Akamai researchers have identified a new server-side template injection campaign, named Xurum, that specifically targets digital commerce websites running on Magento 2. The campaign exploits vulnerabilities in the platform and poses a significant threat to the security of these sites.
The name Xurum originates from the domain name of the attacker’s command and control (C2) server. The campaign reflects the sophistication of the techniques the attacker uses to carry it out. Further investigation found that the attacker deploys an advanced web shell known as “wso-ng”, which remains dormant until the backdoor component named “GoogleShoppingAds” receives the cookie “magemojo000”.
The exploitation of server-side template injection is a highly effective method used by cybercriminals to gain unauthorized access to websites. By manipulating the templates and injecting malicious code, attackers can potentially extract sensitive information such as customer data, login credentials, and financial details. Moreover, they can also use this control to distribute malware or launch larger-scale attacks targeting other websites and users.
The discovery of the Xurum campaign raises concerns about the vulnerabilities present in Magento 2, a widely used platform for digital commerce websites. With numerous businesses relying on Magento 2 for their online operations, the potential impact of these attacks should not be underestimated. The attackers behind Xurum have identified an opportunity to exploit these vulnerabilities and are actively taking advantage of them.
The use of the “wso-ng” web shell demonstrates the technical proficiency of the attackers. This web shell is designed to provide full control over compromised systems, allowing attackers to execute commands, upload and download files, and perform various other malicious activities. Its activation only when the cookie “magemojo000” is presented indicates both a level of sophistication and deliberate targeting by the attacker.
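The cookie-gated activation described above gives defenders a concrete thing to look for. The following is an added example, not code from Akamai or from the Magento project: it scans web-server request records for the “magemojo000” trigger cookie (matched as an exact cookie name, not a substring) and for requests touching a component named “GoogleShoppingAds”. It assumes the server logs the request path together with the raw Cookie header; the log format, the sample lines and the file paths in them are constructed for the example.

```python
import re

TRIGGER_COOKIE = "magemojo000"         # cookie that wakes the dormant wso-ng shell
BACKDOOR_MARKER = "GoogleShoppingAds"  # name of the backdoor component

# Constructed log format (assumption): client "METHOD path" status "raw Cookie header"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)


def cookie_names(raw):
    """Return the set of cookie names in a raw Cookie header ('a=1; b=2' -> {'a', 'b'})."""
    names = set()
    for part in raw.split(";"):
        name = part.split("=", 1)[0].strip()
        if name:
            names.add(name)
    return names


def inspect_line(line):
    """Return a finding dict for a suspicious request, or None for benign/unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    reasons = []
    if TRIGGER_COOKIE in cookie_names(m["cookie"]):      # exact name match
        reasons.append("trigger cookie present")
    if BACKDOOR_MARKER.lower() in m["path"].lower():     # request to the backdoor component
        reasons.append("request to backdoor component")
    if not reasons:
        return None
    return {"ip": m["ip"], "path": m["path"], "reasons": reasons}


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample records (IPs are documentation ranges; paths are hypothetical).
SAMPLE_LOG = [
    '203.0.113.5 "GET /index.php" 200 "PHPSESSID=abc; form_key=xyz"',
    '203.0.113.7 "POST /pub/media/GoogleShoppingAds.php" 200 "magemojo000=1; PHPSESSID=def"',
    '198.51.100.9 "GET /catalog/product/view/id/42" 200 "magemojo000x=1"',  # different name
    '198.51.100.9 "GET /static/frontend/app.js" 304 ""',
    '192.0.2.11 "GET /admin/GoogleShoppingAds" 404 "PHPSESSID=ghi"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Default Apache and nginx access-log formats do not record the Cookie header, so this check needs a custom log format or a WAF/reverse-proxy feed that exposes request headers.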
Akamai’s research serves as a timely warning for businesses operating on Magento 2 to enhance their security measures and be vigilant against potential attacks. It is crucial for organizations to update their Magento installations regularly, apply security patches promptly, and implement robust security protocols. Additionally, regular monitoring and auditing of website activities can help detect and mitigate any unauthorized access attempts.
The Xurum campaign highlights the evolving nature of cyber threats and the need for continuous proactive measures to protect digital commerce websites. While Magento 2 may be the current focus of these attacks, it is essential for businesses operating on any platform to prioritize security and stay informed about emerging threats.
In response to this discovery, Magento has been actively working to address the vulnerabilities exploited by the Xurum campaign. The development team is expected to release security patches and updates to safeguard the platform against such attacks. However, it remains the responsibility of businesses to implement these updates promptly and ensure their websites are adequately protected.
The Xurum campaign serves as a reminder of the ever-present cyber threats faced by digital commerce websites. As technology advances and attackers become more sophisticated, businesses must remain proactive in their security efforts. By investing in robust security measures, staying informed about emerging threats, and adhering to best practices, organizations can mitigate the risks and protect their digital assets effectively.