E-commerce sites that use Adobe’s Magento 2 software have been targeted by an ongoing attack campaign since at least January 2023. The attacks, dubbed Xurum by Akamai, exploit a critical security vulnerability (CVE-2022-24086) in Magento 2 that could allow attackers to execute arbitrary code.

The attackers behind the Xurum campaign are believed to be of Russian origin. They have shown particular interest in the payment statistics from orders placed within the past 10 days on the victim’s Magento store. Some of the targeted sites were also found to contain simple JavaScript-based skimmers, which harvest credit card details and send them to a remote server.

The Xurum attack chain typically begins with the attacker exploiting the CVE-2022-24086 vulnerability to gain initial access to the victim’s Magento site. Once they have access, the attackers deploy a web shell called wso-ng. This web shell disguises itself as a Google Shopping Ads component and can be used to steal sensitive information, such as credit card numbers and passwords.

The attackers also create a rogue admin user. This is done to make it appear as if the attack was carried out by a legitimate Magento user.

The wso-ng web shell is a capable tool in the attacker’s hands. Beyond stealing sensitive information, it can be used to install additional malware, modify files on the server, and take control of the victim’s host.

The Xurum attack campaign is a reminder of the importance of keeping Magento sites up to date with the latest security patches. If you are using Magento 2, it is important to install the security patch for CVE-2022-24086 as soon as possible. You should also monitor your site for signs of infection, such as unusual traffic patterns or changes in the website’s behavior.
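Two of the signs of infection mentioned above, a rogue admin account and a web shell dropped into the site, can be audited with a short script. The example below is added here and is not code from the page or from Akamai; the admin rows and file paths are constructed samples, and the assumption that PHP files should never appear under Magento’s upload and static directories reflects a default layout.

```python
import re
from datetime import datetime

# Constructed sample rows as (username, created timestamp, is_active).
# A real audit would read these from Magento's admin_user table.
ADMIN_USERS = [
    ("admin", "2021-03-02 09:15:00", 1),
    ("shop_manager", "2022-11-20 14:02:11", 1),
    ("support_gs_ads", "2023-02-14 03:27:45", 1),  # not on the allowlist, created recently
    ("old_contractor", "2023-03-01 10:00:00", 0),  # inactive, so not reported
]
KNOWN_ADMINS = {"admin", "shop_manager"}

# Constructed sample of paths from a web-root listing.
WEB_ROOT_FILES = [
    "pub/index.php",
    "pub/media/catalog/product/cache/abc.jpg",
    "pub/media/wysiwyg/ads.php",
    "var/log/system.log",
    "app/code/Vendor/Module/Controller/Index.php",
]

# Directories that hold uploaded or generated content only (assumption: default
# Magento 2 layout). Executable PHP under them is a classic web-shell drop spot.
UPLOAD_DIRS = ("pub/media/", "pub/static/", "var/")


def rogue_admins(users, allowlist, since):
    """Return active admin usernames not on the allowlist and created on/after `since`."""
    cutoff = datetime.fromisoformat(since)
    return [
        user for user, created, active in users
        if active and user not in allowlist and datetime.fromisoformat(created) >= cutoff
    ]


def php_in_upload_dirs(paths):
    """Return PHP-executable files located under directories that should never hold code."""
    php = re.compile(r"\.(php|phtml|phar)$", re.IGNORECASE)
    return [p for p in paths if p.startswith(UPLOAD_DIRS) and php.search(p)]


if __name__ == "__main__":
    print("Unexpected admin accounts:", rogue_admins(ADMIN_USERS, KNOWN_ADMINS, "2023-01-01"))
    print("PHP in upload directories:", php_in_upload_dirs(WEB_ROOT_FILES))
```

Run it against a real `admin_user` export and a `find`-style file listing; any hit warrants a closer look rather than an automatic verdict, since legitimate extensions occasionally misplace files.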
