- The PolyShell vulnerability in Magento Open Source and Adobe Commerce is being mass-exploited and has hit more than half of vulnerable stores
- Attackers are deploying a novel WebRTC-based credit card skimmer to bypass security controls
- Mass exploitation has been observed since March 19, including against high-value e-commerce sites
PolyShell, a vulnerability recently discovered in certain installations of Magento Open Source and Adobe Commerce, is now being actively used in attacks against a large number of websites, researchers warn.
The vulnerability affects installations of the 2.x branch of both products and allows threat actors to execute malicious code without authentication and take over user accounts.
Adobe had patched it, but at the time the fix was only available in the second alpha release of version 2.4.9, so stores running production releases were still vulnerable.
Targeting a $100 billion company
At the time, Sansec security researchers advised website administrators to restrict access to the pub/media/custom_options/ folder, verify that the nginx or Apache rules preventing access to it are in place, and scan their stores for uploaded malware and backdoors.
They also said there was initially no evidence of abuse in the wild, but emphasized that an exploitation method was “already circulating.”
That warning has now been borne out: Sansec says more than half of all vulnerable stores have been attacked.
“The massive PolyShell exploit began on March 19 and Sansec has found PolyShell attacks on 56.7% of all vulnerable stores,” Sansec said, without giving a raw number of targeted sites.
In some of the attacks, the threat actors deployed a credit card skimmer that had not been seen before. It uses Web Real-Time Communication (WebRTC) to exfiltrate stolen data, a fairly novel approach. As BleepingComputer explained, WebRTC carries traffic over DTLS-encrypted UDP instead of HTTP, which lets it slip past security controls “even on sites with strict Content Security Policy (CSP) controls like ‘connect-src’.”
The skimmer is written in JavaScript and connects to a command-and-control (C2) server over an encrypted channel, from which it receives a second-stage payload. It was first seen on an e-commerce website belonging to an automaker valued at more than $100 billion.
Via BleepingComputer