Compromised Magento Sites Delivering Malware

Ecommerce websites running on the popular open-source Magento platform are being targeted by attackers who are using brute-force password attacks to access administration panels to scrape credit card numbers and install malware that mines cryptocurrency.

Researchers at Flashpoint are aware of the compromise of at least 1,000 Magento admin panels, and said that interest in the platform has continued unabated on entry-level and top-tier Deep & Dark Web forums since 2016. Attackers have also demonstrated continued interest in other popular ecommerce-processing content management systems such as Powerfront CMS and OpenCart.

The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials. Brute-force attacks such as these are simplified when admins fail to change the credentials upon installation of the platform. Attackers, meanwhile, can build simple automated scripts loaded with known credentials to facilitate access of the panels.

Once the attacker has control of the site’s Magento CMS admin panel, they have unfettered access to the site and the ability to add any script they choose. In this case, the attackers were injecting malicious code in the Magento core file, allowing them access to pages where payment data is processed. POST requests to the server containing sensitive data are then intercepted and redirected to the attacker.

Flashpoint analysts said the compromised sites return an exploit in the form of a phony Adobe Flash Player update, which if launched by the user runs malicious JavaScript that downloads malware from attacker-controlled servers on GitHub and other compromised sites onto the victim’s computer.

Analysts said the infection chain begins with the installation of data-stealing malware called AZORult from a binary hosted on GitHub. AZORult then downloads additional malware; in this campaign, the additional malware is the Rarog cryptocurrency miner. The attackers are keen on avoiding detection and update the malicious files daily in order to sidestep signature- and behavior-based detection. Flashpoint said the accounts hosting these files have been active since 2017.

Flashpoint said that most of the victims among the 1,000 panels it is aware of are in the education and healthcare industries, and that the IP addresses of the compromised panels map to locations in the United States and Europe.

Analysts assess that this is likely only a set of a larger sample of compromised Magento panels.

Flashpoint is working with law enforcement to notify victims of these compromises.

In the meantime, the rash of attacks resurrects the epidemic of default credential usage among admins. Default credentials were at the core of the 2016 Mirai attacks where hackers were able to access connected devices such as security cameras, DVRs and routers using known and common default passwords. The compromised IoT devices were corralled into a massive botnet that was pointed at a number of high-value targets including DNS provider Dyn, French webhost OVH, and journalist Brian Krebs’ website in order to carry out crippling distributed denial-of-service attacks. The DDoS attack against Dyn peaked at 1 terabyte-per-second and took a number of popular websites and services offline for the better part of day in October 2016, including Twitter, Spotify and GitHub. 

Magento admins are advised to review CMS account logins and mitigate their exposure to brute-force attacks by enforcing the following password-hygiene practices:

• Enforce organizational password complexity requirements.
• Restrict users from recycling previously used passwords.
• Enable two-factor authentication for sensitive systems, applications, databases, and remote access solutions.
• Supply users with secure password managers to assist with password requirements.

The indicators of compromise (IOCs) for AZORult, Rarog, and the campaign targeting Magento are available for download here. The Yara rule is available for download here.