Magento-Based Stores Are Suffering from Increasing TrojanOrders Attacks

Magento and TrojanOrders attacks
Written by Carina Wilson

According to experts at e-commerce security company Sansec, at least seven hacker groups are behind the massive TrojanOrders attacks that have recently affected Magento 2-based sites.

Such attacks use the critical vulnerability CVE-2022-24086, discovered and fixed at the beginning of the year, affecting Adobe Commerce and Magento.

Magento and TrojanOrders attacks
Number of attacked sites is rising

Let me remind you that we also wrote that E-Commerce Software Developer FishPig Hacked in a Massive Supply Chain Attack, and also that Operators of the Clipminer Botnet “Earned” More Than $1.7 Million.

Let me remind you that the CVE-2022-24086 vulnerability (9.8 points out of 10 on the CVSS scale) was discovered and fixed in February 2022. The bug allowed remote arbitrary code execution without authentication. According to Adobe, the root of the problem was incorrect input validation.

From the very beginning, it was reported that hackers had already begun to exploit the problem. Later, such attacks on CVE-2022-24086 were given the name TrojanOrders (“Trojan Orders”), as attackers get the opportunity to execute code and inject RAT (remote access trojans) on uncorrected store sites.

Typically, when carrying out TrojanOrders attacks, hackers create an account on the target site and place an order that contains malicious code in one of the fields.

Magento and TrojanOrders attacks

For example, the attack on the screenshot above will inject a copy of the health_check.php file into the site, which contains a PHP backdoor that can run commands sent via POST requests. Once they gain a foothold on a site, attackers implement RATs to ensure they have constant access and the ability to perform more complex actions.

At the same time, in many cases studied by Sansec, immediately after the compromise, the hackers searched the site for the health_check.php file to determine if another group had previously infected the resource. If the answer was positive, the attackers would replace this file with their own backdoor.

Ultimately, the attackers modify the site’s code by injecting malicious JavaScript into it, which steals information about customers and their bank card numbers.

Unfortunately, according to Sansec analysts, the administrators of many sites have not yet installed the necessary patches, and the vulnerability still poses a significant threat. Researchers say that almost 40% of Magento 2 sites are attacked, with hack groups literally fighting each other for control of infected resources.

Sansec estimates that at least a third of all Magento and Adobe Commerce stores have yet to receive patches.Sansec warned.

Such attacks can lead to serious failures in the operation of sites and the massive theft of bank cards of buyers, especially amid of the upcoming Black Friday and Cyber Monday.

Worse, the researchers believe that this trend will continue as we approach Christmas and New Year. The fact is that PoC exploits for this problem have been available for a long time and are included in many exploit kits, the number of unpatched sites is still high, and the holiday sales season is coming.

It is noted that exploits have become so numerous that they are sold for as little as $2,500, while at the beginning of 2022 they cost from $20,000 to $30,000.

Magento and TrojanOrders attacks
Exploit Sale

About the author

Carina Wilson

With over 10 years' experience of writing for online and print media, I'm an expert in delivering clear and compelling copy.

I've written for a leading SEO copywriting agency as well as writing for some of the UK’s best known brands, magazines and newspapers.

Leave a Comment