Xurum: Expert Cyber Campaign Exploiting Magento 2 Since 2023

Since at least January 2023, a persistent campaign dubbed Xurum has been systematically targeting e-commerce websites running Adobe's Magento 2 platform. The attackers, attributed to Russian actors, have shown a methodical, expert approach: they exploit CVE-2022-24086, a critical Magento 2 flaw that Adobe patched in February 2022, to execute arbitrary code on stores that never applied the fix. Rather than spraying exploits across the internet, they pick specific Magento 2 instances, which points to a deep understanding of how Magento works. The campaign is a reminder of how long an old vulnerability stays exploitable when businesses struggle to keep up with patches.

The Xurum attacks unfold in stages: the vulnerability provides initial access, after which the attackers deploy a disguised web shell, wso-ng, that profiles the host and exfiltrates payment data from sales orders placed within the previous 10 days. The shell responds only to requests carrying a specific cookie, so ordinary traffic and casual scanning never trigger it and the attackers stay under the radar. To finish, they create a rogue admin user with a benign-looking name so the account does not attract attention.
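Because a planted admin account is how the attackers keep access after the exploit, a defender's first check after patching is to audit Magento's admin_user table against a trusted baseline. The script below is an added example for this article, not code from the original page or from the researchers who documented Xurum. It loads rows shaped like Magento 2's admin_user table (user_id, username, email, created, is_active are real columns of that table) into an in-memory SQLite database and flags active accounts that were created after the last verified snapshot or whose username is missing from an approved allow-list. The sample rows, the allow-list and the baseline timestamp are constructed for the example.

```python
"""Hunt for rogue Magento 2 admin accounts.

Added example, not part of the original article. Column names follow
Magento 2's admin_user table; the rows below are constructed sample data.
"""
import sqlite3

# Constructed sample rows: (user_id, username, email, created, is_active).
# The last two mimic the benign-looking accounts the article describes.
SAMPLE_ADMIN_USERS = [
    (1, "admin", "admin@shop.example", "2021-03-02 09:12:44", 1),
    (2, "jsmith", "j.smith@shop.example", "2022-06-17 14:02:10", 1),
    (3, "support", "support@shop.example", "2023-05-11 03:41:09", 1),
    (4, "backup_admin", "backup@mail.example", "2023-05-11 03:42:55", 1),
]

# Assumed inputs a real audit would take from IAM records and the last
# verified export of admin_user.
APPROVED_USERNAMES = {"admin", "jsmith"}
BASELINE_SNAPSHOT = "2023-01-01 00:00:00"


def load_admin_users(rows):
    """Build an in-memory table with the admin_user columns we audit."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin_user ("
        " user_id INTEGER PRIMARY KEY, username TEXT, email TEXT,"
        " created TEXT, is_active INTEGER)"
    )
    conn.executemany("INSERT INTO admin_user VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def find_rogue_admins(conn, approved_usernames, baseline_created):
    """Return active admin accounts that need human verification.

    Two independent signals, either of which is enough to flag a row:
      * the account was created after the last trusted snapshot
      * the username is absent from the approved allow-list
    Timestamps are 'YYYY-MM-DD HH:MM:SS' strings, so plain string
    comparison orders them correctly.
    """
    rows = conn.execute(
        "SELECT user_id, username, email, created FROM admin_user "
        "WHERE is_active = 1 ORDER BY created"
    ).fetchall()
    findings = []
    for user_id, username, email, created in rows:
        reasons = []
        if created > baseline_created:
            reasons.append("created after baseline " + baseline_created)
        if username not in approved_usernames:
            reasons.append("username not on allow-list")
        if reasons:
            findings.append({
                "user_id": user_id,
                "username": username,
                "email": email,
                "created": created,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    conn = load_admin_users(SAMPLE_ADMIN_USERS)
    for hit in find_rogue_admins(conn, APPROVED_USERNAMES, BASELINE_SNAPSHOT):
        print("%(user_id)s %(username)-14s %(email)-24s %(created)s  %(reasons)s"
              % hit)
```

Against a live store, feed the same logic the output of `SELECT user_id, username, email, created, is_active FROM admin_user` taken from the production database, and treat any hit as an incident lead rather than a cleanup item: the account's creation time gives a lower bound on how long the web shell has been present, and disabling it without removing the shell only invites a replacement.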

The evolved wso-ng shell adds a hidden login page used to capture victims' credentials, and it integrates legitimate services such as VirusTotal and SecurityTrails to gather further intelligence about the compromised host. The campaign underlines the need for robust security on e-commerce platforms to withstand targeted threats. Organizations must stay alert to precision attacks of this kind, distinguished by the attackers' Magento expertise and their deliberate investment in testing exploits against real targets.