Security Vulnerability in Magento Ecommerce Exposes Thousands of Stores

A significant cybersecurity breach has exposed Magento-powered online stores to a large-scale supply chain cyberattack. The vulnerability, found by researchers at Sansec, was hidden in e-commerce software used by thousands of merchants. Although the backdoors were introduced over six years ago, they were only recently activated, allowing hackers to take full control of affected websites. Currently, between 500 and 1,000 online stores are potentially running the backdoored software.

A supply chain cyberattack is a cyberattack where hackers compromise a software vendor’s system, rather than targeting individual stores. Once attackers gain access to the vendors’ systems, they’re able to inject malicious code into the software packages, which are distributed to the stores that relied on these tools.

Magento is an open-source ecommerce platform by Adobe, widely used by businesses (including medium and large-scale ones) to build and manage online stores. It is known for its flexibility, its range of tools and extensions, and its scalability. With so many e-commerce stores relying on Magento, any vulnerability in the platform or its extensions could affect thousands of stores globally.

In this instance, hackers successfully planted backdoor malware in several popular Magento extensions used by online stores. The compromised code was introduced between 2019 and 2022 but remained dormant until recently, when attackers began exploiting it.

Which Extensions Are Affected?

The malware was found in several widely-used Magento extensions, including those that handle critical e-commerce functions such as shopping carts, product comparisons, and customer engagement. The affected extensions include:

  • Tigren: Extensions for Ajax shopping carts, product comparison tools, and wishlists
  • Meetanshi: Extensions for cookie notices, currency switches, and other customer-facing tools
  • MGS (Magesolution): Extensions for product tabs, blogs, delivery times, and more
  • Weltpixel: A Google Tag Manager extension (although it’s unclear if this particular extension was fully compromised)

These extensions are used by thousands of Magento-powered stores worldwide, meaning the breach could potentially impact a significant portion of the e-commerce online store community.

How Does It Work?

The malware found is hidden in files named “License.php” or “LicenseApi.php”, which are typically used to verify the validity of a store’s software license. These files, however, were altered to allow attackers to remotely execute malicious PHP code and gain unrestricted access to the store’s backend.

In older versions of the software, the attackers didn’t need authentication to activate the backdoor. In more recent versions, a secret key was required, but the attackers were able to obtain it. Once activated, the malware gave hackers complete control over the store’s backend, allowing them to steal data, manipulate orders, and potentially compromise customer information.

If you’re a Magento store owner or webmaster using these or similar extensions, review your site and:

  • Check for Malicious Files: Look for License.php, LicenseApi.php or similar files in your store’s backend. These are the files where the backdoor resides.
  • Run Security Scans: Use security tools like Sansec’s eComscan or Sucuri, which are designed to detect specific vulnerabilities in Magento-based sites.
  • Update Your Extensions: Ensure that all Magento extensions are up-to-date. Many updates include important security patches that can help protect your store from future attacks.
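The “How Does It Work?” section and the first checklist item above describe backdoors that live in files named License.php or LicenseApi.php and let request data reach PHP code execution. The script below is an added example (not Sansec’s eComscan, not code from any of the named extensions) showing how a store owner could triage such files before reading them by hand: it walks app/code and vendor, lists every License.php / LicenseApi.php for review, and raises the finding to “high” when the file both reads request superglobals and calls a code-execution primitive. The miniature Magento tree it scans is constructed inside the script; the vendor and module names in it are placeholders.

```python
import re
import tempfile
from pathlib import Path

# File names the article associates with the backdoor.
SUSPECT_NAMES = {"License.php", "LicenseApi.php"}

# PHP constructs a license check has no business calling.
# This is a heuristic, not a signature: a hit means "inspect by hand".
RISKY_CALLS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)\s*\(",
    re.IGNORECASE,
)
# Request superglobals that would let attacker-supplied data reach those calls.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")

# Constructed sample: an ordinary license helper that only compares a stored key.
BENIGN_LICENSE = """<?php
class License {
    private $stored = 'placeholder-key';
    public function isValid($key) { return hash_equals($this->stored, $key); }
}
"""

# Constructed sample with the shape the article describes: request data flows
# straight into eval(). Placeholder content, not any real extension's code.
SUSPICIOUS_LICENSE = """<?php
class LicenseApi {
    public function check() { eval($_POST['licKey']); }
}
"""


def build_sample_tree():
    """Create a throwaway miniature Magento layout (app/code + vendor) for the demo."""
    root = Path(tempfile.mkdtemp(prefix="magento-demo-"))
    benign = root / "app/code/DemoVendor/Cart/Helper/License.php"
    suspicious = root / "vendor/demovendor/module-compare/Model/LicenseApi.php"
    for path, body in ((benign, BENIGN_LICENSE), (suspicious, SUSPICIOUS_LICENSE)):
        path.parent.mkdir(parents=True)
        path.write_text(body)
    return root


def scan_license_files(root):
    """Report every License.php / LicenseApi.php under app/code and vendor.

    Each finding carries a risk level: "review" for any such file, "high"
    when the file reads request input and calls a code-execution primitive.
    """
    root = Path(root)
    findings = []
    for base in ("app/code", "vendor"):
        base_dir = root / base
        if not base_dir.is_dir():
            continue
        for path in sorted(base_dir.rglob("*.php")):
            if path.name not in SUSPECT_NAMES:
                continue
            text = path.read_text(errors="replace")
            calls = sorted({m.group(1).lower() for m in RISKY_CALLS.finditer(text)})
            uses_input = REQUEST_INPUT.search(text) is not None
            risk = "high" if (calls and uses_input) else "review"
            findings.append({
                "path": str(path.relative_to(root)),
                "risk": risk,
                "calls": calls,
            })
    return findings


if __name__ == "__main__":
    # Point scan_license_files() at a real Magento root to triage a live store.
    for finding in scan_license_files(build_sample_tree()):
        print(finding["risk"].upper(), finding["path"], ", ".join(finding["calls"]) or "-")
```

A “review” hit is not proof of compromise: legitimate license helpers exist, which is why the script separates “this file is worth reading” from “this file has the two ingredients of a remote code execution backdoor”. Treat any “high” result as an incident and compare the file against the extension vendor’s pristine release before trusting the store again.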

For detailed information, including the specific affected versions and ongoing updates, you can visit Sansec’s official post here.

This recent ecommerce security breach is a reminder of the risks associated with third-party extensions. As cyberattacks continue to evolve, online stores need to stay proactive about securing their platforms and dependencies. By keeping software up-to-date, running regular security scans, and taking swift action if an issue arises, you can protect your store from similar threats in the future.

