Huge numbers of web stores are facing attack from this dangerous new malware


  • PolyShell vulnerability in Magento/Adobe Commerce mass exploited, hitting over half of vulnerable stores
  • Attackers deploy novel WebRTC-based credit card skimmer to evade security controls
  • Mass exploitation has been under way since March 19, with high-value ecommerce sites among the victims

PolyShell, a newly discovered vulnerability in certain Magento Open Source and Adobe Commerce installations, is now being actively used in attacks against a large number of websites, researchers are warning.

The flaw affects stable 2.x releases of both products and allows an unauthenticated attacker to execute code on the server and take over user accounts.

Adobe patched it, but the fix was only shipped in the second alpha release of version 2.4.9, leaving every stable production release without a patch.


Targeting a $100 billion company

At the time, security researchers Sansec advised website admins to restrict web access to the pub/media/custom_options/ directory, verify that their nginx or Apache rules actually block that access, and scan their stores for uploaded malware and backdoors.
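A way to act on that advice, as an added audit helper that is not Sansec's or Magento's code: it lists files under pub/media that should never be there (PHP-executable extensions, polyglot files carrying a PHP open tag, and .htaccess files that re-enable PHP for uploads) and probes the live server to confirm the upload path is denied. It assumes the standard Magento 2 layout, with the web root at pub/ so that pub/media/custom_options/ is served from /media/custom_options/; the file-type heuristics and the constructed sample store are assumptions for illustration, not a complete scanner.

```shell
#!/bin/sh
# Added audit helper for the mitigation Sansec describes; not Sansec's or
# Magento's code. Assumes the standard Magento 2 layout: web root is $ROOT/pub,
# uploads are stored in $ROOT/pub/media/custom_options and served from
# /media/custom_options/. The file-type heuristics are assumptions chosen for
# illustration, not a complete backdoor scanner.

# Print paths under pub/media that should never exist there:
#   - files with an extension a PHP handler may execute (php, phtml, phar, ...)
#   - files of any other extension that contain a PHP open tag (polyglots)
#   - .htaccess files that try to re-enable PHP for uploaded files
# Exit status: 0 clean, 1 something found, 2 media directory missing.
find_suspicious_uploads() {
    media="$1/pub/media"
    [ -d "$media" ] || { echo "no media directory at $media" >&2; return 2; }
    hits=$({
        find "$media" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
            -o -iname '*.phps' -o -iname '*.php[0-9]' \) -print
        find "$media" -type f ! -name '.htaccess' -exec grep -l '<?php' {} + || true
        find "$media" -type f -name '.htaccess' \
            -exec grep -liE 'php_flag[[:space:]]+engine[[:space:]]+(on|1)|x-httpd-php' {} + || true
    } 2>/dev/null | sort -u)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Check that the live server denies a file you know exists under
# custom_options (create an empty probe file there first if needed).
# 403 or 404 is acceptable; anything else means the deny rule is missing or
# shadowed by another location/directory rule. Needs curl and network access,
# so the offline demo below does not call it.
check_upload_path_denied() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/media/custom_options/$2")
    case "$code" in
        403|404) echo "$1: /media/custom_options/$2 denied (HTTP $code)"; return 0 ;;
        *)       echo "$1: /media/custom_options/$2 NOT denied (HTTP $code)"; return 1 ;;
    esac
}

# Constructed sample store for the offline demo (benign markers only).
make_sample_tree() {
    d=$(mktemp -d)
    co="$d/pub/media/custom_options/quote"
    mkdir -p "$co" "$d/pub/media/catalog/product"
    printf 'Options -Indexes\nphp_flag engine 0\n' > "$d/pub/media/.htaccess"   # stock-style deny, benign
    printf 'GIF89a;\n' > "$d/pub/media/catalog/product/logo.gif"                   # benign image
    printf 'order notes\n' > "$co/note.txt"                                        # benign upload
    printf 'GIF89a;<?php /* constructed polyglot marker */ ?>\n' > "$co/photo.gif" # image + PHP polyglot
    printf '<?php /* constructed backdoor marker */ ?>\n' > "$d/pub/media/custom_options/shell.phtml"
    printf 'AddType application/x-httpd-php .gif\n' > "$d/pub/media/custom_options/.htaccess"  # re-enables PHP
    echo "$d"
}

if [ -d "${1:-}" ]; then
    find_suspicious_uploads "$1"
else
    sample=$(make_sample_tree)
    echo "Scanning constructed sample store at $sample"
    find_suspicious_uploads "$sample" || echo "-> review the files above; none of them belong under pub/media"
    rm -rf "$sample"
fi
```

Run it as `sh audit.sh /var/www/magento` against a real store root; on the constructed sample it reports the .phtml file, the polyglot .gif and the rogue .htaccess, and ignores the stock-style .htaccess that disables the PHP engine. Treat every hit as something to read, not something to auto-delete: the grep heuristics will also surface legitimate odd files, and a true backdoor means the store needs a full incident response, not just a cleanup of that one file.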

They also said that, at the time, there was no evidence of abuse in the wild, but stressed that an exploit method was “circulating already”.

That warning has since been borne out: Sansec now says attacks have hit more than half of all vulnerable stores.

“Mass exploitation of PolyShell started on March 19th, and Sansec has now found PolyShell attacks on 56.7% of all vulnerable stores,” Sansec said, without giving a raw number of targeted sites.

In some of the attacks, the threat actors deployed a previously unseen credit card skimmer. It uses Web Real-Time Communication (WebRTC) to exfiltrate the stolen data, a novel approach for this class of malware. As BleepingComputer explained, WebRTC uses DTLS-encrypted UDP rather than HTTP, making it better at evading security controls “even on sites with strict Content Security Policy (CSP) controls like ‘connect-src.’” The reason is that connect-src governs fetch, XMLHttpRequest and WebSocket requests, not WebRTC peer connections, so even a tightly scoped connect-src leaves this channel open; CSP Level 3 defines a separate ‘webrtc’ directive for it, but browser support is not universal, so it cannot be relied on alone.

The skimmer is written in JavaScript and connects to a hardcoded command-and-control (C2) server, from which it fetches a second-stage payload. It was first spotted on the ecommerce website of a carmaker valued at over $100 billion.
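Because the exfiltration channel sidesteps connect-src, the practical check on the store side is to find out which scripts use WebRTC at all. The triage helper below is an added example, not Sansec's code and not a signature for the actual skimmer: it greps built assets and media uploads for WebRTC API names and scores a file higher when the same file also references payment-form fields. It assumes a Magento 2 layout (assets under pub/static, uploads and WYSIWYG files under pub/media) and a store with no legitimate WebRTC feature; the indicator lists and the constructed sample scripts are assumptions for illustration.

```shell
#!/bin/sh
# Added triage helper for the WebRTC skimmer pattern described above; this is
# not Sansec's code and not a signature for the real malware. Assumes a
# Magento 2 layout (built assets under $ROOT/pub/static, uploads and WYSIWYG
# files under $ROOT/pub/media) and a store with no legitimate WebRTC feature,
# so a script that both opens a peer connection and reads payment fields is
# worth a look. Both indicator lists are assumptions chosen for illustration.

WEBRTC_RE='RTCPeerConnection|createDataChannel|RTCDataChannel|setRemoteDescription'
PAYMENT_RE='cc_number|card_?number|cc_cid|cvv|cvc|expir|payment'

# Print "score path" for each script that uses WebRTC APIs: score 2 when it
# also references payment-form fields, 1 when it does not, highest first.
# Exit status 1 if any score-2 file exists, else 0.
find_webrtc_skimmer_candidates() {
    root="$1"
    hits=$(find "$root/pub/static" "$root/pub/media" -type f \
              \( -iname '*.js' -o -iname '*.html' -o -iname '*.phtml' \) -print 2>/dev/null |
        while IFS= read -r f; do
            grep -qE "$WEBRTC_RE" "$f" 2>/dev/null || continue
            if grep -qiE "$PAYMENT_RE" "$f" 2>/dev/null; then
                echo "2 $f"
            else
                echo "1 $f"
            fi
        done | sort -r)
    [ -n "$hits" ] && printf '%s\n' "$hits"
    case "$hits" in
        2\ *) return 1 ;;
        *)    return 0 ;;
    esac
}

# Constructed sample store for the offline demo: a benign checkout script
# (payment fields, no WebRTC), a benign WebRTC widget (no payment fields) and
# a skimmer-like script dropped into pub/media that does both.
make_js_sample_tree() {
    d=$(mktemp -d)
    js="$d/pub/static/frontend/Vendor/theme/en_US/js"
    mkdir -p "$js" "$d/pub/media/wysiwyg"
    printf 'var n = document.querySelector("#cc_number").value;\n' > "$js/checkout.js"
    printf 'var pc = new RTCPeerConnection(cfg); pc.createDataChannel("support-chat");\n' > "$js/chat.js"
    printf 'var pc = new RTCPeerConnection(cfg); var dc = pc.createDataChannel("d");\ndc.send(document.querySelector("#cc_number").value);\n' > "$d/pub/media/wysiwyg/theme.js"
    echo "$d"
}

if [ -d "${1:-}" ]; then
    find_webrtc_skimmer_candidates "$1"
else
    sample=$(make_js_sample_tree)
    echo "Scanning constructed sample store at $sample"
    find_webrtc_skimmer_candidates "$sample" || echo "-> script combining WebRTC and payment fields found; inspect it"
    rm -rf "$sample"
fi
```

On the sample it ranks the pub/media script first with score 2, lists the chat widget with score 1, and skips the plain checkout script. On a real store expect noise from bundled libraries that happen to mention these APIs; the point is the short list of files worth opening, with anything WebRTC-related living under pub/media (where no site code belongs) at the top. A score-1 hit on a store that has no chat or video feature still deserves a look, since a skimmer need not touch the form fields in the same file that opens the channel.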

Via BleepingComputer




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
