Ongoing Xurum Attacks on E-commerce Sites Exploiting Critical Magento 2 Vulnerability

Cyber Security Threat Summary:
“E-commerce sites using Adobe's Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023. The attacks, dubbed Xurum by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution. ‘The attacker seems to be interested in payment stats from the orders in the victim's Magento store placed in the past 10 days,’ Akamai researchers said in an analysis published last week, attributing the campaign to actors of Russian origin. Some of the websites have also been observed to be infected with simple JavaScript-based skimmers that are designed to collect credit card information and transmit it to a remote server. The exact scale of the campaign remains unclear” (The Hacker News, 2023).

Security Officer Comments:
According to researchers, the attacks entailed the execution of malicious PHP code that is designed to gather information about the host and then deploy a web shell named wso-ng, which masquerades as a Google Shopping Ads component.

“wso-ng is said to be an evolution of the WSO web shell, incorporating a new hidden login page to steal credentials entered by victims. It further integrates with legitimate tools like VirusTotal and SecurityTrails to glean the infected machine's IP reputation and obtain details about other domains hosted on the same server” (The Hacker News, 2023).

The web shell is capable of running in memory to avoid detection and is further activated only after the operator sends the cookie “magemojo000” in the HTTP request. Once activated, the backdoor will collect information regarding payment methods used for orders in the past 10 days, which will then be exfiltrated to an attacker-controlled C2 server.
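The cookie-gated activation described above gives defenders a concrete string to hunt for in web server logs. The following is an added example, not code from Akamai or The Hacker News; it assumes an access log layout that records the request's Cookie header as a final quoted field (not a default in common web servers), and the function names, paths and sample lines are constructed.

```python
import re
from collections import defaultdict

# Indicator taken from the summary above.
XURUM_COOKIE = "magemojo000"

# Assumed log layout (not a default): combined log format with the request's
# Cookie header appended as a final quoted field, e.g. nginx "$http_cookie".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

def cookie_tokens(header):
    """Split a Cookie header into the set of its names and values."""
    tokens = set()
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        tokens.update(t.strip() for t in (name, value) if t.strip())
    return tokens

def find_activation_requests(lines):
    """Return {client_ip: [(timestamp, method, path, status), ...]} for hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than guess
        # Whole-token match on name or value: the summary does not say which
        # side of "=" carries the marker, so both are checked (assumption).
        if XURUM_COOKIE in cookie_tokens(m["cookie"]):
            hits[m["ip"]].append((m["ts"], m["method"], m["path"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Aug/2023:10:02:11 +0000] "GET /checkout/cart/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "PHPSESSID=ab12; form_key=xyz"',
    '203.0.113.9 - - [14/Aug/2023:10:05:43 +0000] "POST /index.php HTTP/1.1" 200 312 "-" "curl/8.0" "magemojo000=1"',
    '203.0.113.9 - - [14/Aug/2023:10:06:02 +0000] "GET /index.php HTTP/1.1" 200 298 "-" "curl/8.0" "PHPSESSID=cd34; magemojo000"',
    '198.51.100.7 - - [14/Aug/2023:10:07:30 +0000] "GET /catalog/ HTTP/1.1" 200 900 "-" "Mozilla/5.0" "note=not-magemojo000x"',
]

if __name__ == "__main__":
    for ip, reqs in find_activation_requests(SAMPLE_LOG).items():
        for ts, method, path, status in reqs:
            print(f"{ip} {ts} {method} {path} -> {status}")
```

A hit identifies the client address and the requested path, which is where to start looking for the web shell on disk and for the exfiltration traffic that follows activation.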

Suggested Correction(s):
Magento admins should confirm that they are running the latest version of the platform and upgrade if they are still on an older, unsupported version.

Link(s):
https://thehackernews.com/2023/08/ongoing-xurum-attacks-on-e-commerce.html