Cybercriminals are targeting e-commerce websites that are using the PrestaShop platform, to steal customers' payment information. They are abusing a previously unknown vulnerability chain to execute malicious code.

The PrestaShop zero-day 

A few days ago, the PrestaShop team released a warning asking the admins of 300,000 shops using its software to check their security stance after cyberattacks were spotted targeting the platform.
  • The attacks aim at PrestaShop versions or later if they run modules exposed to SQL injection. Users of versions and above are not at risk, however, they may get impacted if they run any modules (such as Wishlist 2.0.0 to 2.1.0), which are exposed to SQL Injection attacks.
  • The abused vulnerability is being tracked as CVE-2022-36408. Successful exploitation leads to arbitrary code execution in servers running PrestaShop websites.

Modus operandi

The attack starts by targeting an older platform version vulnerable to SQL injection exploits.
  • To perform the attack, the attacker sends a POST request to an exposed endpoint with a parameterless GET request to the homepage and creates a blm[.]php file at the root directory.
  • The blm[.]php is a web shell that allows attackers to run remote commands on the targeted server. This web shell is used to inject a fake payment form on the shop's checkout page.
  • Additionally, the attackers may plant malicious code anywhere on the website.

Post-attack cleanup

  • After the attack, the remote attackers erase their traces that stops the site owner from knowing that they were breached.
  • If the attackers fail to wipe their tracks, site admins might find entries in the web server's access logs for compromise signs. 
  • The other sign is the activation of the MySQL Smarty cache storage feature.

Staying safe

Ensure that the PrestaShop website and all modules are patched with the latest update or security patch. This prevents digital shops from being exposed to known and actively exploited SQL injection flaws. Further, experts suggest disabling the MySQL Smarty cache storage features until a patch is issued.
Cyware Publisher