TrojanOrders Attack Hits Magento and Adobe Stores

Sansec, a vulnerability detection, and website security firm, has warned about a spike in cyberattacks exploiting a critical mail template vulnerability tracked as CVE-2022-24086, with a CVSS score of 9.8. The researchers have dubbed the attack as TrojanOrders.

This flaw affects Magento and Adobe Commerce stores. Adobe released emergency patches for this flaw in February 2022 and warned e-commerce stores’ administrators and owners that the flaw was being exploited in the wild.

Later, Adobe confirmed that the patches it released were bypassed, and a new CVE identifier was assigned to the flaw (CVE-2022-24087).

Researchers Observe a Rise in TrojanOrders Attacks

According to Sansec, at least seven magecart groups are targeting Magento 2 websites in TrojanOrders attacks, exploiting the same vulnerability. It lets the attacker compromise vulnerable servers.

Sansec researchers have warned that around 40% of Magento 2 websites are targeted in these attacks. In fact, the company believes that hacking groups are at daggers drawn to gain control of the affected website. This trend is likely to continue now that online shops are expecting a rise in visitors due to Christmas.

How does the Attack Works?

The attacker injects malicious JavaScript code into an e-commerce website to disrupt the business. It can also lead to customer credit card theft. If such an activity is carried out on a busy day such as Black Friday or Cyber Monday, it can cause extensive damage.

The vulnerability is an improper input validation flaw in the checkout mechanism that can be exploited without authentication to achieve arbitrary code execution.

Attackers first analyze the Adobe Commerce and Magento stores to trigger the system. They send an email with one field having the exploit code. These triggers may be an order placement, customer registration, or sharing a wishlist.

If the trigger is successful, attackers try to gain control of the infected site and install a RAT (remote access trojan) to retain permanent access even when the system is patched. Usually, the backdoor is hidden in the health_check.php file. Sansec identified seven attack vectors targeting this vulnerability.

“Seven attack vectors means at least seven Magecart groups now actively trying TrojanOrders on Magento 2 websites. Developing an attack route is difficult and expensive. Once a group has a working exploit (attack vector), they keep on using it unless it ceases to be effective.”

Sansec

In their blog post, researchers wanted that even though fixes were released around nine months back, one-third of Magento sites and e-commerce stores haven’t yet applied them, so these could be vulnerable to TrojanOrders attacks.

1. 100s of schools at risk after Magecart attack on Wisepay
2. Hackers steal credit card data of 14,579 BevMo customers
3. Lazarus use Magecart attack to steal card data from EU, US sites
4. Magecart hackers launched largest attack against Magento stores
5. How to check for sites hacked to run web skimming, magecart attack