Backdoored Magento Extensions Impact Multiple Online Stores

Hey there, fellow online shoppers! Have you heard about the latest wave of malware attacks targeting Magento stores? It seems that malicious actors have been using backdoored extensions to infect various e-commerce sites in a supply-chain attack.

Watch Out for Backdoored Magento Extensions

A recent investigation by security experts at Sansec has uncovered a troubling campaign aimed at online stores through infected Magento extensions. They identified multiple backdoored extensions spreading malware across numerous Magento-based e-commerce sites.

The researchers identified 21 different apps carrying the same backdoor, indicating a coordinated effort behind this threat.

Interestingly, the infected extensions were not recently compromised. Sansec found evidence suggesting that these extensions were backdoored around 6 years ago. The malware remained dormant until it was activated recently, which points to a sophisticated supply-chain attack targeting specific vendors and their customers.

Sansec has disclosed a list of affected extensions associated with three vendors: Tigren, Meetanshi, and MGS. These backdoored extensions were introduced online between 2019 and 2022. The attackers likely breached the vendors’ servers to inject the malware into the extensions. The malicious code remained inactive until recently, affecting hundreds of online stores, including a major multinational retailer worth $40 billion.

Upon discovering this threat, Sansec notified the vendors. However, MGS and Tigren have not yet removed the infected extensions. Meetanshi acknowledged a server breach but denied any software tampering.

In addition to these vendors, a tainted version of the Weltpixel GoogleTagManager extension was also identified. The researchers are investigating whether the malware originated from the vendor or the affected stores.

Protect Your Store with These Remedies

Sansec has detailed the backdoor infection in their report. The malware is hidden in files named License.php or LicenseApi.php, posing as a fake license check. Removing these files can eliminate the backdoor from your e-store.

Be cautious of the adminLoadLicense function, which can execute malicious code from $licenseFile, a file the attacker controls through the adminUploadLicense function.

To stay safe, make sure to delete any fake license files and exercise caution when dealing with software from the mentioned vendors.
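To help with the clean-up above, here is an added example (not Sansec's or any vendor's code) that walks a Magento code base and flags PHP files matching the indicators the report names: the License.php / LicenseApi.php file names and the adminLoadLicense / adminUploadLicense functions. It assumes those names alone are the indicators, so treat any hit as a lead to review by hand rather than proof of infection; the sample tree it builds is constructed for the demo.

```python
#!/usr/bin/env python3
"""Scan a Magento code base for the fake-licence backdoor indicators named in
the Sansec report. Added example, not Sansec's tooling; the sample tree is constructed."""
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: file names the backdoor hides in, and the
# two functions that upload and then load the attacker-controlled licence file.
SUSPECT_NAMES = {"License.php", "LicenseApi.php"}
FUNC_RE = re.compile(r"\bfunction\s+(adminLoadLicense|adminUploadLicense)\b")


def scan_tree(root):
    """Return sorted (relative_path, reasons) pairs for PHP files matching an indicator."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        reasons = []
        if path.name in SUSPECT_NAMES:
            reasons.append("suspect file name")
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        found = sorted(set(FUNC_RE.findall(text)))
        if found:
            reasons.append("defines " + ", ".join(found))
        if reasons:
            hits.append((path.relative_to(root).as_posix(), reasons))
    return sorted(hits)


def build_sample_tree():
    """Constructed Magento-like tree: one clean module and one carrying the markers."""
    root = Path(tempfile.mkdtemp(prefix="magento-scan-"))
    clean = root / "app/code/Acme/Clean/Helper"
    suspect = root / "app/code/Acme/Suspect/Helper"
    clean.mkdir(parents=True)
    suspect.mkdir(parents=True)
    (clean / "Data.php").write_text("<?php\nclass Data { public function version() { return '1.0'; } }\n")
    # Constructed stand-in for the fake licence check: only the names matter to the scanner.
    (suspect / "License.php").write_text(
        "<?php\nclass License {\n"
        "  public function adminUploadLicense() { /* stores $licenseFile */ }\n"
        "  public function adminLoadLicense() { /* reads $licenseFile */ }\n}\n")
    return root


if __name__ == "__main__":
    for rel, why in scan_tree(build_sample_tree()):
        print(f"{rel}: {'; '.join(why)}")
```

Point scan_tree at the store's document root (for example the app/code and vendor directories) and review every reported file against a pristine copy of the extension.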

We’d love to hear your thoughts on this issue. Share your comments below!
