Threat actors have been observed exploiting a critical flaw in Magento to insert a persistent backdoor into e-commerce sites.
The attack leverages CVE-2024-20720 (CVSS score: 9.1), which Adobe described as a case of “improper neutralization of special elements” that could pave the way for arbitrary code execution.
The issue was fixed by the company as part of security updates released on February 13, 2024.
Sansec said it discovered a “cleverly crafted layout pattern in the database” that is used to automatically insert malicious code to execute arbitrary commands.
“Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands,” the company said.
“Since the layout block is tied to the checkout cart, this command is executed whenever requested
The command in question is sed, which is used to insert a code execution backdoor that is then responsible for delivering a Stripe payment skimmer to capture and exfiltrate financial information to another compromised Magento store.
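The abuse pattern described above, a layout update stored in the database that hands control to a non-Magento helper class and carries a shell command string, is something a store operator can look for directly in their own layout data. The following script is an added example for defenders; it is not code from Sansec, Adobe or the Magento project. It assumes the layout XML is read from Magento's `layout_update` table (the `layout_update_id`, `handle` and `xml` column names and the two sample rows are constructed for the example), and the helper class method and sed arguments in the suspicious row are placeholders, not a reproduction of the real payload.

```python
"""Scan Magento layout-update XML for the indicators described above:
layout <argument xsi:type="helper"> calls that point at classes outside the
Magento namespace (the beberlei/assert package lives in Assert\...), and
shell-like strings such as `sed` embedded in layout arguments."""
import re
import xml.etree.ElementTree as ET

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XSI_TYPE = "{%s}type" % XSI_NS

# Assumption: a legitimate layout helper lives under the Magento namespace;
# add your own vendor namespaces here before running this in production.
TRUSTED_HELPER_PREFIXES = ("Magento\\",)

# Shell fragments that have no business inside a layout argument.
SHELL_PATTERN = re.compile(r"\b(sed|bash|sh|curl|wget|base64)\b|/bin/|\$\(|`")


def scan_layout_xml(xml_text):
    """Return a list of human-readable findings for one layout XML document."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Unparseable layout XML is itself worth a look, but cannot be scanned.
        return ["unparseable layout XML: %s" % exc]
    for el in root.iter():
        helper = el.get("helper")
        if el.get(XSI_TYPE) == "helper" and helper is not None:
            if not helper.startswith(TRUSTED_HELPER_PREFIXES):
                findings.append("untrusted helper class: %s" % helper)
        # Check every attribute value and the element text for shell fragments.
        for value in list(el.attrib.values()) + [el.text or ""]:
            if SHELL_PATTERN.search(value):
                findings.append("shell-like string in <%s>: %r" % (el.tag, value.strip()))
    return findings


def scan_layout_rows(rows):
    """rows: iterable of (layout_update_id, handle, xml) tuples as selected
    from the layout_update table (assumed column names). Returns a dict of
    row id -> (handle, findings) for rows that produced any finding."""
    report = {}
    for row_id, handle, xml in rows:
        # Rows store fragments; wrap them so xsi:type attributes resolve.
        wrapped = '<layout xmlns:xsi="%s">%s</layout>' % (XSI_NS, xml)
        findings = scan_layout_xml(wrapped)
        if findings:
            report[row_id] = (handle, findings)
    return report


# Constructed sample rows: one benign checkout layout update and one that
# shows the shape of the indicators (placeholder method and sed arguments).
SAMPLE_ROWS = [
    (1, "checkout_cart_index", r"""
      <referenceBlock name="checkout.cart">
        <block class="Magento\Framework\View\Element\Template" name="cart.promo"
               template="Magento_Checkout::cart/promo.phtml"/>
      </referenceBlock>"""),
    (2, "checkout_cart_index", r"""
      <referenceBlock name="checkout.cart">
        <block class="Magento\Framework\View\Element\Template" name="cart.extra">
          <arguments>
            <argument name="template" xsi:type="helper" helper="Assert\Assertion::PLACEHOLDER_METHOD">
              <param name="value">sed -i PLACEHOLDER_EXPRESSION PLACEHOLDER_FILE</param>
            </argument>
          </arguments>
        </block>
      </referenceBlock>"""),
]

if __name__ == "__main__":
    for row_id, (handle, findings) in scan_layout_rows(SAMPLE_ROWS).items():
        print("layout_update_id=%d handle=%s" % (row_id, handle))
        for finding in findings:
            print("  -", finding)
```

The helper-class check is the more durable of the two signals: a real-world command string can be obfuscated, but a layout argument that dispatches to a class outside the namespaces you expect stands out regardless of what it carries. Run it against a database export on a schedule and diff the report, since the page notes the block is tied to the checkout cart and persists across requests.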
The development comes as the Russian government accused six people of using skimmer malware to steal credit card and payment information from foreign e-commerce stores since at least late 2017.
The suspects are Denis Priymachenko, Alexander Aseyev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk and Anton Tolmachev. Recorded Future News reported that the arrests were made a year ago, citing court documents.
“As a result, members of the hacking group illegally took possession of information on almost 160 thousand payment cards of foreign citizens, after selling them through shadow Internet sites,” the Prosecutor General’s Office of the Russian Federation said.