- PolyShell vulnerability in Magento/Adobe Commerce mass exploited, hitting over half of vulnerable stores
- Attackers deploy novel WebRTC-based credit card skimmer to evade security controls
- Compromised versions targeted since March 19, including high-value ecommerce sites
PolyShell, a newly discovered vulnerability in certain Magento Open Source and Adobe Commerce installations, is now being actively used in attacks against a large number of websites, researchers are warning.
A new vulnerability has been found affecting stable version 2 installations of the abovementioned software, allowing threat actors to execute malicious code without authentication, and take over user accounts.
Adobe patched it, but the fix was only available in the second alpha release for version 2.4.9, meaning production versions remained vulnerable.
Article continues below
Targeting a $100 billion company
At the time, security researchers Sansec advised website admins to restrict access to pub/media/custom_options/ folders, verify that nginx or Apache rules prevent the access, and scan stores for uploaded malware and backdoors.
They also said that at first, there was no evidence of abuse in the wild, but stressed that an exploit method was “circulating already”.
Now, it appears that the predictions were true, as Sansec says more than half of all vulnerable stores are being targeted.
“Mass exploitation of PolyShell started on March 19th, and Sansec has now found PolyShell attacks on 56.7% of all vulnerable stores,” Sansec said, without giving a raw number of targeted sites.
In some of the attacks, threat actors would deploy a credit card skimmer that was not seen before. This skimmer apparently uses Web Real-Time Communication (WebRTC) to exfiltrate data, which is a rather novel approach. As BleepingComputer explained, WebRTC uses DTLS-encrypted UDP rather than HTTP, making it better at evading security controls “even on sites with strict Content Security Policy (CSP) controls like ‘connect-src.’”
The skimmer was built in JavaScript and connects to a hardcoded C2 server, from which it receives a second-stage payload. It was first spotted on an ecommerce website belonging to a carmaker valued at over $100 billion.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
