Research Saturday 9.23.23
Ep 300 | 9.23.23

Behind the Google shopping ad masks.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Maxim Zavodchik: So as part of our daily threat research job, we are analyzing the attack logs from traffic passing through Akamai. In this case specifically, we were hunting for attacks targeting Magento e-commerce platforms.

Dave Bittner: That's Maxim Zavodchik. He's a threat research director at Akamai. The research we're discussing today is titled "Xurum, New Magento Campaign Discovered." [ Music ]

Maxim Zavodchik: As we knew, it was a high-value target for different financially motivated cyber gangs in the past, so besides the regular opportunistic scams and commercial vulnerability scanner traffic that we've often seen on logs, we have also noticed several well obfuscated HTTP requests targeting some of our e-commerce customers.

Dave Bittner: Well, let's dig into some of the details here. I mean, who exactly do we suppose is behind this and what are they up to?

Maxim Zavodchik: So while looking closer at the request payloads, it was clear for us that there is a well-organized campaign going on. Judging by the payload, the attacker seems to have a higher level of sophistication expertise than the common attackers that we see. It's not clear who is behind this attack, but definitely they possess a lot of Magento developer-level knowledge and were targeting specific businesses.

Dave Bittner: So for folks who may not be familiar, Magento is an e-commerce platform or utility to allow people to facilitate taking payments on their websites?

Maxim Zavodchik: Yeah. Magento, owned now by Adobe, is a popular e-commerce platform used by many high-traffic shops, and Magento and other e-commerce platforms have been a high target for operations or collections of groups called "Magecart" in recent years. Those Magecarts specialize in skimming payment data from customers of online shopping cart systems, primarily in Magento.

Dave Bittner: Well, let's dig into some of the details here. I mean, how exactly is this group going after people who were using Magento?

Maxim Zavodchik: Yeah, so actually, that was interesting here. So while looking closer at the request payloads, it was clear for us that it's something going on here. So the actual attack chain is initiated by trying to exploit the Magento CVE discovered a year ago and executing obfuscated PHP code. This code was just a bridge to fetch a bigger piece of PHP from a server named "Xurum." And by the way, the name "Xurum" was picked for this campaign [inaudible 00:03:07] this domain name. So this PHP code has more obfuscated code which has different exploitation steps. The first one was collecting technical information on the Magento system such as Magento directories and other information and also the encryption key used to secure sensitive customer data such as passwords and payment details. But besides the technical information, the attackers were also collecting payment methods information used in the last 10 days and exfiltrated those to the Xurum server. After exfiltrating this information, they were adding backdoor admin users with the names "Mageworx" and "Mageplaza," which is interesting because those are very famous Magento extension stores. Many of those threat actors are really familiar with the Magento ecosystem. Once installing those backdoor users, they were creating the Magento component named "GoogleShoppingAds," trying to camouflage their intentions, and this specific component was quite interesting because it's not only how attackers deploy things, so if someone will try to browse this component, they will get an empty response, nothing, but if you add a special cookie name, such as "MageModule000," it will fetch an advanced web shell from GitHub, and that's also surprising because usually attackers use different public web shells, but they maintain a copy of a web shell on their own server, while in this case, we have seen those attackers pointing to a GitHub repository and that has different advantages for the attackers.
So one of them is that it's harder to attribute because it's a public service rather than an infrastructure rented by the attackers. Also, a malicious server that hosts the web shell can quickly be taken down by the ISP, if you follow the news report, but it's impossible to take down the public GitHub repository. And another advantage for attackers here is that every time the attackers exploit a new target, they fetch the up-to-date version of the web shell which includes all the recent enhancements done by the [inaudible 00:05:24]. [ Music ]

Dave Bittner: Now, is this a case of them taking advantage of organizations who haven't kept up to date with the latest version of Magento?

Maxim Zavodchik: Yeah, Dave, it's kind of unfortunate to see, right? This vulnerability is at least a year, was discovered just a year ago, and we still see many threat actors trying to exploit this vulnerability, and we did find some successful exploitations from some of the indirect information we have in the attack payloads. We've seen a website infected with the web skimmer. A web skimmer is -- think about the digital version of the ATM skimmers that were deployed in the past, where the attackers will infect a web page with malicious JavaScript that will pop up some credit card form and ask for credit card information, exfiltrated to attackers' servers.

Dave Bittner: What are your recommendations for folks to make sure that they haven't been infected with this but also to prevent it?

Maxim Zavodchik: So I don't want to sound like a broken record, but the best way to protect is always applying the latest patches on time.

Dave Bittner: Yeah.

Maxim Zavodchik: But I understand that businesses struggle with this as the number of applications is growing every day and the environment becomes more dynamic. It's really difficult to maintain your assets and understand the exact versions and what the vulnerabilities are there. So I do believe security is in layers, so [inaudible 00:07:06] that's the best solution, but that's harder. So other complementary methods could be used, such as running daily routines on your database to see whether there are new admin users added, implementing different complementary methods like a web application firewall to prevent the initial access vector and the actual CVE exploitation, and also client-side inspections to detect skimmers on your website and getting closer to the attackers' business model.

Dave Bittner: How do you rate the sophistication of this group?

Maxim Zavodchik: Yeah, definitely those are not the common attackers. Definitely they show a higher level of expertise. On the technical side, I would say while reading the malicious code, one can clearly see they possess Magento developer-level knowledge and are very familiar with the Magento internals like the Magento database structure and all the nuances of Magento add-ons. The Magento users, as I mentioned, that they name and create are named after well-known Magento extension stores, Mageplaza and Mageworx, which shows their familiarity with the Magento ecosystem. On the operation side, I think they also understand, and while many campaigns are spraying the internet with exploits hoping something will stick, those attackers are more patient and carefully picking their targets. I believe that's what helped them to keep this operation undetected for so long.

Dave Bittner: Do you have any sense for how widespread this is or what level of success they've had?

Maxim Zavodchik: It's very difficult for me to tell the exact numbers here because our customers seem to be successful in mitigating those vulnerabilities, those exploit attempts, but it seems like this campaign was very targeted, so it's not clear how many targets were the targets and how they were profiling their targets.

Dave Bittner: When you look at the big picture here, I mean, organizations like this who are coming after these e-commerce platforms, is that an area where we're seeing growth, or are folks getting on top of this, or are things staying the same? What's your sense?

Maxim Zavodchik: I think the number of applications grows, sophistication grows. We see more attackers joining this market, right, and trying to monetize on the digital assets, but also the fast technology advances and provides more automation, more insights to the defenders. [ Music ]

Dave Bittner: Our thanks to Maxim Zavodchik from Akamai for joining us. The research is titled "Xurum, New Magento Campaign Discovered." We'll have a link in the show notes. [ Music ] The CyberWire "Research Saturday" podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. [ Music ]