June 30, 2022

On January 25, Sansec tweeted that more than 300 e-commerce stores had been infected with malware. Sansec detected a mass data breach at 500 stores running Magento 1. Magento is the open-source e-commerce platform offered by Adobe.

All of the stores were infected with a payment skimmer that was loaded into them from naturalfreshmall.com. During the initial investigation, the investigators found that the attackers had used a clever combination of a SQL injection and a PHP object injection attack to take control of the Magento stores.

PHP Object Injection via Zend_Memory_Manager

Further investigation revealed that a known vulnerability in the Quickview plugin was used to abuse the systems. That flaw is usually used to inject rogue Magento admin users, but in this case the attackers used it to run code directly on the server. Sansec gave a clear explanation of how this was possible.


First, the attackers used the Quickview plugin vulnerability to add a validation rule to the customer_eav_attribute table. The WHERE clause matches the stock serialized validation rule of a customer attribute, and the UNHEX() payload replaces it with attacker-controlled serialized data:

45.72.31.112 2022-01-28T15:11:59Z "GET /quickview/index/view/path/');UPDATE%20customer_eav_attribute%20SET%20validate_rules=UNHEX('613a…d7d')%20WHERE%20validate_rules='a:2:%7Bs:15:%22max_text_length%22;i:255;s:15:%22min_text_length%22;i:1;%7D'; HTTP/1.1"

PHP object injection works by feeding the host application serialized data that it unserializes into objects of classes it already has loaded; the behaviour of those classes (the gadget chain) then does the attacker's work. In this attack, a chain built from Zend_Memory_Manager and Zend_CodeGenerator_Php_File is used to write a file called api_1.php containing a simple backdoor, eval($_POST['z']). The UNHEX() payload in the request above is that serialized data (0x613a decodes to "a:", the start of a serialized PHP array).
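As an added example (not Sansec's code, nor code from the page or from Magento), the following Python audit looks for exactly this kind of planted object in the customer_eav_attribute.validate_rules column. Stock validation rules are serialized arrays of scalars, so any O: (object) or C: (Serializable) entry in that column is a payload waiting for the next unserialize. The parser walks the serialize() format structurally and never instantiates anything, so it is safe to run over a dump from a compromised shop. The sample rows, the property names inside the planted Zend_Memory_Manager object and the function names are constructed for this example; the real gadget chain's properties are not reproduced here.

```python
from dataclasses import dataclass, field


@dataclass
class PhpObject:
    """An O:/C: entry found in serialized data (recorded, never instantiated)."""
    cls: str
    props: dict = field(default_factory=dict)


class PhpSerializeError(ValueError):
    pass


def php_unserialize(raw: bytes):
    """Structural parser for PHP's serialize() format, with no code execution.

    The payload is decoded as latin-1 so one character equals one byte, which
    keeps PHP's s:<len> byte counts correct without a bytes-level parser.
    """
    data = raw.decode("latin-1")
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise PhpSerializeError(f"trailing data at offset {pos}")
    return value


def _read_len(data, pos):
    """Read '<digits>:' at pos; return (int, position after the colon)."""
    end = data.index(":", pos)
    return int(data[pos:end]), end + 1


def _read_str(data, pos):
    """Read '<len>:"<bytes>"' at pos; return (str, position after the closing quote)."""
    length, pos = _read_len(data, pos)
    body = data[pos + 1 : pos + 1 + length]
    if data[pos] != '"' or len(body) != length or data[pos + 1 + length] != '"':
        raise PhpSerializeError(f"malformed string at offset {pos}")
    return body, pos + 2 + length


def _read_pairs(data, pos, count):
    """Read count key/value pairs inside '{...}'; return (dict, position after '}')."""
    if data[pos] != "{":
        raise PhpSerializeError(f"expected '{{' at offset {pos}")
    pos, items = pos + 1, {}
    for _ in range(count):
        key, pos = _parse(data, pos)
        items[key], pos = _parse(data, pos)
    if data[pos] != "}":
        raise PhpSerializeError(f"expected '}}' at offset {pos}")
    return items, pos + 1


def _parse(data, pos):
    tag = data[pos]
    if tag == "N" and data[pos + 1] == ";":          # N;
        return None, pos + 2
    if tag in ("i", "b", "d"):                       # i:255;  b:1;  d:0.5;
        end = data.index(";", pos)
        raw = data[pos + 2 : end]
        return {"i": int, "b": lambda v: v == "1", "d": float}[tag](raw), end + 1
    if tag == "s":                                   # s:3:"abc";
        body, pos = _read_str(data, pos + 2)
        if data[pos] != ";":
            raise PhpSerializeError(f"expected ';' at offset {pos}")
        return body, pos + 1
    if tag == "a":                                   # a:2:{<key><value><key><value>}
        count, pos = _read_len(data, pos + 2)
        return _read_pairs(data, pos, count)
    if tag == "O":                                   # O:3:"Foo":1:{s:1:"x";i:1;}
        cls, pos = _read_str(data, pos + 2)
        count, pos = _read_len(data, pos + 1)        # skip the ':' after the class name
        props, pos = _read_pairs(data, pos, count)
        return PhpObject(cls, props), pos
    if tag == "C":                                   # C:3:"Foo":5:{hello}  (Serializable)
        cls, pos = _read_str(data, pos + 2)
        length, pos = _read_len(data, pos + 1)
        blob = data[pos + 1 : pos + 1 + length]
        return PhpObject(cls, {"__serialized": blob}), pos + 2 + length
    raise PhpSerializeError(f"unknown type tag {tag!r} at offset {pos}")


def find_objects(value, found=None):
    """Collect the class name of every PhpObject nested anywhere in value."""
    found = [] if found is None else found
    if isinstance(value, PhpObject):
        found.append(value.cls)
        value = value.props
    if isinstance(value, dict):
        for v in value.values():
            find_objects(v, found)
    return found


def audit_validate_rules(rows):
    """rows: (attribute_id, attribute_code, validate_rules) tuples as read from the table.

    Flags any row whose serialized tree contains an object, and any row that
    does not parse at all (a half-written payload is worth a look too).
    """
    findings = []
    for attribute_id, code, blob in rows:
        if not blob:
            continue
        try:
            classes = find_objects(php_unserialize(blob))
        except (PhpSerializeError, ValueError, IndexError) as exc:
            findings.append({"attribute_id": attribute_id, "code": code,
                             "classes": [], "reason": f"unparseable: {exc}"})
            continue
        if classes:
            findings.append({"attribute_id": attribute_id, "code": code,
                             "classes": classes, "reason": "object in validate_rules"})
    return findings


# Constructed sample rows (not data from a real shop). Row 3 mimics what the
# attackers' UPDATE ... UNHEX(...) wrote: the class name is the one named in the
# write-up, the property names are placeholders rather than the real gadget chain.
SAMPLE_ROWS = [
    (1, "firstname", b'a:2:{s:15:"max_text_length";i:255;s:15:"min_text_length";i:1;}'),
    (2, "email", b'a:1:{s:5:"regex";s:12:"O:1:"x":0:{}";}'),  # object syntax inside a string: benign
    (3, "lastname", b'a:2:{s:15:"max_text_length";i:255;s:6:"gadget";'
                    b'O:19:"Zend_Memory_Manager":1:{s:7:"example";s:3:"xyz";}}'),
    (4, "dob", b'a:1:{s:3:"foo"'),  # truncated value
    (5, "taxvat", None),
]

if __name__ == "__main__":
    for finding in audit_validate_rules(SAMPLE_ROWS):
        print(finding)
```

In practice the rows come from SELECT attribute_id, attribute_code, validate_rules FROM customer_eav_attribute on the shop's database. Row 2 shows why a structural parse beats grepping for "O:": object syntax inside a string value is harmless, and a regex would flag it.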

Sign-Up Triggers the Attack

For the code to run, Magento has to unserialize the injected data. The attackers achieved this through the validation rules that apply to new customers: Magento unserializes validate_rules while processing the sign-up page, so a single visit to the account creation page by the attacker triggers the payload.

45.72.31.112    2022-01-28T15:12:02Z "GET /customer/account/create/ HTTP/1.1"


45.72.31.112    2022-01-28T15:12:08Z "GET /api_1.php HTTP/1.1"

api_1.php, now under the attacker's control, can run any PHP code they send it.
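The three log lines above form a tight sequence from one client: the SQL injection through the Quickview path parameter, the sign-up page request that triggers the unserialize, and the first hit on the freshly written backdoor. As an added example (not code from Sansec or from the page), here is a Python detector that runs over access-log lines in the format quoted above and reports that chain per source IP, alongside a list of every Quickview injection attempt, successful or not. The log lines in SAMPLE_LOG are constructed and modelled on the quoted ones; the hex payload, the two extra client IPs, the list of stock PHP entry points and the five-minute window are assumptions to adjust for your own install.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Format shown in the write-up: <ip> <ISO-8601 UTC time> "<METHOD> <path> HTTP/x.y"
LOG_RE = re.compile(r'^(?P<ip>\S+)\s+(?P<ts>\S+)\s+"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/[\d.]+"')
# A quote closing the intended SQL string followed by a new statement, or a
# direct reference to the table / function the attackers used.
SQL_RE = re.compile(r"""['"]\)?\s*;\s*(UPDATE|INSERT|DELETE|SELECT|UNION)\b|customer_eav_attribute|UNHEX\s*\(""", re.I)
# Top-level PHP entry points of a stock Magento 1 install (assumed list; extend it for your tree).
KNOWN_PHP = {"/index.php", "/cron.php", "/get.php", "/api.php", "/install.php"}
WINDOW_SECONDS = 300   # injection -> trigger -> backdoor hit all within five minutes (assumed)


def parse_line(line):
    """Return {'ip', 'ts', 'method', 'path'} for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"]}


def is_quickview_sqli(path):
    """True if a Quickview request carries SQL in its path segment after URL-decoding."""
    if not path.lower().startswith("/quickview/"):
        return False
    decoded = unquote(unquote(path))   # decode twice so double-encoded payloads do not slip past
    return SQL_RE.search(decoded) is not None


def is_unknown_php(path):
    """True for a *.php file directly under the web root that a stock install does not ship."""
    p = path.split("?", 1)[0]
    return re.fullmatch(r"/[^/]+\.php", p) is not None and p not in KNOWN_PHP


def find_injections(lines):
    """Every Quickview SQL injection attempt, whether or not the rest of the chain followed."""
    return [e for e in map(parse_line, lines) if e and is_quickview_sqli(e["path"])]


def detect_chain(lines):
    """One finding per IP that completes injection -> sign-up trigger -> backdoor hit."""
    by_ip = {}
    for e in map(parse_line, lines):
        if e:
            by_ip.setdefault(e["ip"], []).append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, inj in enumerate(evs):
            if not is_quickview_sqli(inj["path"]):
                continue
            later = [e for e in evs[i + 1:] if (e["ts"] - inj["ts"]).total_seconds() <= WINDOW_SECONDS]
            trigger = next((e for e in later if e["path"].startswith("/customer/account/create")), None)
            if trigger is None:
                continue
            backdoor = next((e for e in later if e["ts"] >= trigger["ts"] and is_unknown_php(e["path"])), None)
            if backdoor is not None:
                findings.append({"ip": ip, "injection": inj["path"],
                                 "trigger_ts": trigger["ts"].isoformat(),
                                 "backdoor": backdoor["path"].split("?", 1)[0]})
                break   # one finding per IP is enough for triage
    return findings


# Constructed sample log, modelled on the three lines quoted in the write-up
# (the hex payload and the two other client IPs are made up).
SAMPLE_LOG = [
    "45.72.31.112 2022-01-28T15:11:59Z \"GET /quickview/index/view/path/');UPDATE%20customer_eav_attribute"
    "%20SET%20validate_rules=UNHEX('613a313a7b7d')%20WHERE%20validate_rules='a:2:%7Bs:15:%22max_text_length"
    "%22;i:255;s:15:%22min_text_length%22;i:1;%7D'; HTTP/1.1\"",
    "45.72.31.112 2022-01-28T15:12:02Z \"GET /customer/account/create/ HTTP/1.1\"",
    "45.72.31.112 2022-01-28T15:12:08Z \"GET /api_1.php HTTP/1.1\"",
    "203.0.113.7 2022-01-28T15:12:30Z \"GET /quickview/index/view/path/sku-123 HTTP/1.1\"",   # legitimate use
    "203.0.113.7 2022-01-28T15:12:35Z \"GET /customer/account/create/ HTTP/1.1\"",
    "198.51.100.9 2022-01-28T15:20:01Z \"GET /index.php HTTP/1.1\"",
]

if __name__ == "__main__":
    for finding in detect_chain(SAMPLE_LOG):
        print(finding)
```

The injection alone is worth an alert even without the rest of the chain, which is why find_injections is separate: a failed attempt still tells you the plugin is exposed. The backdoor stage only looks for new top-level .php files because that is where this campaign dropped api_1.php; a variant that writes into a subdirectory would need the path pattern widened.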

During these attacks the attacker left 19 backdoors on the system, all of which have to be removed to prevent re-infection. Many files contained the malicious Magento code.

Sansec also posted a list of the IP addresses implicated in the attack (IP address, country, ASN, organisation):

132.255.135.230 US 52485 networksdelmanana.com
132.255.135.51 US 52485 networksdelmanana.com
138.36.92.216 US 265645 HOSTINGFOREX S.A.
138.36.92.253 US 265645 HOSTINGFOREX S.A.
138.36.93.206 US 265645 HOSTINGFOREX S.A.
138.36.94.2 US 265645 HOSTINGFOREX S.A.
138.36.94.224 US 265645 HOSTINGFOREX S.A.
138.36.94.241 US 265645 HOSTINGFOREX S.A.
138.36.94.59 US 265645 HOSTINGFOREX S.A.
138.94.216.131 US 263744 Udasha S.A.
138.94.216.172 US 263744 Udasha S.A.
138.94.216.186 US 263744 Udasha S.A.
138.94.216.230 US 263744 Udasha S.A.
141.193.20.147 US 64249 ENDOFFICE
144.168.218.117 US 55286 SERVER-MANIA
144.168.218.136 US 55286 SERVER-MANIA
144.168.218.249 US 55286 SERVER-MANIA
144.168.218.70 US 55286 SERVER-MANIA
144.168.218.94 US 55286 SERVER-MANIA
144.168.221.92 US 55286 SERVER-MANIA
186.179.14.102 US 52393 Corporacion Dana S.A.
186.179.14.134 US 52393 Corporacion Dana S.A.
186.179.14.179 US 52393 Corporacion Dana S.A.
186.179.14.204 US 52393 Corporacion Dana S.A.
186.179.14.44 US 52393 Corporacion Dana S.A.
186.179.14.76 US 52393 Corporacion Dana S.A.
186.179.14.97 US 52393 Corporacion Dana S.A.
186.179.39.183 US 52393 Corporacion Dana S.A.
186.179.39.226 US 52393 Corporacion Dana S.A.
186.179.39.35 US 52393 Corporacion Dana S.A.
186.179.39.7 US 52393 Corporacion Dana S.A.
186.179.39.74 US 52393 Corporacion Dana S.A.
186.179.47.205 US 52393 Corporacion Dana S.A.
186.179.47.39 US 52393 Corporacion Dana S.A.
191.102.149.106 US 394474 WHITELABELCOLO393
191.102.149.197 US 394474 WHITELABELCOLO393
191.102.149.253 US 394474 WHITELABELCOLO393
191.102.163.202 US 394474 WHITELABELCOLO393
191.102.163.208 US 394474 WHITELABELCOLO393
191.102.163.7 US 394474 WHITELABELCOLO393
191.102.163.74 US 394474 WHITELABELCOLO393
191.102.170.173 US 394474 WHITELABELCOLO393
191.102.170.81 US 394474 WHITELABELCOLO393
191.102.174.128 US 394474 WHITELABELCOLO393
191.102.174.211 US 394474 WHITELABELCOLO393
191.102.174.239 US 394474 WHITELABELCOLO393
191.102.174.247 US 394474 WHITELABELCOLO393
191.102.174.52 US 394474 WHITELABELCOLO393
191.102.179.22 US 394474 WHITELABELCOLO393
191.102.179.31 US 394474 WHITELABELCOLO393
191.102.179.62 US 394474 WHITELABELCOLO393
192.198.123.164 US 55286 SERVER-MANIA
192.198.123.225 US 55286 SERVER-MANIA
192.198.123.226 US 55286 SERVER-MANIA
192.198.123.43 US 55286 SERVER-MANIA
192.241.67.128 US 55286 SERVER-MANIA
193.32.8.1 US 201814 Meverywhere sp. z o.o.
193.32.8.33 US 201814 Meverywhere sp. z o.o.
193.32.8.63 US 201814 Meverywhere sp. z o.o.
193.32.8.76 US 201814 Meverywhere sp. z o.o.
193.8.238.91 US 60781 LeaseWeb Netherlands B.V.
195.123.246.212 CZ 204957 ITL-Bulgaria Ltd.
198.245.77.132 US 55081 24SHELLS
198.245.77.217 US 55081 24SHELLS
198.245.77.253 US 55081 24SHELLS
206.127.242.99 US 201106 Spartan Host Ltd
209.127.104.174 US 55286 SERVER-MANIA
209.127.105.225 US 55286 SERVER-MANIA
209.127.105.73 US 55286 SERVER-MANIA
209.127.106.211 US 55286 SERVER-MANIA
209.127.106.44 US 55286 SERVER-MANIA
209.127.107.141 US 55286 SERVER-MANIA
209.127.107.169 US 55286 SERVER-MANIA
209.127.107.187 US 55286 SERVER-MANIA
209.127.109.138 US 55286 SERVER-MANIA
209.127.109.225 US 55286 SERVER-MANIA
209.127.109.87 US 55286 SERVER-MANIA
209.127.110.144 US 55286 SERVER-MANIA
209.127.110.177 US 55286 SERVER-MANIA
209.127.111.68 US 55286 SERVER-MANIA
209.127.111.99 US 55286 SERVER-MANIA
209.127.116.101 US 55286 SERVER-MANIA
209.127.116.167 US 55286 SERVER-MANIA
209.127.116.231 US 55286 SERVER-MANIA
209.127.117.214 US 55286 SERVER-MANIA
209.127.117.49 US 55286 SERVER-MANIA
209.127.118.136 US 55286 SERVER-MANIA
209.127.118.96 US 55286 SERVER-MANIA
209.127.172.15 US 55081 24SHELLS
209.127.172.60 US 55081 24SHELLS
209.127.172.99 US 55081 24SHELLS
209.127.173.13 US 55081 24SHELLS
209.127.173.154 US 55081 24SHELLS
209.127.173.215 US 55081 24SHELLS
209.127.174.177 US 55081 24SHELLS
209.127.175.113 US 55081 24SHELLS
209.127.97.6 US 55286 SERVER-MANIA
209.127.98.244 US 55286 SERVER-MANIA
209.127.98.81 US 55286 SERVER-MANIA
209.127.98.91 US 55286 SERVER-MANIA
209.127.99.16 US 55286 SERVER-MANIA
209.127.99.205 US 55286 SERVER-MANIA
217.170.207.111 NO 34989 ServeTheWorld AS
23.106.125.64 SG 59253 Leaseweb Asia Pacific pte. ltd.
45.72.112.143 US 55081 24SHELLS
45.72.18.133 US 55081 24SHELLS
45.72.18.234 US 55081 24SHELLS
45.72.18.236 US 55081 24SHELLS
45.72.31.112 US 55081 24SHELLS
45.72.85.178 US 55081 24SHELLS
45.72.86.142 US 55081 24SHELLS
45.72.86.201 US 55081 24SHELLS


Adobe ended support for Magento 1 in June 2020, so no further official updates or patches are issued for it, yet many e-commerce sites still rely on it. Stores that cannot migrate should at least apply patches from third-party maintainers regularly, and any shop that finds the indicators above should assume it is compromised and remove every backdoor, not just api_1.php.
