Cybercriminals are using a critical Magento 2 vulnerability (CVE-2022-24086) to execute arbitrary code on vulnerable servers and inject RATs on unpatched websites. Attacks leveraging this mail template vulnerability are called TrojanOrders attacks.

About TrojanOrders attacks

According to Sansec researchers, there is a massive surge in the TrojanOrders attacks ahead of the holiday season and approximately 38% of Magento 2 and Adobe Commerce websites are being targeted by the attacks.
  • Attackers typically create an account on the targeted online store's website and place an order that contains malicious template code in the name, VAT, or other fields. 
  • In one case, they injected a tempered copy of the genuine file (health_check.php) on the site, containing a PHP backdoor that runs commands sent via POST requests.
  • After gaining a foothold on the website, they install a RAT or their own backdoor to establish permanent access and then perform other nefarious activities.

The attackers infect the site with malicious JavaScript that steals customers' information and credit card numbers when purchasing products in the store.

A tug-of-war among hackers

  • Some attackers scan for the presence of a malicious file upon compromise to determine if another hacker already infected the site and if so, they replace the file with their own backdoor.
  • At least seven Magecart groups are working behind these attacks and fighting each other over the control of an infected site.

The motivations behind the attacks

  • Although Adobe fixed the exploited vulnerability in February, PoC exploits are available for a long time and researchers claim at least a third of all Magento and Adobe Commerce stores have not been patched so far.
  • Another reason behind the TrojanOrders attacks is the availability of several low-cost exploit kits on hacking forums for as low as $2,500 or 0.15 BTC.
  • Moreover, as the holiday season is approaching, organizations are occupied in preparations for a shopping spree by consumers, which stands as a huge motivation for attackers to target e-commerce websites.

Security tips

Hackers often leverage exploitable vulnerabilities to launch successful attacks for financial gains. Users are recommended to update systems on a regular basis and keep all third-party apps and software updated with the latest versions.
Cyware Publisher