- PolyShell vulnerability in Magento/Adobe Commerce exploited en masse, affecting more than half of vulnerable stores
- Attackers deploy new WebRTC-based credit card skimmer to evade security controls
- Vulnerable stores targeted since March 19, including high-value e-commerce sites
PolyShell, a vulnerability recently discovered in some Magento Open Source and Adobe Commerce installations, is now actively used in attacks against a large number of websites, researchers warn.
The vulnerability affects stable 2.x installations of Magento Open Source and Adobe Commerce and allows unauthenticated attackers to execute malicious code and take over user accounts.
Adobe fixed it, but the fix was only available in the second alpha release of 2.4.9, meaning production builds remained vulnerable.
Targeting a $100 billion company
At the time, Sansec security researchers advised website administrators to restrict access to the pub/media/custom_options/ folder, verify that their nginx or Apache rules actually block access to it, and scan their stores for downloaded malware and backdoors.
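One way to apply that interim advice on an nginx-fronted store, as an added example that is not from the article or from Sansec; it assumes the server's document root is Magento's pub/ directory, so the folder is reachable as /media/custom_options/ (adjust the paths for your layout or for Apache):

```nginx
# Added example (not from the article). Assumes root is Magento's pub/ directory,
# so pub/media/custom_options/ maps to the URL path /media/custom_options/.
# "^~" makes this prefix match win over any regex location, such as the
# Magento sample config's static-file and /media/ handlers.
location ^~ /media/custom_options/ {
    return 403;
}

# Belt and braces: never hand anything uploaded under /media/ to the PHP interpreter,
# so an uploaded script cannot be executed even if another rule lets it be fetched.
location ~* ^/media/.*\.(php|phtml|phar)$ {
    return 403;
}
```

After reloading nginx, a request for /media/custom_options/ should return 403 while ordinary product images under /media/ still load; test both before relying on the rule.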
They also said that initially there was no evidence of abuse in the wild, but stressed that a method of exploitation was “already circulating.”
It now appears that these predictions have proven true, as Sansec claims that more than half of all vulnerable stores are being targeted.
“Massive PolyShell exploitation began on March 19 and Sansec has now detected PolyShell attacks on 56.7% of all vulnerable stores,” Sansec said, without giving a raw number of targeted sites.
In some attacks, malicious actors deployed a never-before-seen credit card skimmer. This skimmer apparently uses Web Real-Time Communication (WebRTC) to exfiltrate data, which is a rather novel approach. As BleepingComputer explains, WebRTC uses DTLS-encrypted UDP rather than HTTP, which allows it to better evade security controls “even on sites with strict Content Security Policy (CSP) controls like ‘connect-src.’”
The skimmer was built in JavaScript and connects to a hardcoded C2 server, from which it receives a second-stage payload. It was first spotted on an e-commerce site owned by an automaker valued at over $100 billion.
Via BleepingComputer