At least seven hacker organizations are responsible for a large increase in ‘TrojanOrders’ attacks against Magento 2 websites. The attacks exploit a vulnerability that allows threat actors to infect vulnerable servers.
Sansec, a website security firm, said that the assaults are targeting nearly 40% of Magento 2 websites, with hacker gangs battling for control of an affected site.
The trend is predicted to continue as we approach Christmas when internet retailers are at their most essential and vulnerable.
The TrojanOrders attack
The TrojanOrders attack is named after the major Magento 2 CVE-2022-24086 vulnerability. It allows unauthenticated attackers to execute code and inject RATs (remote access trojans) on unpatched websites.
Adobe patched CVE-2022-24086 in February 2022, although Sansec claims that many Magento sites are still vulnerable.
“Sansec estimates that at least one-third of all Magento and Adobe Commerce stores have not patched so far,” according to Sansec.
Hackers often create an account on the target website and place an order that contains malicious template code in the name, VAT, or other fields while performing TrojanOrders attacks.
For example, the attack will inject a copy of the site’s ‘health_check.php’ file that contains a PHP backdoor able to execute commands supplied via POST requests.
Once on the website, the attackers install a remote access Trojan to gain persistent access and the ability to carry out more complex actions.
Sansec observed attackers scanning for the presence of ‘health_check.php’ upon breach to identify whether another hacker had previously compromised the site and, if so, replacing the file with their own backdoor.
Why is there a Rise After a Long Time?
Analysts at Sansec think there are many causes for the increase in assaults targeting this vulnerability.
First, even 10 months after the update’s release, a huge percentage of Magento 2 sites remain vulnerable to these assaults.
Second, PoC (Proof of Concept) exploits have long been publicly available, allowing exploit kit developers to include them in their tools and profit by selling them to unskilled hackers.
Exploits for these Magento vulnerabilities are so plentiful that they can be purchased for as little as $2,500, instead of the $20,000 to $30,000 they would otherwise cost.
Finally, the timing of these attacks is optimal: websites are seeing greater traffic as a result of the holiday season, which makes rogue orders and code injections less likely to be noticed.
How to Safeguard Your Website and Customers
If you haven’t already, you should apply the security update that fixes CVE-2022-24086 as soon as possible.
Examine orders for evidence of a TrojanOrders attack, such as template code in order fields or orders placed from anonymous email accounts on Protonmail, Tutanota, and so on.
Finally, utilize a backend malware scanner to identify any previous infections that may result in RAT injections on your website.
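The order review described above, as an added example that is not part of the original article or of Sansec’s tooling: a small Python scan over exported order records that flags Magento 2 template directives (`{{var ...}}`, `{{block ...}}`, and so on) in customer-supplied fields and orders placed from anonymous mail providers. The watched field names and the provider domain list are assumptions and should be tuned to your shop.

```python
import re

# Magento 2 template directives ({{var ...}}, {{block ...}}, ...). A genuine
# customer name, company or VAT id never contains one, so any hit in a
# customer-supplied order field deserves manual review.
DIRECTIVE_RE = re.compile(
    r"\{\{\s*(var|block|config|customvar|template|trans|widget|depend|if|"
    r"layout|store|view|css|inlinecss|protocol)\b",
    re.IGNORECASE,
)

# Fields the article names as injection targets (name, VAT) plus other
# free-text fields; exactly which fields to watch is an assumption here.
WATCHED_FIELDS = ("firstname", "lastname", "company", "vat_id", "street", "city")

# Providers the article associates with throwaway accounts; the domain list
# is an assumption and should be tuned per shop.
ANON_MAIL_DOMAINS = {"protonmail.com", "proton.me", "tutanota.com"}


def scan_order(order: dict) -> list:
    """Return findings for one order record; an empty list means nothing suspicious."""
    findings = []
    for field in WATCHED_FIELDS:
        if DIRECTIVE_RE.search(str(order.get(field, ""))):
            findings.append(f"template directive in {field}")
    domain = str(order.get("customer_email", "")).lower().rpartition("@")[2]
    if domain in ANON_MAIL_DOMAINS:
        findings.append(f"anonymous mail provider {domain}")
    return findings


def scan_orders(orders: list) -> dict:
    """Map increment_id -> findings for every order that triggered at least one rule."""
    hits = {}
    for order in orders:
        findings = scan_order(order)
        if findings:
            hits[order["increment_id"]] = findings
    return hits


# Constructed sample export; the shape mirrors a sales_order row, the values are made up.
SAMPLE_ORDERS = [
    {"increment_id": "000000101", "firstname": "Jane", "lastname": "Doe",
     "company": "Doe GmbH", "vat_id": "DE123456789", "street": "1 Main St",
     "city": "Berlin", "customer_email": "jane@example.com"},
    {"increment_id": "000000102", "firstname": "{{var order.getId()}}",
     "lastname": "Smith", "company": "", "vat_id": "{{block class='x'}}",
     "street": "2 High St", "city": "London",
     "customer_email": "throwaway@protonmail.com"},
]

if __name__ == "__main__":
    for order_id, findings in scan_orders(SAMPLE_ORDERS).items():
        print(order_id, "->", "; ".join(findings))
```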
According to Sansec, Magento’s official tool, Security Scan, only scrapes the front end and hence cannot detect TrojanOrders.
As a result, the security firm is providing one month of free access to its scanner to help administrators clean up their sites.
Remember that identifying and removing malware and PHP backdoors will only prevent future infections if the Magento 2 patches are deployed, so patching remains the most important step.
An Actionable Magento 2 security checklist
When it comes to eCommerce platforms, no store is completely safe. Attackers find a weak spot and exploit it. Setting up a Magento 2 store may be easy; protecting your online business from hackers and cyber-attacks is hard.
A shop website is a place where hackers steal and misuse data such as bank details. This kind of information can be damaging to both shop owners and customers. Not only is consumers’ personal and financial information compromised; retailers may also suffer significantly.
We build modern eCommerce stores with security as a priority. Through our Magento support services, we make every effort to keep security at the highest level.