Note: This post is sparse on technical details because of ongoing investigations; it is commentary only.
As a systems administrator, I've seen many kinds of web application compromise: WordPress, Joomla, OSCommerce, you name it.
Recently a new kind of vulnerability has arisen for the popular Magento ecommerce platform, aptly called "Shoplift". This bug has some serious nastiness that allows very bad things to happen to an unpatched site. The exploit itself allows:
- Authentication Bypass
- Remote File Inclusion/Remote Code Execution (mostly due to auth bypass)
- SQL Query Injection
Differences from the usual compromise
This Magento exploit poses a rather different kind of threat than the usual dime-a-dozen WordPress and Joomla sites have. Observing some activity, and indeed correlating with others' discoveries (namely Sucuri's), I'm noticing something rather different about wild exploitations of Shoplift. Here's what I can see and my thoughts on it.
- Webshells and other specific malicious files are rarely uploaded.
While I have seen it in this particular exploit in the wild, it does not appear to be anything more than access persistence that is then sold on to do bad things (like spamming).
- Attackers are attempting to remain low profile.
As above, they are not leaving traces of their presence that anti-virus and web application firewalls can mitigate; they mostly use parts of the site itself to their advantage, or install innocuous-looking plugins to achieve their goal.
- Changes to core code are very subtle and usually try to blend in with the other site functions.
Backdoor access to administrative functions via very slight changes to code has been observed.
- The focus appears to be that of Customer information and sensitive financial details.
Given the nature of the information that a Magento site will see and store, I think it is highly likely this exploit is going to attract the internet's seedy underbelly of privacy theft, credit card fraud, and other very malicious and serious offences, and what I have seen so far gives me high confidence that this is the case.
- A very dedicated core group set to work on getting access only days after the details of the exploit were disclosed by the discovering party.
As noted in the Sucuri blog, the two Russian IPs it identifies have been very busy.
- Even after a site is patched, admin credentials belonging to attackers can still be present in a database.
This leads to the next part of this post.
What you need to do as a Magento site maintainer/developer
Even if you have applied a patch, audit your administrator logs, and administrator user accounts!
If in doubt, it's probably malicious. Engage a company like Sucuri to look for malware and malicious modifications to site code, or completely re-install the core site files.
Observe what your customers are saying. If they report receiving emails purporting to be from your business and asking for credit card details, you have an issue.
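As an added example (not from the original post, and not Magento's own tooling), here is a small script for the admin-account audit described above. It assumes Magento 1's `admin_user` table exposes `username`, `email`, `created` and `is_active` columns (a schema assumption), runs against constructed sample rows in an in-memory SQLite database, and uses example values for the allowlist, staff mail domain and exposure-start date that you would replace with your own.

```python
import sqlite3
from datetime import datetime

# Assumed Magento 1 `admin_user` columns (schema assumption for this example).
COLUMNS = ("username", "email", "created", "is_active")

# Constructed sample rows: three accounts the owner created and one nobody can explain.
SAMPLE_ROWS = [
    ("admin",   "owner@example.com",   "2014-01-10 09:00:00", 1),
    ("shopmgr", "manager@example.com", "2014-06-02 11:30:00", 1),
    ("jim",     "jim@example.com",     "2013-11-20 14:00:00", 0),
    ("ypwq",    "ypwq@example.net",    "2015-04-24 03:14:07", 1),
]

# Example values: replace with what the site owner actually knows.
KNOWN_ADMINS = {"admin", "shopmgr", "jim"}   # accounts the owner created on purpose
OWNER_DOMAINS = {"example.com"}              # mail domains staff accounts use
EXPOSURE_START = datetime(2015, 4, 1)        # start of the window you treat as suspect

def load_sample():
    """Build an in-memory admin_user table from the constructed rows so the audit runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_user (%s)" % ", ".join(COLUMNS))
    conn.executemany("INSERT INTO admin_user VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def audit_admin_users(conn, known=KNOWN_ADMINS, domains=OWNER_DOMAINS, since=EXPOSURE_START):
    """Return {username: [reasons]} for every admin account that needs explaining.

    Disabled accounts are checked too: a patch does not remove rows an attacker added.
    """
    findings = {}
    query = "SELECT %s FROM admin_user" % ", ".join(COLUMNS)
    for username, email, created, is_active in conn.execute(query):
        reasons = []
        if username not in known:
            reasons.append("not in owner allowlist")
        if email.rsplit("@", 1)[-1].lower() not in domains:
            reasons.append("email domain not used by staff")
        if datetime.strptime(created, "%Y-%m-%d %H:%M:%S") >= since:
            reasons.append("created inside the exposure window")
        if reasons:
            findings[username] = reasons + ["active" if is_active else "disabled"]
    return findings

if __name__ == "__main__":
    for user, reasons in audit_admin_users(load_sample()).items():
        print("%s: %s" % (user, "; ".join(reasons)))
```

Run it against a dump of your real `admin_user` table and treat every flagged row as an account to remove or justify, not merely disable.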
In conclusion, a major exploit and very widespread attacks were only a matter of time for Magento, as with any popular web application. The implications, however, are extremely serious, and I would be unsurprised to hear of future major credit card breaches similar to the PoS malware at Target and other US retail/restaurant chains, and the major breaches of sites running unpatched ColdFusion installations.
Keep watching your logs.
- https://shoplift.byte.nl/ – What is Shoplift?
- https://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html – Sucuri's reporting of exploits in the wild.
- http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches – Advice (for Australian companies) on how to handle privacy breaches.
- http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/ – Details of serious information breaches on ColdFusion sites used for ecommerce.