Researchers issued a warning of a campaign targeting the CVE-2022-24086 vulnerability in Magento 2, an open source e-commerce platform owned by Adobe.
In February 2022, Adobe rolled out security updates to address the critical CVE-2022-24086 flaw (CVSS score 9.8) affecting its Commerce and Magento Open Source products; at that time the flaw was already being actively exploited in the wild.
The flaw is an improper input validation vulnerability that could be exploited by threat actors with administrative privileges to achieve arbitrary code execution on vulnerable systems.
Now a new wave of attacks is targeting the Magento 2 vulnerability, with three attack patterns detailed by the researchers.
The first attack pattern starts with the creation of a new customer account and the placement of an order on the vulnerable system. The attackers put malicious template code in the first and last name fields used to place the order.
On execution, the code downloads a Linux executable called “223sam.jpg” and launches it as a background process named cli, which is a RAT. The malware runs in memory, creates a state file named lg000, then polls a remote server hosted in Bulgaria for commands.
The second variant of the attack injects the health_check.php backdoor. The attacker places an order containing a specific template code in the VAT field. The code creates the file “pub/media/health_check.php”, which accepts commands via POST requests.
The third variation of the attack replaces generated/code/Magento/Framework/App/FrontController/Interceptor.php with a tainted version.
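A triage script for site operators, added here as an example and not part of Sansec's research or tooling, that covers the three patterns above: template directives in customer name and VAT fields (variants one and two), the dropped health_check.php backdoor (variant two) and a modified Interceptor.php (variant three). It assumes the Magento 2 document root is passed as `root`, that the operator supplies a known-good SHA-256 of Interceptor.php (a placeholder here), and that customer records arrive as dicts with `entity_id`, `firstname`, `lastname` and `taxvat` keys; the customer records and directive strings below are constructed samples.

```python
"""Triage checks for the three Magento 2 attack patterns described in the article.

Added example, not Sansec's code. Assumptions: `root` is the Magento 2 document root,
the Interceptor.php baseline hash comes from the operator, and customer records are
dicts with entity_id/firstname/lastname/taxvat keys.
"""
import hashlib
import re
from pathlib import Path

# Magento template directives have the form {{var ...}}, {{block ...}}, {{config ...}}.
# Assumption: no legitimate customer name or VAT number contains such a directive.
TEMPLATE_DIRECTIVE = re.compile(r"\{\{\s*[a-zA-Z_]+")

# Paths named in the article (relative to the Magento 2 document root).
BACKDOOR_PATH = "pub/media/health_check.php"
INTERCEPTOR_PATH = "generated/code/Magento/Framework/App/FrontController/Interceptor.php"


def suspicious_customer_fields(records):
    """Return (entity_id, field) for every name or VAT field carrying a template directive."""
    hits = []
    for rec in records:
        for field in ("firstname", "lastname", "taxvat"):
            if TEMPLATE_DIRECTIVE.search(rec.get(field) or ""):
                hits.append((rec["entity_id"], field))
    return hits


def check_webroot(root, interceptor_baseline_sha256):
    """Return findings for the dropped backdoor and for an Interceptor.php whose hash differs from baseline."""
    root = Path(root)
    findings = []
    if (root / BACKDOOR_PATH).exists():
        findings.append(f"backdoor present: {BACKDOOR_PATH}")
    interceptor = root / INTERCEPTOR_PATH
    if interceptor.exists():
        digest = hashlib.sha256(interceptor.read_bytes()).hexdigest()
        if digest != interceptor_baseline_sha256:
            findings.append(f"{INTERCEPTOR_PATH} hash {digest[:12]}... differs from baseline")
    return findings


# Constructed sample records: one benign, one with a directive in the last name (variant one),
# one with a directive in the VAT field (variant two).
SAMPLE_CUSTOMERS = [
    {"entity_id": 1, "firstname": "Ada", "lastname": "Lovelace", "taxvat": "DE123456789"},
    {"entity_id": 2, "firstname": "Bob", "lastname": "{{var foo}}", "taxvat": ""},
    {"entity_id": 3, "firstname": "Eve", "lastname": "Smith", "taxvat": "{{block id='bar'}}"},
]

if __name__ == "__main__":
    print(suspicious_customer_fields(SAMPLE_CUSTOMERS))
    # Replace the placeholder with the SHA-256 of Interceptor.php from a clean install.
    print(check_webroot("/var/www/magento2", "<known-good-sha256-placeholder>"))
```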
Magento 2 site admins are advised to upgrade their software to the latest version.
This research was documented by researchers from the security firm Sansec.