Online stores for governments and multinationals hacked via new security flaw

Little-known database management tool allowed hackers to take over sites and inject malicious code that steals payment card details.


Since at least October 2018, multiple hacking groups have been abusing a previously unknown security flaw in a database management tool to take over online stores and insert malicious code that steals payment card details from checkout forms.

The attacks have been spotted by Dutch security researcher Willem de Groot, who says that several high-profile stores for governments and multinational companies have been hacked this way and injected with card skimmers.

In a report shared with ZDNet earlier today, de Groot says he initially spotted this trick being used by multiple groups engaged in Magecart-like attacks last year.

However, it took the researcher a few months to understand what was happening on the hacked sites, and how attackers were breaking into companies' seemingly secure online stores.

According to de Groot, at fault is a tiny little web app named Adminer, a tool that lets web developers and site owners manage a database via a graphical user interface (GUI), inside their browser.

Website owners install Adminer on their servers to simplify database management, or the tool is secretly included with various plugins for Magento and WordPress, two popular online store solutions.

The app can be password-protected, but many admins fail to set a password. The app also lets admins connect to any remote MySQL database, not just the one hosted on the server where Adminer is installed.

De Groot says he identified what appears to be a new vulnerability in this app, which crooks have been abusing since last October.

Hackers exploit this vulnerability by identifying unprotected adminer.php files that are left open to remote connections, and later using them to connect to their own MySQL servers.

While connected to their own databases, but via a victim's Adminer tool, hackers can trick the app into retrieving any file from the victim's server.

De Groot says hackers have been using this trick to download database configuration files for online stores. These files contain the username and password for the stores' underlying databases, which hackers then use to inject the skimmer code that steals card details, and possibly other backdoors.

"Because different Magecart factions use it, I suspect that the modified MySQL server is for sale on the dark web," the researcher said about the possibility that some of these sites are also being offered for sale to multiple cybercriminal gangs.

De Groot says that all Adminer versions from 4.3.1 to 4.6.2 are vulnerable. The last two Adminer releases, 4.6.3 and 4.7.0, are safe.

"It is unclear whether the security flaw was fixed deliberately or by accident, as Adminer does not mention a security release," the researcher said.

De Groot now warns website owners to protect their Adminer instances. He says that through the various honeypots and the customer sites that he manages, he has recently seen a spike in scans for Adminer-specific files, which are most likely attempts from hacker groups to find more victims.
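One way a site owner could inventory Adminer copies under a webroot and flag those in the 4.3.1 to 4.6.2 range cited above; this is an added example, not code from de Groot's report or the Adminer project. It assumes the file name contains "adminer" and that the version appears as an `@version x.y.z` tag in the file header; files without that tag are reported as unknown, and the function names are illustrative.

```python
import os
import re
import tempfile

# Inclusive version range the article reports as vulnerable.
VULN_MIN, VULN_MAX = (4, 3, 1), (4, 6, 2)
# Assumption: the file carries an "@version x.y.z" tag in its header comment.
VERSION_RE = re.compile(rb"@version\s+(\d+)\.(\d+)\.(\d+)")

def classify(version):
    """Map a (major, minor, patch) tuple, or None, to a status string."""
    if version is None:
        return "unknown"  # no version tag found: needs manual review
    return "vulnerable" if VULN_MIN <= version <= VULN_MAX else "outside-range"

def read_version(path, head_bytes=4096):
    """Return the version tuple found in the first bytes of the file, or None."""
    try:
        with open(path, "rb") as fh:
            match = VERSION_RE.search(fh.read(head_bytes))
    except OSError:
        return None
    return tuple(int(g) for g in match.groups()) if match else None

def audit_webroot(root):
    """Yield (relative_path, version, status) for Adminer-like PHP files."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            lower = name.lower()
            if "adminer" in lower and lower.endswith(".php"):
                path = os.path.join(dirpath, name)
                version = read_version(path)
                yield os.path.relpath(path, root), version, classify(version)

if __name__ == "__main__":
    # Constructed sample webroot; file names and contents are made up.
    samples = {
        "adminer.php": b"<?php\n/** Adminer\n* @version 4.6.2\n*/",
        "adminer-4.7.0.php": b"<?php\n/** Adminer\n* @version 4.7.0\n*/",
        "db-adminer.php": b"<?php // header stripped",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        for rel, version, status in audit_webroot(root):
            print(f"{status:14} {rel} {version}")
```

"outside-range" covers both the releases the article names as safe and versions older than 4.3.1, which the article does not discuss.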
