out many ad scripts that are updated frequently.
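As an added example that is not part of the article, the following Python code computes the integrity value a site owner would publish for a third-party script and replays the check a browser performs on the fetched bytes. The script contents, the host name and the appended skimmer line are constructed stand-ins, not real advertising or skimmer code.

```python
"""Subresource Integrity (SRI) worked through in Python.

Added example, not from the article: computes the integrity attribute a site
owner would publish for a third-party script, and replays the check a browser
performs before executing the fetched bytes. The script contents below are
constructed stand-ins, not real advertising or skimmer code.
"""
import base64
import hashlib

# Algorithms the SRI spec allows, weakest to strongest.
SUPPORTED = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>' for the given bytes."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported SRI algorithm {algo!r}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Build the <script> element a page should use for a pinned third-party script.

    crossorigin="anonymous" is required: SRI only works when the browser fetches
    the resource in CORS mode, so the third party must also send
    Access-Control-Allow-Origin.
    """
    return (f'<script src="{src}" integrity="{sri_hash(content, algo)}" '
            'crossorigin="anonymous"></script>')


def verify(content: bytes, integrity: str) -> bool:
    """Replay the browser's SRI check on fetched bytes.

    The integrity attribute may carry several tokens. Per the spec, the browser
    keeps only the tokens that use the strongest listed algorithm and passes the
    resource if any one of those matches; unknown algorithms are ignored, and an
    attribute with no usable token imposes no check at all.
    """
    tokens = []
    for token in integrity.split():
        algo, _, expected = token.partition("-")
        if algo in SUPPORTED:
            tokens.append((algo, expected.split("?")[0]))  # drop any ?options
    if not tokens:
        return True
    strongest = max(tokens, key=lambda t: SUPPORTED.index(t[0]))[0]
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return any(expected == actual for algo, expected in tokens if algo == strongest)


# --- Constructed sample resources ------------------------------------------
LEGIT_AD_SCRIPT = b"window.adLoader = function () { /* render banner */ };\n"
# The same script after the third party is compromised and a skimmer line is
# appended (constructed, not a real skimmer).
TAMPERED_AD_SCRIPT = LEGIT_AD_SCRIPT + b"document.forms[0].addEventListener('submit', exfil);\n"


def demo() -> dict:
    """Pin the legitimate script, then check both versions against the pin."""
    tag = script_tag("https://ads.example.invalid/loader.js", LEGIT_AD_SCRIPT)
    integrity = tag.split('integrity="', 1)[1].split('"', 1)[0]
    return {
        "tag": tag,
        "original_loads": verify(LEGIT_AD_SCRIPT, integrity),
        "tampered_loads": verify(TAMPERED_AD_SCRIPT, integrity),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tampered version is rejected even though only one line was appended, which is exactly the failure mode a skimmer injected into a shared ad script produces. The flip side is that any legitimate update to the script also fails the check, so a pinned third-party resource needs the tag updated whenever the supplier changes it.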