Magecart attackers have a new trick: They hide persistent backdoors within e-commerce sites that can automatically push malware.
According to Sansec researchers, threat actors are exploiting a critical command injection vulnerability in the Adobe Commerce and Magento e-commerce platform (CVE-2024-20720, CVSS score of 9.1), which allows arbitrary code execution without user interaction.
The payload is an “expertly crafted layout template” stored in the layout_update database table: XML containing shell code that, when rendered through the Magento content management system (CMS) controller, automatically re-injects malware into the compromised site. Because the backdoor lives in the database rather than in a file on disk, cleaning up the web root alone does not remove it.
“Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands,” Sansec said in an alert. “Since the layout block is tied to the checkout cart, this command is executed whenever requested
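The mechanism described above gives defenders a concrete place to look: rows in the layout_update table whose XML hands control to code outside the Magento namespace, especially on handles served by the cart page. The following is an added example (not Sansec's code or Magento's own tooling) that triages such rows offline. It assumes the table's layout_update_id, handle and xml columns, a constructed set of sample rows standing in for a database export, and a heuristic that treats any layout `helper` attribute pointing outside `Magento\` (or any reference to the beberlei/assert library) as suspicious; the trusted-prefix list is an assumption that a store running third-party modules would need to extend.

```python
import xml.etree.ElementTree as ET

# Assumed export query for the rows fed into this script:
#   SELECT layout_update_id, handle, xml FROM layout_update;
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Assumption: stock layout helpers live under Magento\; stores with first-party or
# third-party modules should add their vendor prefixes here to cut false positives.
TRUSTED_HELPER_PREFIXES = ("Magento\\",)

# Indicators drawn from the advisory (the assert library used for command execution)
# plus generic PHP shell-execution tokens.
SUSPICIOUS_TOKENS = ("Assert\\", "beberlei", "shell_exec", "system(", "passthru", "exec(")

# Layout handles rendered on the checkout cart page; a hit here runs on every cart view.
CART_HANDLES = ("checkout_cart_index", "checkout_cart_configure")

# Constructed sample rows shaped like the layout_update table (not data from a real store).
SAMPLE_ROWS = [
    (1, "default",
     '<referenceBlock name="header.panel"><block class="Magento\\Cms\\Block\\Block" name="promo">'
     '<arguments><argument name="block_id" xsi:type="string">promo</argument></arguments>'
     '</block></referenceBlock>'),
    (2, "checkout_cart_index",
     '<referenceContainer name="content"><block class="Magento\\Framework\\View\\Element\\Template" name="x1">'
     '<arguments><argument name="data" xsi:type="helper" helper="Assert\\Assertion::string"/></arguments>'
     '</block></referenceContainer>'),
    (3, "checkout_cart_index",
     '<referenceBlock name="checkout.cart"><block class="Magento\\Framework\\View\\Element\\Template" name="x2">'
     '<action method="setData"><argument name="v" xsi:type="helper" '
     'helper="Magento\\Framework\\Data\\Form\\FormKey::getFormKey"/></action></block></referenceBlock>'),
]


def scan_layout_xml(handle, xml_fragment):
    """Return a list of (kind, detail) findings for one layout_update row."""
    findings = []
    # Fragments in the table omit the xsi namespace declaration, so wrap them before parsing.
    wrapped = f'<scan xmlns:xsi="{XSI}">{xml_fragment}</scan>'
    try:
        root = ET.fromstring(wrapped)
    except ET.ParseError as exc:
        # A row that is not even valid layout XML deserves a look on its own.
        return [("malformed_xml", str(exc))]

    for element in root.iter():
        helper = element.get("helper")
        if helper is None:
            continue
        # helper="Vendor\Class::method" invokes that static method during layout rendering.
        helper_class = helper.split("::", 1)[0]
        if not helper_class.startswith(TRUSTED_HELPER_PREFIXES):
            findings.append(("untrusted_helper", helper))

    for token in SUSPICIOUS_TOKENS:
        if token in xml_fragment:
            findings.append(("suspicious_token", token))
    return findings


def triage_rows(rows):
    """Scan every row and rank hits; cart-page handles are rated high because they fire per request."""
    report = []
    for layout_update_id, handle, xml_fragment in rows:
        findings = scan_layout_xml(handle, xml_fragment)
        if not findings:
            continue
        severity = "high" if handle in CART_HANDLES else "medium"
        report.append({"id": layout_update_id, "handle": handle,
                       "severity": severity, "findings": findings})
    return report


if __name__ == "__main__":
    for hit in triage_rows(SAMPLE_ROWS):
        print(f"[{hit['severity']}] layout_update_id={hit['id']} handle={hit['handle']}")
        for kind, detail in hit["findings"]:
            print(f"    {kind}: {detail}")
```

Run against a real export, the script flags row 2 (a non-Magento helper on a cart handle) and stays silent on the legitimate FormKey helper and the plain CMS block; any row it reports should be reviewed by hand, since a legitimate third-party module can also register helpers outside `Magento\`.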
Sansec observed Magecart (a long-standing umbrella term for the cybercrime groups that skim payment card data from e-commerce sites) using this technique to inject a Stripe payment skimmer, which captures payment data and exfiltrates it to an attacker-controlled site.
Adobe fixed the security bug in February in both Adobe Commerce and Magento, so e-tailers should update to 2.4.6-p4, 2.4.5-p6, or 2.4.4-p7 to close the injection vector. Patching does not remove a template that was planted before the upgrade, so any store that was exposed while unpatched should also inspect the layout_update table for entries it does not recognize.