Cybersecurity intelligence vendor Flashpoint has warned that attackers are targeting Magento. Magento is an open source ecommerce website platform. The attack has been ongoing since 2016.
Magento is an ecommerce platform that has both a free open source version and a curated enterprise version. The latter comes with access to support and is maintained by Magento. This is common among successful open source products.
The attackers are targeting administrator panels. This allows them to scrape credit card numbers and install cryptocurrency mining malware. Flashpoint revealed the details in a blog from Vitali Kremez, Amina Bashir and Paul Burbage.
According to the blog: “Researchers at Flashpoint are aware of the compromise of at least 1,000 Magento admin panels, and said that interest in the platform has continued unabated on entry-level and top-tier Deep & Dark Web forums since 2016.”
How does the attack work?
The researchers go on to say: “The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials. Brute-force attacks such as these are simplified when admins fail to change the credentials upon installation of the platform. Attackers, meanwhile, can build simple automated scripts loaded with known credentials to facilitate access of the panels.”
As with any CMS, access to the admin panel enables new plugins and scripts to be added. In this case the attackers have been inserting malicious code into the Magento core files. Flashpoint says that this allowed them to access payment data: when a shopper submitted the payment form, the entered data was redirected to the attackers. This enabled the attackers to grab payment data including credit and debit card details.
Visitors to compromised sites are then subjected to malware attacks. The websites tell the user that they need to update their Adobe Flash Player software. Users who click on the link are served malware from servers hosted on GitHub and other sites.
There are several pieces of malware involved. The AZORult data stealing software is the first piece downloaded. It, in turn, downloads other malware including the Rarog cryptocurrency miner.
Attackers getting smarter
One thing that stands out in this report is the effort the attackers are making to avoid detection. The researchers say that the malicious files are updated daily. This makes the files hard for security software vendors to detect, because their signatures change faster than detection updates can keep up with them.
The use of GitHub also helps the attackers. Developers increasingly use GitHub to download new code and even store their own code. This means that where an organisation operates a ‘white list’ of safe sites, GitHub will be on it. As a result, the malware downloads are able to avoid being blocked. This has also led to an increasing number of attackers using GitHub to host their code.
What does this mean?
Another day, another attack and yet again at the core of this attack we see default credentials. It seems that users never learn. Credentials used to install software must be changed as soon as the software is installed. Software should prompt users to change these default credentials and even refuse to function unless they are changed. This would remove some of the attacks we see regularly.
The use of brute force attacks on credentials is also nothing new. It takes little effort to set alerts inside login systems to detect repeated password fails yet they are still not commonly used. Unfortunately, even where they are available, administrators often turn them off to prevent calls from users who struggle to type their passwords correctly.
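As an added illustration of the failed-login alerting described above (example code, not from the article, Flashpoint or Magento): a small Python detector that reads constructed admin-login log lines, flags a source address that exceeds a failure threshold inside a time window, and raises a second alert when that same source then logs in successfully, which is the pattern a default-credential brute-force attack leaves behind. The log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2018-04-03T10:00:01Z 203.0.113.5 admin FAIL
2018-04-03T10:00:02Z 203.0.113.5 admin FAIL
2018-04-03T10:00:03Z 203.0.113.5 admin FAIL
2018-04-03T10:00:04Z 203.0.113.5 admin FAIL
2018-04-03T10:00:05Z 203.0.113.5 admin FAIL
2018-04-03T10:00:06Z 203.0.113.5 admin OK
2018-04-03T10:05:00Z 198.51.100.7 alice FAIL
2018-04-03T10:06:30Z 198.51.100.7 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # skip lines that do not match the assumed format
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return alerts: one per source IP reaching `threshold` failures within
    `window_seconds`, plus one for each later successful login from that IP."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = set()                 # ips already reported for brute forcing
    alerts = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, ip, user, outcome = parsed
        q = failures[ip]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if outcome == "FAIL":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip, user, len(q)))
        elif ip in flagged:  # a success after a burst of failures is the real alarm
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ip, user, len(q)))
    return alerts
```

The second alert type is the one worth paging on: a lockout or notification on the first would have stopped the login that followed.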
Enterprise Times emailed Magento yesterday asking if they had a security update upcoming to make brute force attacks harder and to stop the use of default credentials. We have heard nothing yet. When we do, we will post their reply in the comments below. In the meantime, Forcepoint recommends Magento admins should:
- Enforce organizational password complexity requirements.
- Restrict users from recycling previously used passwords.
- Enable two-factor authentication for sensitive systems, applications, databases, and remote access solutions.
- Supply users with secure password managers to assist with password requirements.
Magento has sent us the following statement.
James Harris, Chief Information Security Officer at Magento Commerce: “Up to 1,000 open-source accounts were affected by brute force attacks, a form of fraud where cybercriminals take advantage of weak passwords to steal information and distribute malware. This is not a new threat, as there have been previously reported variants that have impacted other vendor systems.
All accounts identified were on Magento Open Source (formerly Community Edition), and we have communicated to users how to take immediate action and employ preventive measures. We continue to be fully committed to ensuring the security of our merchants and their customers, encouraging all of our merchants to stay up-to-date on security patches and recommended security best practices, found at www.magento.com/security/best-practices, as well as perform malware tests on sites with the Magento Security Scan Tool accessed in their Magento account.”
While we welcome Harris’ statement it doesn’t answer all the issues. For example, he talks about the brute force attack but ignores the use of common and default Magento credentials in the community edition. It would take little effort for Magento to write code that could be inserted into the community edition to force default credentials to be changed. Perhaps that will happen in the next refresh and Harris will announce it in a press release.
Until then, it is important that ANY Magento users make sure they are not using the default accounts created by the software. Instead, they need to change the accounts and passwords before allowing anyone to connect to the software.