Hackers exploit a 0-day vulnerability in the open-source e-commerce platform PrestaShop and introduce web skimmers to websites designed to steal sensitive information.
Last Friday, the PrestaShop team issued an urgent warning, urging the administrators of the approximately 300,000 stores using the software to be more vigilant about security as attacks were discovered targeting the platform.
Let me remind you that we also wrote that New web skimmer found in Shopify, BigCommerce, Woocommerce and Zencart stores, and also that Dutch shops run out of cheese due to a ransomware attack.
Apparently, the attacks affected PrestaShop version 126.96.36.199 or later, as well as version 188.8.131.52 or later, but only when running a module vulnerable to SQL injection, for example, Wishlist 2.0.0-2.1.0.
Typically, such attacks start with the hackers sending a POST request to the vulnerable endpoint, followed by a parameterless GET request to the home page, which creates a blm.php file in the root directory. This file is a web shell and allows attackers to remotely execute commands on the server.
In many cases, attackers have been known to use this web shell to inject a fake payment form into the checkout page (web skimmer) and steal customer payment card details. After the attack, the hackers covered their tracks so that the site owner would not realize that the resource had been hacked.
PrestaShop developers say that traces of a compromise can still be found if hackers are not too zealous in destroying evidence. For example, traces of criminals can be found in the web server access logs, file modifications to add malicious code can be seen, as well as the activation of the MySQL Smarty cache, which is part of the attack chain. This feature is disabled by default, but the researchers say the hackers turned it on themselves and recommend removing it altogether if it’s not needed.
All store administrators are advised to install the latest security update (PrestaShop version 184.108.40.206) as soon as possible, as well as they should update all modules used to the latest versions.
At the same time, PrestaShop maintainers emphasize that they discovered and fixed a zero-day vulnerability in the new version, but they “cannot be sure that this is the only way to carry out attacks.” The discovered vulnerability received the identifier CVE-2022-36408.