Posted on July 27, 2022 at 12:06 PM
Researchers have revealed that threat actors are now targeting websites using the PrestaShop platform while taking advantage of the Zero-day vulnerability chain. According to the report, they are carrying out code execution to potentially steal customers’ payment information.
Last Friday, the PrestaShop team issued a warning and urged the admins of 300,000 shops that use its software to update their security systems. The company warned the admins that it has discovered cyberattacks that target the platform.
The attack seemed to impact PrestaShop versions 22.214.171.124 or later and versions 126.96.36.199 or later when they operate modules vulnerable to SQL injection. The vulnerability has been tracked as CVE-2022-36408.
The Hackers Are Targeting Shops Through Outdated Software
The attackers are carrying out arbitrary code execution in servers that run PrestaShop websites, according to the company.
The attack starts by exploiting a module or its older version with flaws in SQL injection exploits. However, the PrestaShop team is yet to discover where the vulnerability is coming from at the time of the warning. The team added that it is likely that the flaw may be caused by a third-party component.
The Prestashop security team stated that the threat actors are targeting shops using obsolete modules or software, zero-day vulnerability, and vulnerable third-party modules.
The threat actors are sending a POST request to a flawed endpoint before a parameter-less GET request to carry out the attack. They send the request to the homepage, which captures a “blm.php” file at the root directory.
Additionally, the blm.php file seemed to be a web shell that gives the hackers the ability to execute commands on the server remotely.
The activities of the hackers have been observed. According to the report, they utilize the web shell to plant fake payment forms on the shop’s checkout page, allowing them to steal the payment card details of the customers.
Administrators Urged To Secure Their Systems
The threat actors have also learned how to stay under the radar while infecting the targeted system and stealing information. The report revealed that after the attack, the hackers cleaned their tracks to make sure that the site owners do not realize that their platforms have been compromised.
This helped the threat actors to continue infecting other systems. If they were not careful with wiping out the evidence, the administrators of the infected sites could discover entries in the web server’s access logs and find out that they were compromised.
The site administrators can find out that the website has been compromised in different ways. One of the signs is a file modification to fit in malicious code. It can also be seen when there is a modification of the MySQL Smarty cache storage, which can serve as part of an attack medium.
Generally, the feature is disabled by default. However, the PrestaShop team has seen evidence that the threat actors enabled it separately. As a result, they have recommended that site administrators should remove the feature if not required.
Additionally, users have been advised to upgrade to the latest available version of the software and apply the security update. PrestaShop stated that the security upgrade has already been released.
The security update improves the MySQL Smarty cache storage and makes it resistant to code injection attacks, especially for those that want to keep using the legacy feature.
But the PrestaShop team advised that the security update will not work in some situations, especially those where their website has already been infected.
Threat Actors Launch More Magercar Attacks
PrestaShop says is the leading open-source eCommerce solution in Latin America and Europe. The main goal of the attackers is to plant malicious code that can steal the payment information of customers on checkout pages. It’s not clear how many of the websites have been infected. But PrestaShop stated that it is investigating the situation and will provide more details about the situation soon.
The development is coming at a time restaurant ordering platforms are witnessing a wide range of Magecart attacks. Platforms such as InTouchPOS, Habortouch, and MenuDrive have been hit in recent times, which led to the compromise of over 300 restaurants.
The restaurant ordering platforms were targets of two Magecart skimming campaigns. The three breaches resulted in the theft of more than 50,000 payment card records from the compromised restaurants as the details were posted on the dark web.