
"Xurum" Campaign Targets E-commerce Sites Using Magento 2 Software Since Jan 2023

The ongoing attack campaign against e-commerce sites running Adobe's Magento 2 software, known as 'Xurum', has raised significant concerns in the cybersecurity community. The campaign, which has been active since January 2023, highlights the persistent threats posed to businesses operating in the digital space. The cybercriminals behind it exhibit advanced knowledge and careful targeting, demonstrating the increasing sophistication of contemporary cybersecurity threats.

The Xurum campaign operates by exploiting a critical security flaw in Adobe Commerce and Magento Open Source. Tracked as CVE-2022-24086, the vulnerability has a critical score of 9.8 on the Common Vulnerability Scoring System (CVSS). Successful exploitation of this flaw could lead to the execution of arbitrary code on a target's system. Lead researchers from Akamai claim this campaign is operated by Russian threat actors, who show an interest in extracting payment data from orders placed in the past 10 days on an infiltrated Magento store.

Furthermore, multiple websites have been observed to be infected with JavaScript-based skimmers, which are designed to harvest credit card information and transmit it to a remote attacker-controlled server. These skimmers further underline the attackers' intent to extract sensitive payment information and the severity of this ongoing campaign.

The scale of the Xurum campaign remains uncertain. Akamai observed that the CVE-2022-24086 vulnerability is used to establish initial access. The vulnerability is then used to execute malicious PHP code that gathers host information. The attack subsequently drops a web shell known as 'wso-ng', which poses as a Google Shopping Ads plugin on the victim's system.

The web shell backdoor operates covertly, activated solely when the attacker sends the 'magemojo000' cookie in an HTTP request. Following this, data pertaining to the sales order payment methods over the previous ten days is retrieved and siphoned off. The attack concludes with the generation of a rogue admin user, under the names 'mageworx' or 'mageplaza', in an attempt to pass off malicious actions as benign system activity.
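The two indicators in the paragraph above (the 'magemojo000' cookie and the 'mageworx' / 'mageplaza' admin names) can be checked for during triage. The following is an added example, not code from Akamai or from the original article; it assumes the web server logs the Cookie header as a final quoted field and that admin accounts have been exported as rows with a `username` key, and all sample data is constructed.

```python
import re

# Indicators named in the article above.
BACKDOOR_COOKIE = "magemojo000"
ROGUE_ADMIN_NAMES = {"mageworx", "mageplaza"}

# Assumed layout: combined log format with the Cookie header appended as a
# final quoted field (for example nginx "$http_cookie"). Not from the article.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

def cookie_names(header):
    """Return the set of cookie names present in a Cookie header value."""
    return {p.split("=", 1)[0].strip() for p in header.split(";") if p.strip()}

def find_backdoor_requests(lines):
    """Return (ip, timestamp, request) for requests carrying the cookie."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        # Match on the exact cookie name, not a substring of the header.
        if m and BACKDOOR_COOKIE in cookie_names(m.group("cookie")):
            hits.append((m.group("ip"), m.group("ts"), m.group("req")))
    return hits

def find_rogue_admins(admin_rows):
    """Return admin rows whose username matches a name from the article."""
    return [r for r in admin_rows
            if r["username"].strip().lower() in ROGUE_ADMIN_NAMES]

# Constructed sample data (documentation IP ranges, made-up paths and users).
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Aug/2023:10:00:01 +0000] "GET /checkout/cart/ HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0" "PHPSESSID=abc; note=magemojo0001"',
    '203.0.113.7 - - [12/Aug/2023:10:01:02 +0000] "GET /example-path.php HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0" "PHPSESSID=def; magemojo000=1"',
]
SAMPLE_ADMINS = [
    {"username": "admin", "created": "2021-03-01"},
    {"username": "Mageplaza", "created": "2023-08-12"},
]

if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print("backdoor cookie seen:", hit)
    for row in find_rogue_admins(SAMPLE_ADMINS):
        print("review admin account:", row["username"], row["created"])
```

A matching admin name is a lead to review against the account's creation date and owner, not proof of compromise on its own.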

'wso-ng' is understood to be an evolution of the WSO web shell that introduces a covert login page to pilfer credentials from victims. It also integrates with legitimate tools such as VirusTotal and SecurityTrails, which it uses to gather the infected device's IP reputation and obtain details of other domains hosted on the same server.

Online shopping platforms have been a long-standing target for a group of threats referred to as 'Magecart', infamous for injecting skimmer code into checkout pages to collect payment information entered by victims. The Xurum campaign thus underscores the persistent, evolving nature of the cyber threats facing businesses.

The meticulous planning and execution of the Xurum campaign highlight the need for sustained vigilance and dynamic cybersecurity strategies. The attackers behind this campaign have demonstrated detailed knowledge of Magento and significant investment in setting up robust attack infrastructure. They have also been shown to test their exploits on actual targets, thereby increasing the success rate of their criminal endeavors. This evolving threat landscape shows the necessity for businesses to adopt proactive and multi-faceted cybersecurity strategies.

Darksteel Technologies is an Orlando-based business that can handle all aspects of your IT security, providing compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.

