Threat actors have been found exploiting a critical flaw in Magento to inject a persistent backdoor into e-commerce websites.
The attack leverages CVE-2024-20720 (CVSS score: 9.1), which has been described by Adobe as a case of “improper neutralization of special elements” that could pave the way for arbitrary code execution.
It was addressed by the company as part of security updates released on February 13, 2024.
Sansec said it discovered a “cleverly crafted layout template in the database” that is being used to automatically inject malicious code to execute arbitrary commands.
“Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands,” the company said.
“Because the layout block is tied to the checkout cart, this command is executed whenever
The command in question is sed, which is used to insert a code execution backdoor that is then responsible for delivering a Stripe payment skimmer to capture and exfiltrate financial information to another compromised Magento store.
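For defenders who want to review layout updates stored in the database for the pattern described above, the following is an added example, not code from Sansec, Adobe or the original article. It assumes the rows were exported as (id, handle, xml) tuples from Magento's `layout_update` table (the table and handle names are assumptions), and the sample rows are constructed and non-functional.

```python
import re
import xml.etree.ElementTree as ET

# Indicators named in the report: layout XML that references the
# beberlei/assert package (PHP namespace "Assert\") or carries a sed command.
ASSERT_NS = re.compile(r"\bAssert\\+\w+", re.IGNORECASE)
SED_CALL = re.compile(r"(?<![\w.-])sed\s+-", re.IGNORECASE)
# Stored layout updates are fragments, so wrap them and declare the xsi prefix.
WRAP = '<root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">%s</root>'

def strings_in(xml_text):
    """Yield attribute values and text nodes; the raw text if parsing fails."""
    try:
        root = ET.fromstring(WRAP % xml_text)
    except ET.ParseError:
        yield xml_text  # malformed XML is still searched as plain text
        return
    for el in root.iter():
        yield from el.attrib.values()
        yield from (t for t in (el.text, el.tail) if t and t.strip())

def scan_rows(rows):
    """Return {row id: sorted reasons} for layout updates that need review."""
    findings = {}
    for row_id, handle, xml_text in rows:
        reasons = set()
        for s in strings_in(xml_text):
            if ASSERT_NS.search(s):
                reasons.add("references Assert namespace")
            if SED_CALL.search(s):
                reasons.add("contains sed invocation")
        if reasons and handle.startswith("checkout_cart"):
            reasons.add("bound to checkout cart handle")
        if reasons:
            findings[row_id] = sorted(reasons)
    return findings

# Constructed, non-functional sample rows: (id, handle, xml).
SAMPLE_ROWS = [
    (1, "cms_index_index", '<block class="Magento\\Cms\\Block\\Block" name="promo"/>'),
    (2, "checkout_cart_index", '<block name="placeholder"><arguments>'
     '<argument name="a" xsi:type="string">Assert\\Assertion</argument>'
     '<argument name="b" xsi:type="string">sed -i PLACEHOLDER</argument>'
     '</arguments></block>'),
    (3, "default", '<block class="Assert\\Assertion"'),  # malformed on purpose
]

for row_id, reasons in scan_rows(SAMPLE_ROWS).items():
    print(row_id, "; ".join(reasons))
```

A hit is a prompt for manual review of that row, not proof of compromise; a clean result does not rule out other injection points.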
The development comes as the Russian government has charged six people for using skimmer malware to steal credit card and payment information from foreign e-commerce stores since at least late 2017.
The suspects are Denis Priymachenko, Alexander Aseyev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev. Recorded Future News reported that the arrests were made a year ago, citing court documents.
“As a result, members of the hacker group illegally took possession of data about virtually 160 thousand payment cards of foreign citizens, after which they bought them through shadow internet sites,” the Prosecutor General’s Office of the Russian Federation said.
Some parts of this article are sourced from:
thehackernews.com