Hackers target PrestaShop, an open-source e-commerce platform, by exploiting a zero-day vulnerability to steal customers' payment data.
The attack appears to impact PrestaShop versions 1.6.0.10 or later and versions 1.7.8.2 or later if they run modules vulnerable to SQL injection, such as the Wishlist 2.0.0 to 2.1.0 module.
The actively exploited vulnerability is being tracked with the identifier CVE-2022-36408.
"We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability," explains the PrestaShop security advisory.
Successful exploitation of the flaw could enable an attacker to submit a specially crafted request that grants the ability to execute arbitrary instructions, injecting a fake payment form on the checkout page to gather credit card information.
To conduct the attack, hackers send a POST request to a vulnerable endpoint followed by a parameter-less GET request to the homepage that creates a "blm.php" file at the root directory.
The blm.php file appears to be a web shell that allows the threat actors to execute commands on the server remotely.
In many observed cases, the attackers used this web shell to inject a fake payment form on the shop's checkout page and steal customers' payment card details.
After the attack, the remote threat actors wiped their tracks to prevent the site owner from realizing they were breached.
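The request sequence described above (a POST to a module endpoint, then a parameter-less GET of the homepage, then use of the dropped `blm.php` file) leaves a pattern in ordinary web server access logs that a shop owner can hunt for. The following detection script is an added example, not code from PrestaShop or from the advisory; the log lines are constructed, and the IPs and the `/modules/examplemodule/ajax.php` endpoint are made-up placeholders rather than real indicators.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in Apache combined format. The client IPs,
# the module endpoint and the timestamps are made up for illustration only.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jul/2022:10:14:02 +0000] "POST /modules/examplemodule/ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jul/2022:10:14:03 +0000] "GET / HTTP/1.1" 200 18231 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jul/2022:10:14:05 +0000] "GET /blm.php HTTP/1.1" 200 93 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Jul/2022:10:15:00 +0000] "GET /index.php?controller=product&id_product=3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Jul/2022:10:15:30 +0000] "POST /index.php?controller=cart HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Jul/2022:10:16:10 +0000] "GET /index.php?controller=order HTTP/1.1" 200 22000 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, path and status code from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "method": method, "path": path, "status": int(status)}

def find_suspicious(log_text, window_seconds=30):
    """Return (ip, reason, path) findings: a POST followed within the window by a
    parameter-less GET of the homepage from the same client, and any request
    for /blm.php, the file name reported for the dropped web shell."""
    findings = []
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["when"])
        for i, r in enumerate(recs):
            if r["path"].split("?")[0] == "/blm.php":
                findings.append((ip, "webshell_request", r["path"]))
            if r["method"] != "POST":
                continue
            for nxt in recs[i + 1:]:
                if (nxt["when"] - r["when"]).total_seconds() > window_seconds:
                    break
                if nxt["method"] == "GET" and nxt["path"] == "/":
                    findings.append((ip, "post_then_bare_get", r["path"]))
                    break
    return findings
```

A hit on the POST-then-bare-GET pattern alone is only a lead (normal shoppers also post forms and return to the homepage), so pair it with a check for an unexpected `blm.php` in the document root and for modified checkout templates.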
Users are advised to update their modules to the latest version. Since attackers might be using MySQL Smarty cache storage features, users are advised to manually disable this feature in PrestaShop’s code.