Magecart group leverages zero-days in 20 Magento extensions

Security researcher asks for help in identifying all vulnerable Magento extensions. Only two of 20 currently identified.

Hackers are (ab)using unpatched zero-day vulnerabilities in approximately 20 Magento extensions to plant payment card skimmers on online stores, according to Dutch security expert Willem de Groot.

The researcher has been tracking this recent campaign but has only identified two of the 20 extensions that hackers are targeting.

He's now asking the wider infosec and web development community for help in identifying the other 18 extensions, so he can notify developers and have the zero-days fixed.

The researcher has listed a series of URL paths through which hackers have been exploiting the zero-days to gain footholds on stores running the vulnerable extensions. The URL paths are as follows:

POST /index.php/advancedreports/chart/tunnel/
POST /index.php/aheadmetrics/auth/index/
POST /index.php/ajax/Showroom/submit/
POST /index.php/ajaxproducts/index/index/
POST /index.php/bssreorderproduct/list/add/
POST /index.php/customgrid/index/index/
POST /index.php/customgrid/Blcg/Column/Renderer/index/index/
POST /index.php/customgrid/Blcg_Column_Renderer_index/index/
POST /index.php/customgrid/index/index/
POST /index.php/emaildirect/abandoned/restore/
POST /index.php/freegift/cart/gurlgift/
POST /index.php/gwishlist/Gwishlist/updategwishlist/
POST /index.php/layaway/view/add/
POST /index.php/madecache/varnish/esi/
POST /index.php/minifilterproducts/index/ajax/
POST /index.php/multidealpro/index/edit/
POST /index.php/netgocust/Gwishlist/updategwishlist/
POST /index.php/prescription/Prescription/amendQuoteItemQty/
POST /index.php/qquoteadv/download/downloadCustomOption/
POST /index.php/rewards/customer/notifications/unsubscribe/  [Already identified as "TBT_Rewards"]
POST /index.php/rewards/customer_notifications/unsubscribe/  [Already identified as "TBT_Rewards"]
POST /index.php/rewards/notifications/unsubscribe/  [Already identified as "TBT_Rewards"]
POST /index.php/simplebundle/Cart/add/      [Already identified as "Webcooking_SimpleBundle"]
POST /index.php/tabshome/index/ajax/
POST /index.php/vendors/credit/withdraw/review/
POST /index.php/vendors/credit_withdraw/review/
POST /index.php/vendors/withdraw/review/
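For store operators who want to check their own access logs against this list, the following is an added example in PHP; it is not code from the article or from de Groot's report. The path list is copied from the article, the log lines are constructed samples in Apache/nginx combined format, and the function names are this example's own.

```php
<?php
// Added example (not from the article or from de Groot's report): scan a
// web-server access log for POST requests to the exploitation paths listed
// above and print the matches. The path list is copied from the article;
// the log lines are constructed samples in combined log format.

$exploitPaths = [
    '/index.php/advancedreports/chart/tunnel/',
    '/index.php/aheadmetrics/auth/index/',
    '/index.php/ajax/Showroom/submit/',
    '/index.php/ajaxproducts/index/index/',
    '/index.php/bssreorderproduct/list/add/',
    '/index.php/customgrid/index/index/',
    '/index.php/customgrid/Blcg/Column/Renderer/index/index/',
    '/index.php/customgrid/Blcg_Column_Renderer_index/index/',
    '/index.php/emaildirect/abandoned/restore/',
    '/index.php/freegift/cart/gurlgift/',
    '/index.php/gwishlist/Gwishlist/updategwishlist/',
    '/index.php/layaway/view/add/',
    '/index.php/madecache/varnish/esi/',
    '/index.php/minifilterproducts/index/ajax/',
    '/index.php/multidealpro/index/edit/',
    '/index.php/netgocust/Gwishlist/updategwishlist/',
    '/index.php/prescription/Prescription/amendQuoteItemQty/',
    '/index.php/qquoteadv/download/downloadCustomOption/',
    '/index.php/rewards/customer/notifications/unsubscribe/',
    '/index.php/rewards/customer_notifications/unsubscribe/',
    '/index.php/rewards/notifications/unsubscribe/',
    '/index.php/simplebundle/Cart/add/',
    '/index.php/tabshome/index/ajax/',
    '/index.php/vendors/credit/withdraw/review/',
    '/index.php/vendors/credit_withdraw/review/',
    '/index.php/vendors/withdraw/review/',
];

// Constructed sample log lines; the addresses are documentation ranges, not real clients.
$sampleLog = <<<'LOG'
203.0.113.5 - - [23/Oct/2018:10:12:01 +0000] "GET /index.php/catalog/category/view/id/3/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Oct/2018:10:12:07 +0000] "POST /index.php/simplebundle/Cart/add/ HTTP/1.1" 200 312 "-" "python-requests/2.19"
203.0.113.9 - - [23/Oct/2018:10:12:08 +0000] "POST /index.php/CustomGrid/index/index?x=1 HTTP/1.1" 500 0 "-" "python-requests/2.19"
198.51.100.7 - - [23/Oct/2018:10:13:40 +0000] "POST /index.php/checkout/onepage/saveOrder/ HTTP/1.1" 200 88 "-" "Mozilla/5.0"
LOG;

/** Reduce a request path to a comparable key: lowercase, no query string, no trailing slash. */
function normalizePath(string $path): string
{
    $path = explode('?', $path, 2)[0];
    return rtrim(strtolower($path), '/');
}

/** Parse one combined-format line; returns null if the line does not match the format. */
function parseLogLine(string $line): ?array
{
    // ip ident user [time] "METHOD PATH PROTOCOL" status bytes "referer" "user-agent"
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

/** Return every POST request whose path is one of the listed entry points. */
function findExploitAttempts(string $log, array $paths): array
{
    $lookup = array_fill_keys(array_map('normalizePath', $paths), true);
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLogLine($line);
        if ($req !== null && $req['method'] === 'POST' && isset($lookup[normalizePath($req['path'])])) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Run against the constructed sample: the two python-requests POSTs are reported.
foreach (findExploitAttempts($sampleLog, $exploitPaths) as $hit) {
    printf("%s %s POST %s -> HTTP %d\n", $hit['time'], $hit['ip'], $hit['path'], $hit['status']);
}
```

Both sides of the comparison go through normalizePath(), so a request that differs from the listed path only in letter case, a query string, or a trailing slash is still reported. The HTTP status is printed rather than used as a filter: a 500 after a POST to one of these paths tells you the request reached the extension, not that the attempt failed, so such lines deserve the same attention as a 200. To scan a real log, replace $sampleLog with file_get_contents() of the access log.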

Webcooking, the maker of the Webcooking_SimpleBundle Magento extension, one of the two extensions de Groot has identified by name, has already shipped a fix, hours after the researcher reached out.

The second extension identified by name was TBT_Rewards, which was abandoned a few months ago and which should be uninstalled from all stores because of the current security risk.

As this article ages, a more accurate list of affected extensions will be kept up to date on de Groot's website.

Extension developers are to blame

According to de Groot, the zero-days affecting the 20 extensions are practically the same flaw, merely found in 20 different places.

"While the extensions differ, the attack method is the same: PHP Object Injection (POI)," de Groot said in a technical report published today.

He says attackers are abusing the PHP unserialize() function to insert malicious code inside the victim's site.

This particular type of attack isn't new. The Magento e-commerce platform itself was once affected by this very same issue, which is tracked as CVE-2016-4010.

The Magento team fixed this vulnerability by replacing the PHP unserialize() function with json_decode() in patch SUPEE-8788, released in October 2016.

But according to de Groot, many extension developers didn't follow the Magento team's example and have left instances of the PHP unserialize() function in their code, leaving Magento stores exposed to this attack even if they applied the SUPEE-8788 patch years ago.
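To make the flaw class concrete, here is an added example in PHP, written for this article and not taken from any of the extensions named above or from Magento's own code. It contrasts the unserialize() pattern de Groot describes with the json_decode() approach Magento adopted in SUPEE-8788, and shows the allowed_classes option of PHP 7's unserialize() as a stop-gap where the serialized format cannot be changed yet. All function and parameter names are hypothetical.

```php
<?php
// Added example, not code from any extension named in the article or from
// Magento itself. It contrasts the unsafe pattern (request data passed to
// unserialize()) with the json_decode() approach Magento took in SUPEE-8788.
// Function and parameter names are hypothetical.

// BEFORE: PHP Object Injection. unserialize() instantiates whatever class the
// input names and later runs that class's __wakeup()/__destruct() methods, so
// whoever controls $raw (here, a POST parameter) controls which objects the
// application creates.
function loadOptionsUnsafe(string $raw): array
{
    $options = unserialize($raw);
    return is_array($options) ? $options : [];
}

// AFTER (preferred): a JSON document decodes only to scalars and arrays, never
// to objects of application classes, so the injection vector disappears.
function loadOptionsJson(string $raw): array
{
    $options = json_decode($raw, true, 16);   // associative arrays, bounded nesting depth
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($options)) {
        return [];
    }
    return $options;
}

// AFTER (stop-gap when the serialized format cannot be changed yet): on PHP 7.0+
// unserialize() can be told to instantiate no classes at all. Any object in the
// input becomes __PHP_Incomplete_Class and no magic methods run. Malformed
// input returns false (with an E_NOTICE), which the is_array() check rejects.
function loadOptionsSerializedSafer(string $raw): array
{
    $options = unserialize($raw, ['allowed_classes' => false]);
    return is_array($options) ? $options : [];
}

// A hypothetical controller action using the hardened loader. Values taken
// from the decoded structure are still validated individually: removing the
// object-injection vector does not make the contents trustworthy.
function updateCartOptionsAction(array $post): array
{
    $options = loadOptionsJson($post['options'] ?? '');
    $qty = filter_var(
        $options['qty'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($qty === false) {
        return ['ok' => false, 'error' => 'invalid quantity'];
    }
    return ['ok' => true, 'qty' => $qty];
}

// Constructed inputs: a well-formed JSON options document and a malformed one.
var_dump(updateCartOptionsAction(['options' => '{"qty": 3}']));
var_dump(updateCartOptionsAction(['options' => 'not json at all']));
```

When auditing an extension, the first thing to grep for is any call to unserialize() whose argument can be traced back to $_POST, $_GET, $_COOKIE or a request object; each such call is a candidate for the same fix Magento applied, and the allowed_classes form is only a bridge until the stored format is migrated to JSON.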

"Core platforms tend to be pretty good, it's just the plugins that keep messing up," said Yonathan Klijnsma, a threat researcher at RiskIQ and one of the experts who have been tracking these types of attacks alongside de Groot.

"Plugin writers don't always have a security mindset for writing these plugins, it's more about the functionality of their plugin," Klijnsma told ZDNet today.

Hackers are creating fake checkout forms

The group employing this collection of Magento extension zero-days is one of the groups tracked under the umbrella term of Magecart. Magecart attacks have been happening for the past three years, but they have intensified and grown bolder this year after some attacks impacted larger entities, such as Ticketmaster, British Airways, and Newegg.

While initially there was only one Magecart group behind attacks, several different actors are now active using the same modus operandi.

De Groot says the group behind the Magento extensions zero-days campaign is also quite clever. The hackers aren't content with injecting a script on hacked stores that steals payment card data from checkout forms, like most other Magecart groups.

In cases where the store owner handles card payments via external providers (such as PayPal or Skype) or doesn't handle card payments at all, this group will redirect store visitors to a fake checkout form that they created on purpose.

The group uses this fake checkout form to collect payment card details, maximizing their efforts, even on stores that other Magecart groups would have considered worthless.
