Supply-chain attack lies dormant for six years before striking hundreds of e-commerce sites

Facepalm: Supply chain attacks can remain dormant for extended periods before striking their target, but they typically don’t take years to achieve their objectives. However, a recently uncovered attack managed to stay undetected for a record-breaking length of time.

At least three vendors of e-commerce software tools were compromised in a coordinated supply chain attack dating back at least six years. According to security firm Sansec, the unknown attackers injected a dangerous backdoor into the vendors’ products, only taking control of third-party e-commerce servers a few days ago.

The backdoor ultimately infected hundreds of e-commerce websites, with Sansec estimating between 500 and 1,000 total victims. The affected sites include both small businesses and large enterprises – including one $40 billion multinational corporation that Sansec declined to identify.

The compromised vendors offer extensions for Magento, the open-source e-commerce platform acquired by Adobe several years ago. Sansec reported that servers belonging to Tigren, Magesolution, and Meetanshi were breached, with the attackers injecting backdoors into their download systems.

Analysts also discovered a tampered version of the Weltpixel GoogleTagManager add-on. However, it’s still unclear whether Weltpixel’s systems were directly compromised or if only end-user e-commerce stores were affected.

Sansec described supply-chain attacks as one of the most severe threats facing online systems. After compromising the vendors’ servers, the cybercriminals gained access not only to the vendors’ customers, but also – by extension – to all end users visiting the affected e-commerce stores. Once activated, the backdoor executed its malicious payload in users’ browsers, stealing payment information in a manner reminiscent of a typical Magecart attack.

The security firm has published instructions to help website operators determine whether their e-commerce platforms have been compromised by this new supply-chain campaign. One key indicator is a PHP function that attempts to load a file named “$licenseFile”, which initiates a chain of execution ultimately leading to the injection of malicious PHP code.
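As an added illustration (not Sansec's published check and not any vendor's code), the following Python script walks a Magento code tree and lists every PHP line that names `$licenseFile`, marking the lines that also call a file loader so an operator can triage them first; the loader-call pattern and the sample files are assumptions constructed for the demo.

```python
import re, sys, tempfile
from pathlib import Path

# Page-stated indicator: a PHP function that tries to load a file named "$licenseFile". How the
# load is spelled is an assumption (include/require-style calls); flags are for manual review.
LOAD_RE = re.compile(
    r"\b(?:include(?:_once)?|require(?:_once)?|file_get_contents|readfile|fopen|eval)\b", re.I)

def scan_php_source(source: str, path: str = "<string>") -> list[dict]:
    # Report every line naming $licenseFile; "load" when a loader call sits on the same line.
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if "$licensefile" in line.lower():
            kind = "load" if LOAD_RE.search(line) else "reference"
            findings.append({"path": path, "line": lineno, "kind": kind, "text": line.strip()})
    return findings

def scan_tree(root: Path) -> list[dict]:
    # Walk a store's code tree (e.g. app/code) and scan every .php file; unreadable files skipped.
    findings = []
    for php in sorted(root.rglob("*.php")):
        try:
            findings.extend(scan_php_source(php.read_text(errors="replace"), str(php)))
        except OSError:
            continue
    return findings

# Constructed samples so this runs offline; neither is the real backdoor nor any vendor's code.
SUSPECT_SAMPLE = """<?php
function checkLicense($dir) {
    $licenseFile = $dir . '/license.dat';
    if (file_exists($licenseFile)) {
        include $licenseFile;   // whatever the "license" file holds now executes as PHP
    }
}
"""
CLEAN_SAMPLE = "<?php\nfunction render() { return 'ok'; }\n"

def demo_scan() -> list[dict]:
    # Write the samples into a throwaway Magento-style tree and scan it like a real install.
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "app" / "code" / "Vendor" / "Module"
        ext.mkdir(parents=True)
        (ext / "License.php").write_text(SUSPECT_SAMPLE)
        (ext / "Helper.php").write_text(CLEAN_SAMPLE)
        return scan_tree(Path(tmp))

if __name__ == "__main__":
    for f in scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else demo_scan():
        print(f"{f['kind']:9} {f['path']}:{f['line']}: {f['text']}")
```

Run it with the store's code directory as the first argument to scan a real install; with no argument it scans the constructed samples. A "load" hit is a starting point for review, not proof of compromise.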

Sansec said it attempted to alert the affected add-on vendors. Despite the warning, both Tigren and Magesolution reportedly continued distributing the compromised versions of their tools. Meetanshi, on the other hand, acknowledged the breach, but none of the companies provided further comment or answered follow-up questions. As Sansec noted, that’s hardly reassuring behavior from vendors claiming to offer solutions to “help online stores succeed” in the competitive world of e-commerce.
