June 13, 2019
The new wave of hacking attacks seems to be focusing heavily on Magento 2.x stores, as the number of cyber attacks against them more than doubles with each passing month. So far, researchers have determined that two hacking groups are responsible for the attacks.
Originally, the rise of hacking attacks started in March, only to double by the time April had arrived. Then, the number of attacks surged yet again from April to May. The situation in June does not appear to be any better, and it has yet to be seen whether something can be done about the attacks.
According to researchers, the surge in hacks comes from the discovery of a security bug in the Magento 2.x content management system. Once the flaw, known as PRODSECBUG-2198, became known, many started abusing it in order to compromise shopping sites.
This particular vulnerability is an SQL injection flaw in Magento's CMS. It can be exploited remotely, and it allows unauthenticated attackers to gain access to vulnerable websites and even pull off a complete takeover.
The flaw was discovered a while ago, and Magento's team actually patched it back in March of this year. However, this does not seem to have changed things much, as a new wave of attacks kicked off only about 16 hours after the patch had been released.
The situation quickly worsened further after the company that originally discovered the bug — Ambionics — published proof-of-concept code. The code was released only around two days after the patch was published, and store owners did not have enough time to implement the
As one Twitter comment mentioned, the tool for exploiting the bug was released on a Friday, barely two days after the patch, and exploitation of still-unpatched sites surged rapidly. The number of hacked Magento sites has doubled every month since, and hackers have even been infecting them with malware that steals card data from customers who continue to purchase the sites' products.
Willem de Groot, founder of Sanguine Security, ran daily scans of the top million websites to check for unusual and suspicious activity. This allowed him to uncover the malware and verify its existence and use. Although numerous hacking groups are exploiting the flaw, de Groot claims that the majority of the security breaches were carried out by two specific groups.
The two groups are responsible for 90% of the attacks, with one of them making 70% of the breaches and the other the remaining 20%. Not only that, but he also discovered that the group responsible for 70% of the breaches is the same one that was responsible for the Puma Australia attack. That group also supports skimming of more than 50 global
De Groot also warns that getting rid of the skimmers is extremely difficult once they have found their way in. According to his estimates, around 20% of infected merchants are reinfected within two weeks.
To help combat the increasing number of attacks, de Groot published tips on how to deal with hacked sites, and he helped Magento stores upgrade to new versions containing the fix for the vulnerability. He also published advice on additional protective measures that Magento stores might want to employ in order to reduce the number of hacks in the future.
So far, the attacks have continued to grow, and it remains unclear who exactly is behind them. Neither of the hacking groups has been identified as of yet, and there is a chance that the hackers will remain anonymous even after the incidents eventually stop.
Meanwhile, this serves as yet another example of why it is crucial for people and businesses to implement updates to their software as soon as it gets released. New vulnerabilities are being discovered all the time, and not applying the fix — especially when one has been out for months — can only lead to further damage and new incidents.