Posted on June 13, 2019 at 1:27 PM
The new wave of hacking attacks seems to be focusing heavily on Magento 2.x stores, with the number of attacks against them more than doubling each month. So far, researchers have determined that two hacking groups are responsible for most of the attacks.
The rise in attacks began in March, and the count had doubled by the time April arrived. From April to May it surged yet again. June does not appear to be any better, and it remains to be seen whether anything can be done to stem the attacks.
According to researchers, the surge follows the discovery of a security bug in the Magento 2.x content management system. Once the flaw, tracked as PRODSECBUG-2198, became known, many attackers began abusing it to compromise shopping sites.
The vulnerability is an SQL injection flaw in Magento's CMS. As such, it can be exploited remotely, and it allows unauthenticated attackers to gain access to vulnerable websites and even take them over completely.
The flaw was discovered a while ago, and Magento's team patched it back in March of this year. However, the patch does not seem to have changed much, as a new wave of attacks kicked off only about 16 hours after it had been released.
The situation quickly worsened further after the company that originally discovered the bug, Ambionics, published proof-of-concept code. The code was released only around two days after the patch, leaving store owners without enough time to apply it.
As one Twitter comment noted, the tool for exploiting the bug was released on a Friday, barely two days after the patch, and exploitation of still-unpatched sites surged rapidly. The number of hacked Magento sites has doubled every month since, and the attackers were also infecting them with malware that stole card data from customers who continued to purchase from the affected stores.
Willem de Groot, founder of Sanguine Security, ran daily scans of the top million websites to check for unusual and suspicious activity. This allowed him to uncover the malware and verify its existence and use. Although numerous hacking groups are exploiting the flaw, de Groot says that the majority of breaches were carried out by two specific groups.
The two groups are responsible for 90% of the attacks, with one of them accounting for 70% of the breaches and the other for the remaining 20%. He also found that the group responsible for the 70% share is the same one behind the Puma Australia attack. That group's skimming code supports more than 50 global payment services.
De Groot also warns that getting rid of the skimmers is extremely difficult once they have found their way in. According to his estimates, around 20% of infected merchants are reinfected within two weeks.
To help combat the increasing number of attacks, de Groot published tips on how to deal with hacked sites and helped Magento stores upgrade to new versions containing the fix for the vulnerability. He also published advice on additional protective measures that Magento stores might want to employ to reduce the number of hacks in the future.
So far, the attacks have continued to grow, and it remains unclear exactly who is behind them. Neither of the hacking groups has been identified yet, and the attackers may well remain anonymous even after the incidents eventually stop.
Meanwhile, this serves as yet another example of why it is crucial for people and businesses to apply software updates as soon as they are released. New vulnerabilities are discovered all the time, and failing to apply a fix, especially one that has been available for months, can only lead to further damage and new incidents.