The open-source PrestaShop e-commerce platform has disclosed that threat actors are actively exploiting a zero-day vulnerability in the platform to inject malicious skimming code and capture sensitive payment information.

PrestaShop is a popular e-commerce platform used by roughly 300,000 members in Europe and Latin America.

Infection details

  • The zero-day attack begins by targeting an older platform version vulnerable to SQL injection exploits.
  • The actively exploited SQL injection vulnerability is being tracked as CVE-2022-36408.
  • The flaw allows threat actors to achieve arbitrary code execution and steal payment information from customers.
  • The zero-day vulnerability affects PrestaShop versions 1.6.0.10 and later, as well as versions 1.7.8.2 and later.

Attack details

  • To exploit the zero-day, attackers send a POST request to an exposed endpoint, followed by a parameterless GET request to the homepage, which creates a blm[.]php file in the site's root directory.
  • The blm[.]php file is a web shell that allows attackers to run remote commands on the targeted server. This web shell is used to inject a fake payment form into the shop's checkout page.
  • Additionally, the attackers may plant malicious code anywhere on the website.
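
The two-step request sequence and the dropped web shell described above can both be hunted for in ordinary web server access logs. The following is an added detection example, not code from the original article or from PrestaShop: it parses combined-format log lines, flags any request to blm.php, and flags a client that issues a POST followed within a few seconds by a parameterless GET to the homepage. The endpoint path, IP addresses and log lines are constructed sample data; the real vulnerable endpoint is not named on the page.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
# "/modules/placeholder_module/ajax.php" is a placeholder for the exposed endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jul/2022:10:01:02 +0000] "POST /modules/placeholder_module/ajax.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [22/Jul/2022:10:01:03 +0000] "GET / HTTP/1.1" 200 10240 "-" "curl/7.68.0"
198.51.100.7 - - [22/Jul/2022:10:02:10 +0000] "GET /?id_product=3 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Jul/2022:10:02:30 +0000] "POST /blm.php HTTP/1.1" 200 64 "-" "curl/7.68.0"
"""

# client ip, timestamp, method, path, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WINDOW_SECONDS = 10  # assumed: how close the POST and bare GET must be to correlate them

def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}

def find_suspicious(lines):
    """Scan log lines and return (finding, client_ip, path) tuples in log order."""
    findings = []
    last_post = {}  # ip -> (time, path) of that client's most recent POST
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Any hit on the web shell name from the advisory is a finding on its own.
        if rec["path"].split("?")[0].lower().endswith("/blm.php"):
            findings.append(("webshell_access", rec["ip"], rec["path"]))
        if rec["method"] == "POST":
            last_post[rec["ip"]] = (rec["time"], rec["path"])
        elif rec["method"] == "GET" and rec["path"] == "/":
            # Parameterless GET to the homepage shortly after a POST from the same client.
            prev = last_post.get(rec["ip"])
            if prev and 0 <= (rec["time"] - prev[0]).total_seconds() <= WINDOW_SECONDS:
                findings.append(("post_then_bare_get", rec["ip"], prev[1]))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG.splitlines()):
        print(finding)
```

A hit on the POST-then-GET pattern alone is only a lead, since legitimate clients also post forms and then load the homepage; pair it with a file-integrity check for unexpected PHP files in the web root.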
Likely solution

PrestaShop has addressed the zero-day vulnerability in version 1.7.8.7 of the platform. The vulnerability can be remediated by upgrading affected installations as advised below.
  • The immediate solution is to upgrade the platform to version 1.7.8.7 and all installed modules to their latest available versions.
  • Customers running older, vulnerable versions of the platform can instead disable the MySQL Smarty cache feature by removing the relevant code from a configuration file.
  • If the site has already been compromised, applying the security update will not by itself remediate the problem.

The PrestaShop security advisory states that the platform's latest version and its modules are free from SQL injection vulnerabilities.
Cyware Publisher