Magento, Visual Studio Code users: You need to patch!

Microsoft and Adobe released out-of-band security updates for Visual Studio Code, the Windows Codecs Library, and Magento.

All the updates fix vulnerabilities that could be exploited for remote code execution, but the good news is that none of them are being actively exploited by attackers (yet!).

Microsoft’s updates

Microsoft has fixed CVE-2020-17023, a remote code execution vulnerability in Visual Studio Code, its free and extremely popular source-code editor that’s available for Windows, macOS and Linux.

“To exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious ‘package.json’ file,” Microsoft explained.

If the target uses an account with administrative privileges, the attacker can take complete control of the affected system.

The vulnerability, discovered by Justin Steven, stems from a botched fix for a previously addressed RCE flaw (CVE-2020-16881).

Microsoft has also fixed an RCE (CVE-2020-17022) in the way the Microsoft Windows Codecs Library handles objects in memory, which could be triggered by a program processing a specially crafted image file.

It only affects Windows 10 users, and only if they installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store.

“Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” the company noted, and explained that “servicing for store apps/components does not follow the monthly ‘Update Tuesday’ cadence, but are offered whenever necessary.”

Adobe’s updates

After fixing just one Adobe Flash Player flaw on October 2020 Patch Tuesday, Adobe has followed up with security updates for several Magento Commerce and Magento Open Source versions.

The updates carry patches for nine vulnerabilities, most of which are exploitable without credentials. Just one of those – CVE-2020-24408, a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component – is exploitable by an attacker that has no administrative privileges.

Among the plugged security holes are two critical ones:

  • CVE-2020-24407 – a file upload allow list bypass that could be exploited to achieve code execution
  • CVE-2020-24400 – an SQL injection that could allow for arbitrary read or write access to the database

Magecart Group 8 skimmed card info from 570+ online shops

Your payment card information got stolen but you don’t know how, when and where? Maybe you shopped on one of the 570 webshops compromised by the Keeper Magecart group (aka Magecart Group 8) since April 1, 2017.

Magecart Group 8’s modus operandi and targets

The list of the online shops hit by the criminals has been released by researchers from Gemini Advisory, who managed to compile it after gaining access to the group’s dedicated attack server that hosts both the malicious payload and the exfiltrated data stolen from victim sites.

“Analysis revealed that the Keeper group includes an interconnected network of 64 attacker domains used to deliver malicious JS payloads and 73 exfiltration domains used to receive stolen payment cards data from victim domains.”

Their research also revealed that:

  • Over 85% of the victim sites operated on the Magento CMS, 5% on WordPress, and 4% on Shopify
  • The group tried to disguise its malicious attacker domains as legitimate services (e.g., the attacker domain closetlondon[.]org) and tried to imitate popular website plugins and payment gateways
  • The group occasionally used public and custom obfuscation methods to make the injected information-stealing JavaScript less noticeable and harder to detect
  • The majority of victim e-commerce sites were hosted in the U.S., followed by the U.K., the Netherlands, France, India, etc.

“The 570 victim e-commerce sites were made up of small to medium-sized merchants and were scattered across 55 different countries,” the researchers shared.

“Victims with the top Alexa Global Ranking received anywhere from 500,000 to over one million visitors each month and were responsible for selling electronics, clothing, jewelry, custom promotional products, and liquor.”

The attackers likely targeted small and medium-sized retailers because they are less likely to have a dedicated IT security team, to implement CMS and plugin patches promptly, and to have security measures in place and attack detection capabilities.

The profitability of Magecart attacks

The researchers estimated that the group may have generated over $7 million USD from selling compromised payment cards between 2017 and today.

“With revenue likely exceeding $7 million and increased cybercriminal interest in CNP [Card Not Present] data during the COVID-19 quarantine measures across the world, this group’s market niche appears to be secure and profitable,” they noted, and said that they expect the group to continue launching increasingly sophisticated attacks against online merchants across the world.

It is unknown if the group is state-sponsored or not. While we may think of Magecart groups as “mere” cyber criminals, Sansec researchers recently tied one of them to a North Korean APT group.

For the end users – i.e., the online shoppers – it’s all the same and, unfortunately, there is little they can do to protect themselves against the threat of getting their payment card info skimmed.

Avoiding smaller sites/shops might be a good idea, and so is using browser plugins that prevent JavaScript loading from untrusted sites, but there is no 100% guarantee.

Magento 1 reaches EOL: Merchants urged to upgrade or risk breaches, falling out of PCI DSS compliance

When Adobe released security updates for Magento last week, it warned that the Magento 1.x branch is reaching end-of-life (EOL) and end-of-support (EOS) on June 30, 2020, and that those were the final security patches available for Magento Commerce 1.14 and Magento Open Source 1.

Unfortunately, there are still too many (over 100,000) active Magento 1.x installations. The company is urging their owners and admins to migrate to Magento 2.x or risk being hit once another critical and easily exploited vulnerability is unearthed and its existence made public.

About Magento

Magento is a very popular open-source e-commerce platform that powers many online shops, a fact that hasn’t gone unnoticed by cyber criminals.

Nearly four years ago (and possibly even earlier), cyber crooks started concentrating on breaching Magento-based shops and injecting them with scripts that quietly grabbed users’ personal and payment card information and sent it to a server they controlled.

Since then, the tactic has been used and continues to be used by many cyber criminal groups, which have been classified by security companies as “Magecart” attackers. As they are quick to exploit newfound vulnerabilities in the Magento core and third-party extensions, hardly a day passes without news about another online shop having been compromised.

If you decide to stick with Magento 1

“If you have a store that continues to run on Magento 1 after June 30, please be aware that from that date forward you have increased responsibility for maintaining your site’s security and PCI DSS compliance,” Adobe warned.

Merchants that continue to use an unsupported Magento 1 version will have to implement compensating controls to re-certify PCI DSS compliance, such as signing up for and implementing third-party fixes and updates, continuously scanning their installations for malware, vulnerabilities and unauthorized accounts, using a web application firewall, and so on.
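One of the compensating controls named above, continuous scanning of the installation for unauthorized changes, can be approximated with a baseline-and-diff file integrity check. The script below is an added example written for this article; it is not Adobe's or Magento's tooling. It hashes every file under a web root with SHA-256, stores the result as a manifest, and reports files added, removed or modified since the last run. The excluded directory names (`var`, `generated`, `.git`) are an assumption about which paths change legitimately between deploys; the demo builds a constructed tree in a temporary directory and simulates an injected checkout script.

```python
"""Baseline-and-diff file integrity check for an e-commerce web root (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumption: directories whose contents change legitimately and would only add noise.
EXCLUDE_DIRS = {"var", "generated", ".git"}


def hash_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if d not in EXCLUDE_DIRS]
        for name in filenames:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = hash_file(full)
    return manifest


def diff_manifests(old: dict, new: dict) -> dict:
    """Report paths that appeared, disappeared or changed between two manifests."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_manifest(manifest: dict, path: Path) -> None:
    """Persist the baseline; store it outside the web root so a site compromise cannot rewrite it."""
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, then simulate a skimmer injection and a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app" / "code").mkdir(parents=True)
        (root / "pub" / "static").mkdir(parents=True)
        (root / "var").mkdir()
        (root / "app" / "code" / "Checkout.php").write_text("<?php // checkout controller\n")
        (root / "pub" / "static" / "checkout.js").write_text("// legitimate checkout script\n")
        (root / "var" / "cache.tmp").write_text("cache noise")

        baseline_path = root.parent / "baseline-manifest.json"  # outside the web root
        save_manifest(build_manifest(root), baseline_path)

        # Simulated compromise: JS appended to, a new PHP file dropped, cache churn (ignored).
        (root / "pub" / "static" / "checkout.js").write_text(
            "// legitimate checkout script\n(function(){/* injected */})();\n")
        (root / "app" / "code" / "x.php").write_text("<?php // unexpected new file\n")
        (root / "var" / "cache.tmp").write_text("different cache noise")

        result = diff_manifests(load_manifest(baseline_path), build_manifest(root))
        baseline_path.unlink()
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the baseline once from a known-clean deploy, then re-run the diff on a schedule and treat any unexpected entry under `modified` or `added` for PHP or JavaScript files as an incident to investigate.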

“General security vulnerabilities tend to increase the longer software is unsupported as hackers continue to use new technologies and techniques for exploitation. This raises the risk of attacks and security breaches over time and increases the possibility of exposing personally-identifiable customer data,” Adobe explained.

Companies risk their reputation, the trust of their customers, fines and may even lose their credit card processing ability if they fail to protect user information.

Another thing: the end of support for Magento 1 also means that some extensions merchants use will not be available anymore.

“We encourage Magento 1 merchants to download the Magento 1 extensions they plan to keep, since Magento 1 extensions will not be available in the Magento Marketplace after July 7, 2020, and will be removed from the Magento repository after August 6, 2020,” Adobe noted last week.

Magento 2 or something else?

PayPal, Visa and other payment processing companies and payment platforms have also been urging merchants to make the switch to Magento 2.
Even though Magento 2 was released five years ago, and even though the migration from Magento 1 to Magento 2 can be performed with an official Data Migration Tool, the number of Magento 2 installations is still lagging (it’s currently around 37,500).

As “painful” and costly as it may be, this EOL will hopefully push many of them to finally make the switch – or to switch to an alternative platform.

“2020 has been a tumultuous year for retailers. Merchants should not have to worry about security issues or upgrading their ecommerce platform while they are in the middle of adapting to drastically changed consumer behaviors and expectations. Amidst the list of business-critical priorities a merchant needs to focus on, worrying about what’s happening with a Magento migration or installation should not be included,” noted Jimmy Duvall, Chief Product Officer at BigCommerce.

How a favicon delivered a web credit card skimmer to victims

Cyber crooks deploying web credit card skimmers on compromised Magento websites have a new trick up their sleeve: favicons that “turn” malicious when victims visit a checkout page.

Favicons and card skimmers

A favicon is a file containing one or more small icons associated with a website; favicons are usually displayed in the browser’s address bar, on the tab in which a website has been opened, and in the bookmarks.

“The goal [with online credit card skimmers is] to deceive online shoppers while staying under the radar from website administrators and security scanners,” Malwarebytes researcher Jérôme Segura explained.

In this latest approach, the crooks registered a new website purporting to offer thousands of images, icons and favicons for download (myicons[.]net) and made it an exact copy of the legitimate site by loading it as an iframe.

Several e-commerce sites were loading a Magento favicon from this domain, Segura noted, but at first glance, the favicon image was clean.

Further analysis showed that, instead of the favicon, the malicious site returned JavaScript code that consists of a credit card payment form – but only when a user visited a checkout page.

The script would override the PayPal checkout option with its own drop down menu for MasterCard, Visa, Discover and American Express. The entered information would be exfiltrated to a remote server controlled by the crooks.

The new trick is part of ongoing attacks

“Given the decoy icons domain registration date, this particular scheme is about a week old but is part of a larger number of ongoing skimming attacks,” the researcher noted.

In fact, the IP of the server on which the malicious icon was hosted was flagged as part of an attack infrastructure nearly a month ago by Sucuri researchers, who tied it to a gang “known for using quite a few interesting tricks in their skimmers.”

It’s difficult for consumers to spot this type of attack and endpoint security solutions may or may not detect it. It’s on site owners to keep their websites secure and to quickly spot malicious changes.
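A site owner can check for the pattern described in this article, a favicon URL that serves an image on most pages but JavaScript when the request comes from a checkout page, without any knowledge of a specific attacker. The script below is an added example written for this article, not Malwarebytes' tooling: it classifies a response body by the magic bytes of common icon formats versus a crude JavaScript fingerprint, and flags both a JavaScript body and any difference in content across referring pages. The sample responses are constructed; `fetch_favicon` is a live helper that sends the `Referer` header a browser would, and is not used in the offline demo.

```python
"""Detect a favicon URL that answers with JavaScript, or answers differently per referring page (added example)."""
import re
import urllib.request

# Magic bytes of the image formats a favicon is normally served as.
IMAGE_MAGIC = (
    b"\x00\x00\x01\x00",      # ICO
    b"\x89PNG\r\n\x1a\n",     # PNG
    b"GIF87a", b"GIF89a",     # GIF
    b"\xff\xd8\xff",          # JPEG
)

# Crude JavaScript fingerprint: common keywords and DOM/network calls a skimmer needs.
JS_HINT = re.compile(rb"\b(function|var|let|const|document\.|window\.|XMLHttpRequest|fetch\()")


def classify_body(body: bytes) -> str:
    """Return 'image', 'javascript' or 'unknown' for a favicon response body."""
    for magic in IMAGE_MAGIC:
        if body.startswith(magic):
            return "image"
    head = body.lstrip()[:2048]
    if head.startswith(b"<svg") or head.startswith(b"<?xml"):
        return "image"  # SVG favicons are legitimate too
    if JS_HINT.search(head):
        return "javascript"
    return "unknown"


def audit(responses: dict) -> list:
    """responses maps a referring-page label (e.g. 'home', 'checkout') to the body the favicon
    URL returned for that request. Returns human-readable findings; an empty list is clean."""
    findings = []
    kinds = {label: classify_body(body) for label, body in responses.items()}
    for label, kind in sorted(kinds.items()):
        if kind == "javascript":
            findings.append(f"{label}: favicon URL returned JavaScript, not an image")
    if len(set(kinds.values())) > 1:
        detail = ", ".join(f"{k}={v}" for k, v in sorted(kinds.items()))
        findings.append(f"favicon content differs by referring page: {detail}")
    return findings


def fetch_favicon(url: str, referer: str, timeout: float = 10.0) -> bytes:
    """Fetch the favicon as a browser on `referer` would. Live helper; call it once per
    referring page (home, product, checkout) and pass the bodies to audit()."""
    req = urllib.request.Request(url, headers={"Referer": referer, "User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


# Constructed sample: a clean ICO header for the home page, JavaScript for the checkout page.
SAMPLE_RESPONSES = {
    "home": b"\x00\x00\x01\x00\x01\x00\x10\x10" + b"\x00" * 32,
    "checkout": b"(function(){var f=document.createElement('form');document.body.appendChild(f);})();",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(finding)
```

Because the skimmer in this story keyed its behaviour on the checkout page, a check that fetches the favicon only from the home page would see a clean image; comparing bodies across several referring pages is what surfaces the difference.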

Adobe fixes critical flaws in Magento, Adobe Illustrator and Bridge

Adobe has pushed out security updates fixing critical flaws in Magento Commerce, Open Source, Enterprise and Community editions, Adobe Illustrator 2020 for Windows, and Adobe Bridge for Windows.

Magento security update

According to the security bulletin published on Tuesday, thirteen flaws in all have been reported, all but one affecting all supported versions of Magento, the popular e-commerce platform.

Six of the Magento vulnerabilities are deemed critical: they are either command injection or security mitigation bypass flaws, and could be exploited to achieve arbitrary code execution by unauthenticated, remote attackers.

The rest are less severe and could lead to sensitive information disclosure, arbitrary code execution, unauthorized access to the admin panel (only on Magento 1 versions), signature verification bypass, and potentially unauthorized product discounts.

Admins are advised to upgrade their installations to one of the fixed versions soon (within 30 days):

  • Magento Commerce (2.3.4-p2 Commerce or 2.3.5 Commerce)
  • Magento Open Source (2.3.4-p2 Open Source or 2.3.5 Open Source)
  • Magento Enterprise Edition
  • Magento Community Edition

Adobe Illustrator and Bridge vulnerabilities

The Adobe Illustrator vector graphics editor has been updated to close five critical memory corruption vulnerabilities that could be exploited for arbitrary code execution.

The security holes affect Illustrator 2020 versions 24.0.2 and earlier on Windows, and have been plugged in version 24.1.2.

Versions 10.0.1 and earlier of the digital asset management application Adobe Bridge for Windows sport seventeen vulnerabilities, fourteen of which are critical. Users are advised to upgrade to version 10.0.4.

The Magento update is considered more important than those for Illustrator and Bridge, mainly because the latter have, historically, not been a target for attackers. Magento, on the other hand, is famously and continuously targeted by Magecart attackers.

Magento patches critical code execution vulnerabilities, upgrade ASAP!

Adobe-owned Magento has plugged multiple critical vulnerabilities in its eponymous content management system, the most severe of which could be exploited by attackers to achieve arbitrary code execution.

About the fixed vulnerabilities

According to the newest Magento-themed security bulletin (now published as an Adobe security bulletin), three of the six fixed flaws are critical and three are important.

In the “critical” category are a deserialization of untrusted data (CVE-2020-3716) and a security bypass (CVE-2020-3718) that could lead to arbitrary code execution, and an SQL injection (CVE-2020-3719) that could be exploited to leak sensitive information.

In the “important” category are two stored cross-site scripting flaws (CVE-2020-3715, CVE-2020-3758) and a path traversal (CVE-2020-3717) vulnerability, all of which could lead to sensitive information disclosure.

All of these have been patched in:

  • Magento Commerce versions 2.3.4 and 2.2.11
  • Magento Open Source versions 2.3.4 and 2.2.11
  • Magento Enterprise Edition (EE) version
  • Magento Community Edition (CE) version

At the moment, there is no indication that any of these might be actively exploited by attackers. Nevertheless, users/admins are advised to update their installations as soon as possible.

Magento shops are a major target

Magento is one of the most popular open-source e-commerce platforms out there, but web stores running it have unfortunately become a prime – though not exclusive – target for card-skimming cybercriminals (aka Magecart attackers).

Vulnerabilities in the Magento core are just one vector through which attackers can gain access to online shops to insert card-skimming code into them. Other avenues of attack include bugs in popular extensions and plug-ins, phishing emails lobbed at site admins, and compromise of third parties that serve scripts on the target site(s).