- PolyShell vulnerability in Magento Open Source and Adobe Commerce is being mass exploited, with attacks seen on more than half of vulnerable stores
- Attackers are deploying a new credit card skimmer that exfiltrates data over WebRTC to evade browser-side security controls
- Mass exploitation has been under way since March 19 and has hit high-value e-commerce sites, including a carmaker's store
PolyShell, a recently discovered vulnerability in certain Magento Open Source and Adobe Commerce installations, is now being actively used in attacks against a wide range of websites, researchers warn.
The flaw affects stable 2.x releases of both products and lets an unauthenticated attacker execute malicious code on the server and take over user accounts.
Adobe fixed it, but at the time the fix shipped only in the second alpha release of version 2.4.9, so the stable releases that stores actually run in production remained vulnerable.
The target is a $100 billion company
At the time, e-commerce security firm Sansec advised site administrators to block web access to the pub/media/custom_options/ directory, verify that the nginx or Apache rules actually deny requests to it, and scan stores for uploaded malware and backdoors.
They also said there was initially no evidence of abuse in the wild, but stressed that an exploit method was “already circulating”.
That prediction has now been borne out: Sansec says more than half of all vulnerable stores have been attacked.
“Mass exploitation of PolyShell started on March 19, and Sansec has now found PolyShell attacks on 56.7% of all vulnerable stores,” Sansec said, without putting an absolute number on the affected sites.
In some of the attacks, the threat actors deployed a credit card skimmer that had not been seen before. It uses Web Real-Time Communication (WebRTC) to exfiltrate the stolen data, a fairly new approach. As BleepingComputer explained, WebRTC traffic travels over DTLS-encrypted UDP rather than HTTP, so it slips past controls that watch HTTP connections “even on sites with strict Content Security Policy (CSP) checks like ‘connect-src’.” The reason is that connect-src only governs fetch, XMLHttpRequest, WebSocket, EventSource and beacon destinations; RTCPeerConnection traffic is outside its scope, and only the separate CSP Level 3 directive webrtc 'block' turns it off (browsers that do not implement that directive ignore it).
Built in JavaScript, the skimmer connects to a hardcoded command-and-control (C2) server from which it receives a second-stage payload. It was first seen on the e-commerce site of a carmaker valued at over $100 billion.
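The two pieces of practical advice above, blocking the custom_options upload path and understanding what a CSP does and does not cover, are combined in the following added example. It is not code from Sansec, Adobe or the article. It assumes, as Magento's shipped nginx.conf.sample does, that the web root is pub/, so the upload directory is served at /media/custom_options/; it also assumes an operator has placed an empty canary file in that directory by hand so the deny rule can be tested from outside. Function names are illustrative.

```shell
#!/bin/sh
# Added example (not code from Sansec, Adobe or the article): the deny rules
# Sansec's advice calls for, plus two checks a store operator can run.
# Assumptions (not stated on the page): web root is pub/, as in Magento's
# nginx.conf.sample, so the upload directory is reachable at
# /media/custom_options/; a canary file has been created there by hand.

# nginx: deny every request under the upload directory. Without this rule
# a file an attacker managed to write there can be requested directly.
nginx_deny_rule() {
  cat <<'EOF'
# inside the server {} block that serves the Magento store
location ~* ^/media/custom_options/ {
    deny all;
}
EOF
}

# Apache: the equivalent rule as a .htaccess dropped into the directory
# itself (needs AllowOverride; otherwise put the same directive in a
# <Directory> block of the vhost configuration).
apache_deny_rule() {
  cat <<'EOF'
# pub/media/custom_options/.htaccess
Require all denied
EOF
}

# Check 1: does the live store still serve files from the upload directory?
# Create an empty canary on the server first:
#   touch pub/media/custom_options/canary.txt
# A working deny rule answers 403; a 200 means the rule is missing or is
# shadowed by an earlier location block. Returns 0 when the path is blocked.
custom_options_blocked() {
  store="$1"
  code=$(curl -s -o /dev/null -w '%{http_code}' \
           "$store/media/custom_options/canary.txt")
  [ "$code" = "403" ]
}

# Check 2: does the CSP actually cover WebRTC? connect-src restricts
# fetch/XHR/WebSocket/beacon destinations but not RTCPeerConnection traffic;
# only the CSP3 directive `webrtc 'block'` does. Takes the header value(s)
# as one string (several headers may be joined with ',' or ';') and returns
# 0 when the directive is present.
csp_blocks_webrtc() {
  printf '%s' "$1" | tr ',' ';' | tr -s ' ' \
    | grep -qiE "(^|;) *webrtc +'block' *(;|$)"
}

# Fetch the CSP header(s) of a live page and run check 2 on them.
store_csp_blocks_webrtc() {
  hdr=$(curl -sI "$1" | grep -i '^content-security-policy:' \
          | sed 's/^[^:]*: *//' | tr -d '\r' | tr '\n' ';')
  csp_blocks_webrtc "$hdr"
}

# Print both rules when invoked as:  sh harden_custom_options.sh rules
if [ "${1:-}" = "rules" ]; then
  nginx_deny_rule
  apache_deny_rule
fi
```

Run the two live checks against a staging copy first (`custom_options_blocked https://store.example` and `store_csp_blocks_webrtc https://store.example/checkout`); both network calls are the operator's own requests to the operator's own store. Note that blocking WebRTC site-wide can break legitimate chat or call widgets, so test the checkout flow after adding the directive.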
Via Bleeping Computer