Thousands of Magento websites compromised to serve malware


Security experts have discovered that thousands of websites running eBay's Magento e-commerce platform have been compromised and used to deliver malware.

Researchers at Sucuri uncovered a malware campaign targeting a large number of websites running the eBay Magento e-commerce platform. The same campaign was also monitored by researchers at Malwarebytes, who focused their analysis on the client side.

According to the experts, the attackers compromised websites running Magento and injected malicious scripts that created iframes pointing to the "guruincsite.com" domain.

The threat actors compromised Magento installations by exploiting a zero-day directory traversal flaw in the third-party mass importer tool Magmi.

The guruincsite domain is already known to security firms: according to Google Safe Browsing, it has been used to infect more than 8,000 domains. The domain was also used to host a Neutrino exploit kit that served malware.

“The name ‘guruincsite‘ was also familiar to us because it happened to be part of the redirection infrastructure in our ‘neitrino‘ campaign. It turned out that this was the same attack Sucuri was seeing on the server side as what we were seeing on the client side via web exploits.” states the blog post published by Malwarebytes.

The specific campaign uncovered by the experts relies on the Neutrino Exploit Kit to deliver the Andromeda/Gamarue malware by exploiting a Flash Player vulnerability.

Neutrino exploit kit on guruincsite Magento campaign

Denis Sinegubko from Sucuri explained that Magento website administrators can discover the infection by checking the design/footer/absolute_footer entry in the core_config_data table.

“The malware is usually injected in the design/footer/absolute_footer entry of the core_config_data table, but we suggest scanning the whole database for code like “function LCWEHH(XHFER1){XHFER1=XHFER1” or the “guruincsite” domain name.” states the blog post from Sucuri.
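The two checks Sucuri describes (look at the absolute_footer entry, then sweep the whole core_config_data table for the indicator strings) can be scripted. The following is an added example written for this article, not code from Sucuri or the Magento project. It assumes the Magento 1.x column layout for core_config_data (config_id, scope, scope_id, path, value) and uses an in-memory SQLite table with constructed rows as an offline stand-in for the store's MySQL database; the SELECT statements themselves run unchanged against MySQL. Row 2 of the sample data imitates an injected footer and is the only row that should be flagged.

```python
"""Scan a Magento 1.x core_config_data table for the guruincsite indicators."""
import sqlite3
from typing import Iterable, List, Tuple

# Indicator strings quoted from the Sucuri advisory.
INDICATORS: Tuple[str, ...] = (
    "guruincsite",
    "function LCWEHH(XHFER1){XHFER1=XHFER1",
)

FOOTER_PATH = "design/footer/absolute_footer"

# Constructed sample rows (not real data). Column layout is an assumption
# based on the Magento 1 schema: config_id, scope, scope_id, path, value.
# Row 2 imitates an injected footer; every other row is benign.
SAMPLE_ROWS = [
    (1, "default", 0, "design/footer/copyright", "&copy; 2015 Example Store"),
    (2, "default", 0, FOOTER_PATH,
     "<script>function LCWEHH(XHFER1){XHFER1=XHFER1;return XHFER1}</script>"
     '<iframe src="//guruincsite.com/" width="1" height="1"></iframe>'),
    (3, "stores", 1, FOOTER_PATH, "<!-- store 1 footer: nothing injected -->"),
    (4, "default", 0, "web/unsecure/base_url", "http://shop.example.test/"),
    (5, "default", 0, "design/head/includes",
     '<script src="/js/custom/function_helper.js"></script>'),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory table holding the constructed rows (MySQL stand-in)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE core_config_data ("
        "config_id INTEGER PRIMARY KEY, scope TEXT, scope_id INTEGER, "
        "path TEXT, value TEXT)"
    )
    conn.executemany("INSERT INTO core_config_data VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def absolute_footer_entries(conn: sqlite3.Connection) -> List[Tuple[str, int, str]]:
    """Quick check from the article: the absolute_footer value for every scope."""
    cur = conn.execute(
        "SELECT scope, scope_id, value FROM core_config_data WHERE path = ? "
        "ORDER BY config_id",
        (FOOTER_PATH,),
    )
    return cur.fetchall()


def scan_config_table(
    conn: sqlite3.Connection, indicators: Iterable[str] = INDICATORS
) -> List[Tuple[int, str, List[str]]]:
    """Broader check: every row whose value contains any indicator string.

    Returns (config_id, path, [matched indicators]) per hit. Each indicator
    becomes a parameterised LIKE clause, so indicator text is never spliced
    into the SQL string itself.
    """
    indicators = tuple(indicators)
    if not indicators:
        return []
    where = " OR ".join("value LIKE ?" for _ in indicators)
    params = ["%" + ind + "%" for ind in indicators]
    cur = conn.execute(
        f"SELECT config_id, path, value FROM core_config_data WHERE {where} "
        "ORDER BY config_id",
        params,
    )
    hits = []
    for config_id, path, value in cur.fetchall():
        # Re-check in Python to report exactly which indicators matched.
        matched = [ind for ind in indicators if ind.lower() in value.lower()]
        hits.append((config_id, path, matched))
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    for scope, scope_id, value in absolute_footer_entries(db):
        print(f"{FOOTER_PATH} [{scope}/{scope_id}]: {value[:60]!r}")
    for config_id, path, matched in scan_config_table(db):
        print(f"HIT config_id={config_id} path={path} indicators={matched}")
```

Against a live store, point `scan_config_table` at a connection to the real database (or run the same SELECT with a MySQL client); the whole-table sweep matters because the advisory notes the footer entry is only the usual location, not the only one.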

The Magento e-commerce platform is a privileged target for cybercriminals: in April, experts at Sucuri reported another malicious campaign that was exploiting a flaw within 24 hours of its disclosure.

In June, the researchers from Sucuri discovered malicious code used by criminals to siphon payment card data from websites based on the Magento e-commerce platform.

Pierluigi Paganini

(Security Affairs –  Magento, cybercrime)