Severity: Critical
INTRODUCTION
Adobe has addressed critical Magento Zero-Day Vulnerability (CVE-2022-24086) that is under active exploitation by threat actors. The security flaw impacts Adobe Commerce and Magento Open Source products. Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code and may result in the complete compromise of a vulnerable system.
The vulnerability exists due to improper input validation. A remote attacker with administrative privileges can send a specially crafted request to the application and execute arbitrary code on the target system.
The threat actors are actively attempting to exploit the vulnerability in their
ongoing attacks targeting Adobe Commerce merchants. Recently hackers used Magecart credit card skimmer to steal sensitive payment information and compromised 500+ sites running vulnerable Magento sites. Attackers used a combination of an SQL injection and PHP Object Injection attack to load the skimmer, gain control of the online sites running Magento and exfiltrate payment information.
BUSINESS IMPACT
Successful exploitation of this vulnerability allows a remote
attacker to execute arbitrary code, steal sensitive payment information
and completely compromise a vulnerable system.
RECOMMENDATIONS
- Ensure to update Adobe Commerce and Magento Open Source products to the latest security patches. (Patch installation instructions – Click Here)
- Kindly block the threat indicators at their respective controls.
AFFECTED PRODUCTS
- Adobe Commerce 2.4.3-p1 and earlier versions, 2.3.7-p2 and earlier
versions - Magento Open Source 2.4.3-p1 and earlier versions, 2.3.7-p2 and earlier
versions - Adobe Commerce 2.3.3 and lower are not affected.
IP’s
| 132[.]255[.]135[.]230 | 144[.]168[.]221[.]92 | 191[.]102[.]163[.]208 | 193[.]32[.]8[.]33 | 209[.]127[.]109[.]87 | 209[.]127[.]175[.]113 |
| 132[.]255[.]135[.]51 | 186[.]179[.]14[.]102 | 191[.]102[.]163[.]7 | 193[.]32[.]8[.]63 | 209[.]127[.]110[.]144 | 209[.]127[.]97[.]6 |
| 138[.]36[.]92[.]216 | 186[.]179[.]14[.]134 | 191[.]102[.]163[.]74 | 193[.]32[.]8[.]76 | 209[.]127[.]110[.]177 | 209[.]127[.]98[.]244 |
| 138[.]36[.]92[.]253 | 186[.]179[.]14[.]179 | 191[.]102[.]170[.]173 | 193[.]8[.]238[.]91 | 209[.]127[.]111[.]68 | 209[.]127[.]98[.]81 |
| 138[.]36[.]93[.]206 | 186[.]179[.]14[.]204 | 191[.]102[.]170[.]81 | 195[.]123[.]246[.]212 | 209[.]127[.]111[.]99 | 209[.]127[.]98[.]91 |
| 138[.]36[.]94[.]2 | 186[.]179[.]14[.]44 | 191[.]102[.]174[.]128 | 198[.]245[.]77[.]132 | 209[.]127[.]116[.]101 | 209[.]127[.]99[.]16 |
| 138[.]36[.]94[.]224 | 186[.]179[.]14[.]76 | 191[.]102[.]174[.]211 | 198[.]245[.]77[.]217 | 209[.]127[.]116[.]167 | 209[.]127[.]99[.]205 |
| 138[.]36[.]94[.]241 | 186[.]179[.]14[.]97 | 191[.]102[.]174[.]239 | 198[.]245[.]77[.]253 | 209[.]127[.]116[.]231 | 217[.]170[.]207[.]111 |
| 138[.]36[.]94[.]59 | 186[.]179[.]39[.]183 | 191[.]102[.]174[.]247 | 206[.]127[.]242[.]99 | 209[.]127[.]117[.]214 | 23[.]106[.]125[.]64 |
| 138[.]94[.]216[.]131 | 186[.]179[.]39[.]226 | 191[.]102[.]174[.]52 | 209[.]127[.]104[.]174 | 209[.]127[.]117[.]49 | 45[.]72[.]112[.]143 |
| 138[.]94[.]216[.]172 | 186[.]179[.]39[.]35 | 191[.]102[.]179[.]22 | 209[.]127[.]105[.]225 | 209[.]127[.]118[.]136 | 45[.]72[.]18[.]133 |
| 138[.]94[.]216[.]186 | 186[.]179[.]39[.]7 | 191[.]102[.]179[.]31 | 209[.]127[.]105[.]73 | 209[.]127[.]118[.]96 | 45[.]72[.]18[.]234 |
| 138[.]94[.]216[.]230 | 186[.]179[.]39[.]74 | 191[.]102[.]179[.]62 | 209[.]127[.]106[.]211 | 209[.]127[.]172[.]15 | 45[.]72[.]18[.]236 |
| 141[.]193[.]20[.]147 | 186[.]179[.]47[.]205 | 192[.]198[.]123[.]164 | 209[.]127[.]106[.]44 | 209[.]127[.]172[.]60 | 45[.]72[.]31[.]112 |
| 144[.]168[.]218[.]117 | 186[.]179[.]47[.]39 | 192[.]198[.]123[.]225 | 209[.]127[.]107[.]141 | 209[.]127[.]172[.]99 | 45[.]72[.]85[.]178 |
| 144[.]168[.]218[.]136 | 191[.]102[.]149[.]106 | 192[.]198[.]123[.]226 | 209[.]127[.]107[.]169 | 209[.]127[.]173[.]13 | 45[.]72[.]86[.]142 |
| 144[.]168[.]218[.]249 | 191[.]102[.]149[.]197 | 192[.]198[.]123[.]43 | 209[.]127[.]107[.]187 | 209[.]127[.]173[.]154 | 45[.]72[.]86[.]201 |
| 144[.]168[.]218[.]70 | 191[.]102[.]149[.]253 | 192[.]241[.]67[.]128 | 209[.]127[.]109[.]138 | 209[.]127[.]173[.]215 | 45[.]72[.]86[.]201 |
| 144[.]168[.]218[.]94 | 191[.]102[.]163[.]202 | 193[.]32[.]8[.]1 | 209[.]127[.]109[.]225 | 209[.]127[.]174[.]177 |
DOMAINS
| ajaxtracker[.]com | g-analytics[.]com | googlnalytics[.]com | json-jquery[.]icu |
| amazon-sert[.]com | google-analytisc[.]com | ipmarketing[.]biz | magento-analytics[.]com |
| bootstrap-js[.]com | googleanalytics[.]icu | jqueri-web[.]at | paypal-assist[.]com |
| cdn-clouds[.]com | googleplus[.]name | jquery-js[.]link | tagmanaqer[.]com |
| cdn-jquery[.]biz | googletagmanagar[.]com | jquerys[.]ga | topcc[.]su |
| webadstracker[.]com |
REFERENCES
1. Critical Magento 0-Day Vulnerability Under Active Exploitation — Patch
Released
2. NaturalFreshMall: a mass store hack
3. RiskIQ: Magecart C2 Domains Active in January 2022
4. Threat actors compromised +500 Magento-based e-stores with e-skimmers
Nandeesha Basavaraj is a key member of the MDR Threat Intelligence team at Network Intelligence. He has experience in both SOC and Threat Intelligence. He is passionate about investigating cyber threats, threat actors’ motives, targets, attack behaviours and does threat hunting in his spare time. Apart from the work field, he enjoys playing cricket and badminton.