CyberWire Daily - Behind the Google shopping ad masks. [Research Saturday]
Episode Date: September 23, 2023

Maxim Zavodchik from Akamai joins Dave to discuss their research on "Xurum: New Magento Campaign Discovered." Akamai researchers have discovered an ongoing server-side template injection campaign that... is exploiting digital commerce websites. This campaign targets Magento 2 shops, and was dubbed Xurum in reference to the domain name of the attacker's command and control (C2) server. The research states: "The attacker uses an advanced web shell named 'wso-ng' that is activated only when the attacker sends the cookie 'magemojo000' to the backdoor 'GoogleShoppingAds' component." The research can be found here: Xurum: New Magento Campaign Discovered
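The two indicators the show notes and the interview single out are easy to hunt for: the GoogleShoppingAds component that stays silent until a request carries the magemojo000 cookie, and the backdoor admin accounts named after Magento extension stores that Zavodchik recommends catching with a daily review of admin users. The script below is an added example written for this page, not Akamai's tooling or anything from the Xurum research; the JSON-lines access-log layout, the field names, the assumed front-name path /googleshoppingads/ and every sample record are constructed assumptions for illustration.

```python
"""Offline hunt for Xurum-style indicators (added example, not Akamai's code).

Assumptions (constructed for this example): access logs are exported as JSON
lines with ts/src/method/path/status/bytes/cookie fields, and admin accounts are
exported from Magento's admin_user table as username/created rows.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# From the research: the backdoor lives in a component named GoogleShoppingAds
# and only acts when the request carries a cookie named magemojo000.
BACKDOOR_COOKIE = "magemojo000"
# Assumed front-name routing for the rogue module (Magento lower-cases front names).
BACKDOOR_PATH = re.compile(r"/googleshoppingads(/|$)", re.IGNORECASE)
# Admin usernames the research says the attacker created (compared case-insensitively).
BACKDOOR_ADMINS = {"mageplaza", "mageworks"}


def cookie_names(cookie_header):
    """Return the lower-cased set of cookie names in a Cookie request header."""
    names = set()
    for part in (cookie_header or "").split(";"):
        name = part.split("=", 1)[0].strip()
        if name:
            names.add(name.lower())
    return names


def classify_request(rec):
    """Classify one access-log record; returns 'high', 'medium', 'low' or None."""
    hits_path = bool(BACKDOOR_PATH.search(rec.get("path", "")))
    has_cookie = BACKDOOR_COOKIE in cookie_names(rec.get("cookie"))
    if hits_path and has_cookie:
        return "high"    # web shell activation exactly as the research describes
    if has_cookie:
        return "medium"  # bespoke cookie on some other path: attacker tooling or a variant
    if hits_path and rec.get("bytes", 0) == 0:
        return "low"     # empty reply from the hidden component: a probe without the cookie
    return None


def scan_access_log(text):
    """Parse JSON-lines records and return [(severity, src, path)] for every hit."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        severity = classify_request(rec)
        if severity:
            findings.append((severity, rec.get("src"), rec.get("path")))
    return findings


def _parse_ts(value):
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_suspicious_admins(rows, now, max_age=timedelta(days=1)):
    """Daily admin_user review: flag known backdoor names and any account newer than max_age."""
    flagged = []
    for row in rows:
        reasons = []
        if row["username"].lower() in BACKDOOR_ADMINS:
            reasons.append("name matches Xurum backdoor user")
        if now - _parse_ts(row["created"]) <= max_age:
            reasons.append("created within review window")
        if reasons:
            flagged.append((row["username"], reasons))
    return flagged


# Constructed sample data: one probe, one activation, one benign request,
# and the cookie showing up on an unrelated path.
SAMPLE_LOG = """\
{"ts": "2023-08-10T12:00:01Z", "src": "203.0.113.7", "method": "GET", "path": "/googleshoppingads/", "status": 200, "bytes": 0, "cookie": "PHPSESSID=abc123"}
{"ts": "2023-08-10T12:00:09Z", "src": "203.0.113.7", "method": "POST", "path": "/googleshoppingads/index/index/", "status": 200, "bytes": 18422, "cookie": "magemojo000=1; PHPSESSID=abc123"}
{"ts": "2023-08-10T12:01:00Z", "src": "198.51.100.20", "method": "GET", "path": "/catalog/product/view/id/42/", "status": 200, "bytes": 5012, "cookie": "PHPSESSID=zzz; form_key=foo"}
{"ts": "2023-08-10T12:02:00Z", "src": "198.51.100.21", "method": "GET", "path": "/checkout/cart/", "status": 200, "bytes": 7777, "cookie": "magemojo000=1"}
"""

# Constructed admin_user export; only the two backdoor names fall inside the window.
SAMPLE_ADMINS = [
    {"username": "storeadmin", "created": "2021-03-02T09:15:00Z"},
    {"username": "MagePlaza", "created": "2023-08-10T12:05:33Z"},
    {"username": "mageworks", "created": "2023-08-10T12:05:40Z"},
    {"username": "marketing", "created": "2023-08-09T08:00:00Z"},
]
NOW = datetime(2023, 8, 11, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print("request:", finding)
    for username, reasons in find_suspicious_admins(SAMPLE_ADMINS, NOW):
        print("admin:", username, "->", "; ".join(reasons))
```

The cookie is the tell-tale, not the response code: a request to the component without it returns an empty 200, so the low-severity rule keys on the empty body rather than on an error. The admin review deliberately flags every account created inside the window, not just the two known names, because the next campaign will pick different ones.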
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in our rapidly evolving cyberspace.
Thanks for joining us.
So as part of our daily threat research job,
we are analyzing the attack logs from traffic passing through Akamai.
In this case specifically, we were hunting for attacks targeting Magento e-commerce platforms.
That's Maxim Zavodchik. He's a threat research director at Akamai.
The research we're discussing today is titled Xurum: New Magento Campaign Discovered.
As we knew, it was a high-value target for different financially motivated cyber gangs in the past. So besides the regular opportunistic scans and commercial vulnerability scanner traffic that we've often seen in our logs, we have also noticed several well-obfuscated HTTP requests targeting some of our e-commerce customers.
Well, let's dig into some of the details here. I mean, who exactly do we suppose is behind this and what are they up to?
So while looking closer at the request payloads,
it was clear for us that there is a well-organized campaign going on.
Judging by the payload,
the attackers seem to have a higher level of sophistication and expertise than the common attackers that we see.
It's not clear who is behind this attack,
but definitely they possess a lot of Magento developer-level knowledge and were targeting specific businesses.
So for folks who may not be familiar, Magento
is an e-commerce platform or utility
to allow people to facilitate taking payments on their websites?
Yeah, Magento, owned now by Adobe, is a
popular e-commerce platform used by many high-traffic shops.
And Magento and other e-commerce platforms have been a high target in recent years for operations, or collections of groups, called Magecart.
Magecart specializes in skimming payment data from customers of online shopping cart systems, primarily Magento.
Well, let's dig into some of the details here.
I mean, how exactly is this group going after people who are using Magento?
Yeah, so actually that was interesting here.
So while looking closer at the request payloads,
it was clear for us that it's something going on here.
So the actual attack chain is initiated by trying to exploit the Magento CVE
discovered a year ago and executing obfuscated PHP code.
This code was just a bridgehead to fetch a bigger piece of PHP
from a server named Xurum.
And by the way, the name Xurum we picked for this campaign
is after this domain name.
So this PHP code has more obfuscated code,
which has different exploitation steps.
The first one was collecting technical information
on the Magento system,
such as Magento directories and other information,
and also the encryption key
used to secure sensitive customer data,
such as passwords and payment details.
But besides the technical information,
the attackers were also collecting payment methods information
used in the last 10 days
and exfiltrated those to the Xurum server.
After exfiltrating this information,
they were adding backdoor admin users
with the names MageWorks and MagePlaza,
which is interesting because those are very famous Magento extension stores,
meaning those threat actors are really familiar with the Magento ecosystem.
Once installing those backdoor users,
they were creating a Magento component named Google Shopping Ads,
trying to camouflage their intentions.
And this specific component was quite interesting
because it's not commonly how attackers deploy things.
So if someone will try to browse this component,
they will get an empty response, nothing.
But if you add a special cookie name,
such as MageMojo000,
it will fetch an advanced web shell from GitHub.
And that's also surprising because usually attackers
reuse different public web shells, but they maintain a copy of a web shell
on their own server, while in this case, we have seen
those attackers pointing to a GitHub repository.
And that has different advantages for the attackers.
So one of them is that it's harder to attribute
because it's a public service
rather than an infrastructure rented by the attackers.
Also, a malicious server that hosts the web shell
can quickly be taken down by the ISP
if you file an abuse report,
but it's impossible to take down the public GitHub repository.
And another advantage for attackers here
is that every time the attackers exploit a new target,
they fetch the up-to-date version of the web shell,
which includes all the recent enhancements done by the author.
Now, is this a case of them taking advantage of organizations who haven't kept up to date with the latest version of Magento?
Yeah, it's kind of unfortunate to see, right?
This vulnerability was discovered at least a year ago.
And we still see many threat actors trying to exploit this vulnerability.
And we did find some successful exploitations.
From some of the indirect information we had in the attack payloads,
we've seen a website infected with a web skimmer.
A web skimmer is, think about the digital version of the ATM skimmers that were deployed in the past,
where the attackers will infect a web page with malicious JavaScript that will pop up some credit card form
and ask for credit card information that is exfiltrated to the attackers' servers.
What are your recommendations for folks to make sure that they haven't been infected with
this, but also to prevent it? So I don't want to sound like a broken record, but the best way to
protect is always applying the latest patches on time. But I understand that businesses struggle
with this as the number of applications is growing every day and the environment becomes
more dynamic. It's really difficult to maintain your assets and understand the exact versions and
what are the vulnerabilities there. So I do believe security is in layers. So patching
is definitely the best solution, but that's hard. So other complementary methods could be
used, such as running daily routines on your database to see whether there are new admin users added, implementing different complementary methods like a web application firewall to prevent the initial access vector and the actual CVE exploitation, and also client-side inspections to detect skimmers on your website and get closer to the attacker's business model.
How do you rate the sophistication of this group?
Yeah, definitely those are not the common attackers.
Definitely they show higher level of expertise.
On the technical side, I would say while reading the malicious code,
one can clearly see they possess Magento developer-level knowledge
and are very familiar with the Magento internals,
like the Magento database structure and all the nuances of Magento add-ons.
The backdoor users, as I mentioned, that they name and create
are after well-known Magento extension stores,
MagePlaza and MageWorks, which shows
their familiarity with the Magento ecosystem. On the operations side, I think they also
stand out. And while many campaigns are spraying the internet with exploits, hoping something
will stick, those attackers are more patient and carefully picking their targets. I believe
that's what helped them to make this operation undetected for so long.
Do you have any sense for how widespread this is or what level of success they've had?
It's very difficult for me to tell the exact numbers here
because our customers seem to be successfully mitigating those vulnerabilities,
those exploit attempts.
But it seems like this campaign was very targeted,
so it's not clear how many targets, where the targets were,
and how they were profiling their targets.
When you look at the big picture here,
I mean, organizations like this
who are coming after these e-commerce platforms,
is that an area where we're seeing growth or are folks getting on top of this or are things staying the same? What's your sense?
to monetize on the digital assets, but also the defense technology advances
and provides more automation,
more insights to the defenders.
Our thanks to Maxim Zavodchik
from Akamai for joining us.
The research is titled Xurum: New Magento Campaign Discovered.
We'll have a link in the show notes.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Elliot Peltzman. Our executive editor is Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.