Low hanging ‘Forbidden’ fruits: Post-compromise tool targets unguarded Magento flank


Newly discovered utility provides way to plant backdoors in e-commerce back end systems


Security researchers have discovered a post-compromise tool that enables attackers to view orders, gain administrative access, and create additional backdoors on Magento-powered websites.

Called ‘Forbidden’, the tool is also effective at concealing telltale indicators of compromise, according to a blog post by web security company Sucuri.

Forbidden can be used in both Magento 1 and Magento 2 environments, the older of which reached its end of life on June 30.

Luke Leal, a malware researcher at Sucuri, said malicious hackers have been busy developing post-compromise tools in the knowledge that “websites are straggling with their Magento migrations”.


A recent scan of around 240,000 Magento merchants around the world by cybersecurity firm Foregenix found that nearly 200,000 e-commerce websites have yet to migrate to Magento 2.

Published on August 24, the scan results (PDF) also revealed that 94% of Magento 1 installations, and 46% of Magento 2 builds, have either already been hacked or pose a ‘high’ risk of being compromised because of unaddressed security shortcomings.

Malicious functions

Forbidden “allows an attacker to quickly perform a number of malicious functions including adding an admin user, modifying existing users, viewing orders, dumping the website’s configuration data, and removing itself once the attacker is finished with it,” explains Leal.

The dump function allows the attacker to rapidly acquire the configuration file and database configuration information such as admin username, email address, and the password hash. Attackers can also access the encryption key used by Magento for encrypting data like the admin user password.

“It’s in an attacker’s best interest to maintain unauthorized access to the site’s environment for as long as possible, and backdoor tools such as these help them exploit a website’s resources, evade detection, and conceal indicators of compromise,” says Leal.

“This tool also facilitates the creation of malicious users, essentially creating other backdoors on the website’s environment.”

A proactive approach to security is imperative, says Leal, given the difficulty of handling the fallout of a Forbidden-enabled system compromise.

“Finding and removing website backdoors is not an easy task,” he explains. “The best way to mitigate risk of having a backdoor planted in your Magento environment is to harden your environment to protect against compromise in the first place.”

Rich pickings

Of the Magento websites scanned by Foregenix, 271 sites were infected with malicious code loaders, while 167 had payment card skimmer malware installed. Of those infected by card harvesting malware, 79.9% were running Magento 1 and 20.1% were powered by Magento 2.

At current migration rates, attackers will have plenty of Magento 1 sites to target for some time to come. The Daily Swig reported on July 15 that around 201,000 environments were still running Magento 1, only marginally down from 206,000 on May 27.

The malicious code deployed by Forbidden differs depending on the release line installed.

Optimizing attacks to the relevant version “is especially important when Forbidden needs to run SQL queries on the Magento database – for example, when adding a malicious admin user the tool uses an if/else statement based on the value of $isM2 (whether it’s Magento 1 or 2),” says Leal.

The tool determines which Magento version a website is running by checking the Magento configuration file.
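Defenders can turn the same release-line awareness into an audit: determine whether an install is Magento 1 or 2 from which configuration file it carries, then flag admin accounts that were not on the known-good list or appeared after the last review. The script below is an added example written for this article, not Sucuri's code or the Forbidden tool; the config paths (app/etc/local.xml for Magento 1, app/etc/env.php for Magento 2), the admin_user export format and all sample rows are assumptions and constructed data.

```python
"""Version-aware audit of Magento admin accounts (added defender-side example)."""
import os
from datetime import datetime

# Config files the two release lines carry (assumed paths; a version probe
# looks for the same files, so this is also what to keep unreadable to the web).
M1_CONFIG = os.path.join("app", "etc", "local.xml")
M2_CONFIG = os.path.join("app", "etc", "env.php")


def detect_release_line(docroot):
    """Return '2' or '1' depending on which config file exists under docroot, else None."""
    if os.path.isfile(os.path.join(docroot, M2_CONFIG)):
        return "2"
    if os.path.isfile(os.path.join(docroot, M1_CONFIG)):
        return "1"
    return None


def unexpected_admins(rows, allowlist, baseline):
    """Flag admin_user rows that are not allowlisted or were created after the last audit.

    rows: dicts with 'username', 'email' and 'created' ('YYYY-MM-DD HH:MM:SS'),
    as exported from the admin_user table (assumed export format).
    Returns a list of (username, reason) tuples in row order.
    """
    findings = []
    for row in rows:
        created = datetime.strptime(row["created"], "%Y-%m-%d %H:%M:%S")
        if row["username"] not in allowlist:
            findings.append((row["username"], "not in allowlist"))
        elif created > baseline:
            findings.append((row["username"], "created after baseline"))
    return findings


# Constructed sample export: 'backup' mimics a planted account, 'ops' a known
# account whose creation date postdates the last review and so needs a second look.
SAMPLE_ROWS = [
    {"username": "storeadmin", "email": "admin@example.test", "created": "2019-03-01 10:00:00"},
    {"username": "ops", "email": "ops@example.test", "created": "2020-08-20 09:00:00"},
    {"username": "backup", "email": "x@example.test", "created": "2020-08-21 03:12:45"},
]
ALLOWLIST = {"storeadmin", "ops"}
BASELINE = datetime(2020, 8, 1)

if __name__ == "__main__":
    print("release line:", detect_release_line("."))
    for user, reason in unexpected_admins(SAMPLE_ROWS, ALLOWLIST, BASELINE):
        print(f"{user}: {reason}")
```

Run it against a real export only after comparing the allowlist with the accounts your team actually provisioned; a planted account with an innocuous name is exactly what the allowlist check is for.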

The Daily Swig has contacted Sucuri for further comment and will update the article if and when we hear back.
