Newly discovered utility provides way to plant backdoors in e-commerce back end systems
UPDATED Security researchers have discovered a post-compromise tool that enables attackers to view orders, gain administrative access, and create additional backdoors on Magento-powered websites.
Called ‘Forbidden’, the tool is also effective at concealing telltale indicators of compromise, according to a blog post by web security company Sucuri.
Forbidden can be used in both Magento 1 and Magento 2 environments, the older of which reached its end of life on June 30.
Luke Leal, a malware researcher at Sucuri, said malicious hackers have been busy developing post-compromise tools in the knowledge that “websites are straggling with their Magento migrations”.
A recent scan of around 240,000 Magento merchants around the world by cybersecurity firm Foregenix found that nearly 200,000 e-commerce websites have yet to migrate to Magento 2.
Published on August 24 the scan results (PDF) also revealed that 94% of Magento 1 installations, and 46% of Magento 2 builds, have either already been hacked or pose a ‘high’ risk of being compromised because of unaddressed security shortcomings.
Forbidden “allows an attacker to quickly perform a number of malicious functions including adding an admin user, modifying existing users, viewing orders, dumping the website’s configuration data, and removing itself once the attacker is finished with it,” explains Leal.
The dump function allows the attacker to rapidly acquire the configuration file and database configuration information such as admin username, email address, and the password hash. Attackers can also access the encryption key used by Magento for encrypting store data.
“It requires little technical skill to actually use [the tool] as the PHP code does the SQL queries and version detection,” Leal tells The Daily Swig. “All the user has to do is input or click HTML elements.
“From time to time we will come across Magento malware like this that has a loadable HTML UI and [is] very simplified, but this is the first malware sample we have seen that also uses the version detection.”
Benjamin Hosack, co-founder and director at Foregenix, told The Daily Swig that “this malware code has been in operation since at least as early as March last year, with various different names. No doubt different derivatives of it are being used widely though.”
Concealing indicators of compromise
In the blog post, he says that “it’s in an attacker’s best interest to maintain unauthorized access to the site’s environment for as long as possible, and backdoor tools such as these help them exploit a website’s resources, evade detection, and conceal indicators of compromise.”
He discovered Forbidden via a backdoor “found on a compromised Magento website using version 1.9.x,” he tells The Daily Swig. “The website was in the process of migrating” to Magento 2, “so it’s possible the attacker is aware of this and created the backdoor to try and maintain unauthorized access through the migration.”
He also says in the blog post: “This tool also facilitates the creation of malicious users, essentially creating other backdoors on the website’s environment.”
A proactive approach to security is therefore imperative.
“Finding and removing website backdoors is not an easy task,” he explains. “The best way to mitigate risk of having a backdoor planted in your Magento environment is to harden your environment to protect against compromise in the first place.”
Of the Magento websites scanned by Foregenix, 271 sites were infected with malicious code loaders, while 167 had payment card skimmer malware installed. Of those infected by card harvesting malware, 79.9% were running Magento 1 and 20.1% were powered by Magento 2.
At current migration rates, attackers will have plenty of Magento 1 sites to target for some time to come. The Daily Swig reported on July 15 that around 201,000 environments were still running Magento 1, only marginally down from 206,000 on May 27.
The malicious code deployed by Forbidden differs depending on the release line installed.
Optimizing attacks to the relevant version “is especially important when Forbidden needs to run SQL queries on the Magento database – for example, when adding a malicious admin user the tool uses an if/else statement based on the value of $isM2 (whether it’s Magento 1 or 2),” says Leal.
The tool determines which Magento version a website is running by checking the Magento configuration file.
This article was updated on August 29 with comments from Luke Leal of Sucuri, and on September 2 with comments from Foregenix