A critical security flaw was identified in March, affecting Magento 2.x eCommerce stores. Hackers were exploiting it within 16 hours of its release! The number of affected and compromised Magento 2.x stores has spiked by 200% in recent weeks, see graph below:
Image Source: https://sansec.io/labs/2019/05/10/magento-2-hacks/
Note: Graph shows stats through 6/12/2019, as more data becomes available we will be sure to provide updated stats.
First Severe Flaw to Impact Magento 2.x Stores:
Magento 2 stores are largely operated by larger, more advanced eCommerce organizations ($10-50M) than its predecessor's were, so it is quite surprising to see the sharp increase in Magento 2 stores falling victim to hackers, and more specifically to credit card thieves, in recent weeks. In March, the security firm “Ambionics” released sample exploit code (80% functional) within days of Magento issuing an emergency security patch. The Magento community was less than pleased with Ambionics' publication, as any experienced programmer would need very little effort to render the provided code functional! Members of the Magento community were quick to speak out; see below for an excerpt from Twitter:
Tomorrow, #Magento releases a patch for an unauthenticated #SQLi and #RCE we reported a few months ago. We’ll describe the vulnerabilities, and how they can be exploited, in our next blog post. Patch your systems! pic.twitter.com/aGnZ2m4Zbu
— Ambionics Security (@ambionics) March 25, 2019
How the attack works:
The observed attack consists of two stages. The first is a “blind SQL injection” in which attackers enumerate the admin_user table using a large number of requests (50 to 100K). This table contains the hashed (unreadable) passwords. However, with sufficient computing power, it is possible to crack the hashes and recover the original passwords. Subsequently, after only a few short days, the hackers own one or more of the admin logins. Stage two is designed to locate the Magento admin dashboard and simply log in. Typically, Magento uses a random URL for the backend panel; however, another identified flaw in Magento is that this URL is not “hidden well” and is exposed in the course of this attack. This issue was reported on the Magento GitHub repository and quickly removed by Adobe staff, though not quickly enough: the vulnerability spread rapidly, and hackers have been exploiting it for months!
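The stage-one enumeration described above leaves an obvious footprint: tens of thousands of requests from one client in a short time. The following detector is an added example (not code from the original post or from Magento) that reads web-server access log lines in the common Apache/Nginx combined format, keeps a per-client sliding window, and reports clients whose request rate crosses a threshold. The log lines, window length and threshold are constructed assumptions for illustration; a real blind-SQLi run is far larger than the sample, so the threshold here is deliberately low.

```python
"""Added example (not from the original post): flag request bursts from a
single client that match the volume signature of blind-SQLi enumeration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" style access log: ip ident user [ts] "req" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_bursts(lines, window_seconds=60, threshold=50):
    """Return {ip: peak_count} for every client whose request count inside any
    window_seconds-long window reached `threshold`. Lines are assumed to be in
    time order, as they are in a log file."""
    windows = defaultdict(deque)  # per-client timestamps inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return {ip: count for ip, count in peaks.items() if count >= threshold}


def constructed_sample():
    """Constructed sample log: one client issuing 60 requests in 30 seconds
    (two per second), plus a normal shopper issuing three page views."""
    base = datetime(2019, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):
        ts = (base + timedelta(seconds=i // 2)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /some/path?id={i} HTTP/1.1" 200 512')
    for i in range(3):
        ts = (base + timedelta(seconds=i * 10)).strftime(TS_FMT)
        lines.append(f'198.51.100.4 - - [{ts}] "GET /catalog/category/view/id/3 HTTP/1.1" 200 9800')
    return lines


if __name__ == "__main__":
    for ip, peak in find_bursts(constructed_sample()).items():
        print(f"{ip}: {peak} requests inside one window, review this client")
```

In production the window and threshold should be tuned against the store's normal traffic, and the flagged clients are a starting point for review (rate limiting at the edge, checking which paths they hit, correlating with admin logins), not an automatic block list.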
Two Hacking Groups are Mainly Responsible:
According to Sanguine Security, there are 2 main hacking groups responsible for 90% of the alarming increase in the compromised Magento stores. June has been the most volatile month since this vulnerability has been identified.
What Magento 2.x Merchants Can Do:
Magento store merchants are strictly advised to implement emergency security measures, even if they are already up to date with security patches. Please see below for top-level recommendations and immediate actions that can be taken to insulate your M2 store from this malicious attack:
- Change all admin passwords, even if you have all updated security patches installed. Keep computer-generated complex passwords (10-12 characters) to ensure they will not be easily compromised.
- Your Magento 2.x stores should be updated with all the latest security patches.
- The latest versions will help. Update Magento to 2.3.1, 2.2.8 or 2.1.17 (the fixed release for your 2.x branch), which contain the fix for this security flaw.
- Perform a code audit for any malicious/unauthorized coding or algorithm.
- Continuously keep your site supervised at all times and maintained by a team of certified Magento developers so that you can be alerted to and quickly remedy any breach in your M2 store.
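Two of the recommendations above can be checked mechanically: whether an installed version is at or past the fixed release for its branch, and whether a replacement admin password is computer-generated and in the recommended length range. The script below is an added example (not code from the original post or from Magento); the fixed versions come from the post, while the password policy it enforces (a mix of character classes) and the version strings it is fed are assumptions for illustration.

```python
"""Added example (not from the original post or Magento): version check
against the fixed releases named in the post, plus a generated admin password."""
import secrets
import string

# Lowest release on each 2.x branch that carries the fix, as stated in the post.
FIXED_VERSIONS = {(2, 1): (2, 1, 17), (2, 2): (2, 2, 8), (2, 3): (2, 3, 1)}


def parse_version(version):
    """Turn '2.2.7' or '2.3.1-p1' into a comparable (major, minor, patch) tuple."""
    core = version.split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected Magento version format: {version!r}")
    return parts


def is_patched(version):
    """True if `version` is at or above the fixed release on its branch.
    Branches newer than any listed postdate the fix and are treated as patched;
    older unlisted branches predate it and are reported as unpatched."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return v[:2] > max(FIXED_VERSIONS)
    return v >= fixed


def password_meets_policy(pw):
    """Assumed policy: 10-12 characters with lower, upper, digit and symbol."""
    return (
        10 <= len(pw) <= 12
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def generate_admin_password(length=12):
    """Computer-generated password using the OS CSPRNG via `secrets`."""
    if not 10 <= length <= 12:
        raise ValueError("post recommends 10-12 character passwords")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:  # rejection sampling until every character class is present
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_meets_policy(pw):
            return pw


if __name__ == "__main__":
    for sample in ("2.1.16", "2.1.17", "2.2.7", "2.2.8", "2.3.0", "2.3.1-p1"):
        state = "patched" if is_patched(sample) else "UNPATCHED, upgrade now"
        print(f"Magento {sample}: {state}")
    print("new admin password:", generate_admin_password())
```

Run it with the version reported by `php bin/magento --version` on the store; any line marked unpatched means the upgrade in the list above is overdue, and every admin account still gets a freshly generated password regardless of the result.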
If you need any help with the above points or with keeping your store up to date, our Magento Security and Maintenance experts can help you. Contact us now.