Ongoing Xurum Attacks on E-commerce Sites Exploiting Critical Magento 2 Vulnerability

E-commerce sites using Adobe’s Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023.

The attacks, dubbed Xurum by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution.

“The attacker seems to be interested in payment stats from the orders in the victim’s Magento store placed in the past 10 days,” Akamai researchers said in an analysis published last week, attributing the campaign to actors of Russian origin.

Some of the websites have also been observed to be infected with simple JavaScript-based skimmers that’s designed to collect credit card information and transmit it to a remote server. The exact scale of the campaign remains unclear.

In the attack chains observed by the company, CVE-2022-24086 is weaponized for initial access, subsequently exploiting the foothold to execute malicious PHP code that gathers information about the host and drops a web shell named wso-ng that masquerades as a Google Shopping Ads component.

Not only is the web shell backdoor run in memory, it also activated only when the attacker sends the cookie “magemojo000” in the HTTP request, after which information about the sales order payment methods in the past 10 days is accessed and exfiltrated.

The attacks culminate with the creation of a rogue admin user with the name “mageworx” (or “mageplaza”) in what appears to be a deliberate attempt to camouflage their actions as benign, for the two monikers refer to popular Magento 2 extension stores.

wso-ng is said to be an evolution of the WSO web shell, incorporating a new hidden login page to steal credentials entered by victims. It further integrates with legitimate tools like VirusTotal and SecurityTrails to glean the infected machine’s IP reputation and obtain details about other domains hosted on the same server.

Online shopping sites have been targeted for years by a class of attacks known as Magecart in which skimmer code is inserted into checkout pages with the goal of harvesting payment data entered by victims.

“The attackers have shown a meticulous approach, targeting specific Magento 2 instances rather than indiscriminately spraying their exploits across the internet,” the researchers said.

“They demonstrate a high level of expertise in Magento and invest considerable time in understanding its internals, setting up attack infrastructure, and testing their exploits on real targets.”