Cybercriminals are targeting e-commerce websites running the PrestaShop platform to steal customers' payment information. They are abusing a previously unknown vulnerability chain to execute malicious code.

The PrestaShop zero-day

A few days ago, the PrestaShop team released a warning asking the admins of 300,000 shops using its software to check their security stance after cyberattacks were spotted targeting the platform.
  • The attacks target PrestaShop versions 1.6.0.10 or later that run modules exposed to SQL injection. Users of versions 1.7.8.2 and above are not at risk from the core platform; however, they may still be impacted if they run any module (such as Wishlist 2.0.0 to 2.1.0) that is exposed to SQL injection attacks.
  • The abused vulnerability is being tracked as CVE-2022-36408. Successful exploitation leads to arbitrary code execution in servers running PrestaShop websites.

Modus operandi

The attack starts by targeting an older platform version vulnerable to SQL injection exploits.
  • To perform the attack, the attacker sends a POST request to an exposed endpoint, followed by a parameterless GET request to the homepage, which creates a blm[.]php file in the root directory.
  • blm[.]php is a web shell that allows attackers to run remote commands on the targeted server. This web shell is used to inject a fake payment form into the shop's checkout page.
  • Additionally, the attackers may plant malicious code anywhere on the website.

Post-attack cleanup

  • After the attack, the remote attackers erase their traces, which prevents the site owner from realizing that they were breached.
  • If the attackers fail to wipe their tracks, site admins may find signs of compromise in the web server's access logs.
  • Another sign is the activation of the MySQL Smarty cache storage feature.
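To turn the request pattern and access-log indicators described above into a concrete check, here is an added detection example (not code from the PrestaShop advisory or this article): it flags any request for the blm.php web shell and any parameterless GET to the homepage that follows a POST from the same client within a short window. The log lines are constructed, the module path is a placeholder, and the five-second window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Parser for Apache/nginx combined-format access log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Web shell file name reported in the PrestaShop incident; the window is an assumption.
WEBSHELL = "/blm.php"
WINDOW = timedelta(seconds=5)

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_indicators(lines):
    """Return (reason, ip, path) findings over access-log lines, in log order."""
    findings = []
    last_post = {}  # ip -> most recent POST record from that client
    for r in filter(None, map(parse, lines)):
        # Any hit on the web shell path, regardless of status code, is reported.
        if r["path"].split("?")[0].lower() == WEBSHELL:
            findings.append(("webshell-request", r["ip"], r["path"]))
        if r["method"] == "POST":
            last_post[r["ip"]] = r
        elif r["method"] == "GET" and r["path"] == "/":
            # Parameterless GET to the homepage shortly after a POST from the same IP.
            p = last_post.get(r["ip"])
            if p and timedelta(0) <= r["ts"] - p["ts"] <= WINDOW:
                findings.append(("post-then-get-home", r["ip"], p["path"]))
    return findings

# Constructed sample lines (not real traffic); the module endpoint is a placeholder.
SAMPLE = [
    '203.0.113.7 - - [20/Jul/2022:10:00:00 +0000] "POST /module/example-module/action HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Jul/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 10240',
    '203.0.113.7 - - [20/Jul/2022:10:00:05 +0000] "POST /blm.php HTTP/1.1" 200 64',
    '198.51.100.4 - - [20/Jul/2022:10:02:30 +0000] "POST /cart HTTP/1.1" 302 0',
    '198.51.100.4 - - [20/Jul/2022:10:03:00 +0000] "GET / HTTP/1.1" 200 10240',
]

if __name__ == "__main__":
    for reason, ip, path in find_indicators(SAMPLE):
        print(f"{reason}\t{ip}\t{path}")
```

The POST-then-GET heuristic on its own is noisy for a shop with real users, so treat it as a triage filter to narrow which POST endpoints deserve a closer look, while any request for blm.php is a strong indicator by itself.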

Staying safe

Ensure that the PrestaShop website and all modules are patched with the latest update or security patch. This prevents digital shops from being exposed to known and actively exploited SQL injection flaws. Further, experts suggest disabling the MySQL Smarty cache storage feature until a patch is issued.
Cyware Publisher