Magento eCommerce websites running on the popular open-source platform have been attacked by cybercriminals who are brute-forcing admin panel passwords in order to steal credit card information and install malware that mines cryptocurrency.
Researchers at Flashpoint are aware of at least 1,000 compromised Magento admin panels and said that interest in the platform has continued unabated on entry-level and top-tier deep and dark web forums since 2016. Attackers have also shown continued interest in other popular eCommerce content management systems such as Powerfront CMS and OpenCart.
The Magento sites are being compromised by brute-force attacks that try common and well-known default Magento credentials. Such attacks are trivial when admins fail to change the default credentials after installing the platform; attackers can build simple automated scripts loaded with known credentials and run them against admin panels at scale.
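A credential-stuffing script of the kind described above leaves an obvious trace in web server logs: a burst of POSTs to the admin login path from one source. The following is an added example (not from the article or from Flashpoint) of detection logic that runs over Apache/nginx combined-format access log lines and flags source IPs that exceed a threshold of admin login POSTs inside a sliding time window. It assumes the admin route is still at the default-style path `/admin` (Magento lets you rename it; adjust `ADMIN_PATH`) and that a POST to that path is a login attempt. The log lines are constructed sample data.

```python
"""Flag brute-force attempts against a Magento admin login in access logs.

Added example; not code from the article, Flashpoint, or Magento.
Assumptions: combined log format, admin route at /admin, POST == login attempt.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_PATH = "/admin"          # assumption: admin route not renamed, no /index.php prefix
THRESHOLD = 10                 # login POSTs within WINDOW that we call brute forcing
WINDOW = timedelta(minutes=5)

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def is_admin_login_attempt(rec):
    # assumption: a POST to the admin path is a login form submission
    return rec["method"] == "POST" and rec["path"].startswith(ADMIN_PATH)


def find_bruteforcers(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: max_attempts_in_any_window} for IPs at or above `threshold`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_admin_login_attempt(rec):
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


# Constructed sample log: one scripted source firing 12 login POSTs in under a minute,
# one real admin logging in once, and unrelated storefront traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2018:12:00:%02d +0000] "POST /admin/ HTTP/1.1" 302 512 '
    '"-" "python-requests/2.18"' % (i * 5)
    for i in range(12)
] + [
    '198.51.100.5 - - [10/Apr/2018:12:01:00 +0000] "POST /admin/ HTTP/1.1" 302 512 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Apr/2018:12:03:00 +0000] "GET /admin/dashboard/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Apr/2018:12:02:00 +0000] "GET /index.php/checkout/ HTTP/1.1" 200 4200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {n} admin login POSTs within {WINDOW} (threshold {THRESHOLD})")
```

Pair the flagged IPs with a check for a subsequent successful session from the same source: a burst followed by a 302 to the dashboard is the signature of a guessed password, not just a failed attack.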
Once the attackers control the site’s Magento admin panel, they have unfettered access to the website and can add any script they choose. In this case, they injected malicious code into a Magento core file, giving them a hook into the pages where payment data is processed. POST requests to the server containing sensitive data are then intercepted and a copy is redirected to the attacker.
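A modified core file is exactly what file-integrity monitoring exists to catch: a code tree should only change during a deploy. The following is an added example (not from the article, Flashpoint, or the Magento project) that hashes every file under a code tree into a manifest, then diffs a later manifest against the baseline to report modified, added, and removed files. The `demo()` function builds a constructed stand-in tree in a temporary directory, appends an inert comment to a file named like a checkout helper, and shows the diff; the directory names under `SKIP_DIRS` are an assumption about which runtime directories legitimately churn.

```python
"""Detect tampering with a Magento (or any PHP) code tree via a hash manifest.

Added example; not code from the article, Flashpoint, or Magento.
Assumption: a baseline manifest is taken after a clean install/deploy and stored off-box.
"""
import hashlib
import json
import tempfile
from pathlib import Path

SKIP_DIRS = {"var", "media", "pub/media"}   # assumption: cache/upload dirs that change at runtime


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> sha256 for every file under root, skipping SKIP_DIRS."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in SKIP_DIRS):
            continue
        manifest[rel] = sha256_file(p)
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests; any entry in the result is worth an analyst's attention."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: clean tree -> baseline -> core file edited + dropper added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        helper_dir = root / "app/code/core/Mage/Checkout"
        helper_dir.mkdir(parents=True)
        core = helper_dir / "Helper.php"            # stand-in for a core checkout file
        core.write_text("<?php\nclass Mage_Checkout_Helper {}\n")
        (root / "var").mkdir()
        (root / "var/cache.txt").write_text("cache")

        baseline = build_manifest(root)

        # Simulated tampering: an inert comment appended to the core file, a new file
        # dropped beside it, and unrelated cache churn that must not raise an alert.
        core.write_text(core.read_text() + "// injected skimmer stub (inert, constructed)\n")
        (helper_dir / "x.php").write_text("<?php // dropped file (constructed)\n")
        (root / "var/cache.txt").write_text("regenerated cache")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline somewhere the web server account cannot write, and re-run the comparison on a schedule; an attacker with admin panel access can edit files, but cannot quietly rewrite a manifest they cannot reach.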
Analysts said the infection chain begins with the installation of the data-stealing malware AZORult from a binary hosted on GitHub. AZORult then downloads additional malware, which in this campaign is the Rarog cryptocurrency miner. The attackers are keen on avoiding detection and update the malicious files daily to sidestep signature- and behavior-based detection. Flashpoint said the GitHub accounts hosting these files have been active since 2017.
Flashpoint said that most of the victims among the 1,000 admin panels it is aware of are in the education and healthcare industries, and that the IP addresses of the compromised admin panels map to locations in the U.S. and Europe.
Analysts assess that this is likely only a subset of a larger population of compromised Magento admin panels.
Flashpoint is working with law enforcement to notify victims of these compromises.
In the meantime, the rash of attacks is a reminder of the persistent problem of default credential usage among admins. Default credentials were at the core of the 2016 Mirai attacks, in which cybercriminals accessed connected devices such as security cameras, DVRs, and routers using known default passwords. The compromised IoT devices were corralled into a massive botnet that was pointed at high-value targets including DNS provider Dyn, French web host OVH, and security journalist Brian Krebs’s website to carry out crippling distributed denial-of-service attacks.
The DDoS attack against Dyn peaked at about one terabit per second and took some popular sites and services offline for the better part of a day in October 2016, including Twitter, GitHub, and Spotify.