Threat actors are exploiting a zero-day vulnerability to perform code execution and potentially steal payment information from websites using the open source e-commerce platform PrestaShop.
The PrestaShop team issued an urgent warning urging the admins of 300,000 shops using its software to review their security policy after discovering the cyberattacks targeting the platform.
The attack affects PrestaShop versions 22.214.171.124 or later and versions 126.96.36.199 or later if they run modules vulnerable to SQL injection, such as the Wishlist 2.0.0 to 2.1.0 module.
The actively exploited vulnerability is tracked as CVE-2022-36408.
The threat actor begins the attack by targeting a module or an older platform version vulnerable to SQL injection exploits.
PrestaShop’s team has not yet determined exactly where these flaws exist and warned that the compromise might also originate in a third-party component.
To conduct the attack, hackers send a POST request to a vulnerable endpoint followed by a parameter-less GET request to the homepage that creates a “blm.php” file at the root directory.
The blm.php file appears to be a web shell that allows the threat actors to execute commands on the server remotely.
The attackers used this web shell to inject a fake payment form on the shop’s checkout page and steal customers’ payment card details.
After the attack, the remote threat actors wiped their tracks to prevent the site owner from realizing they were breached.
If the attackers did not clean up the evidence, administrators of compromised sites may find signs of the intrusion in the web server’s access logs.
Other signs of compromise include file modifications to append malicious code and the activation of the MySQL Smarty cache storage, which serves as part of the attack chain.
This feature is disabled by default, but PrestaShop has seen evidence of the attackers enabling it themselves, so it is recommended to remove it if it is not needed.
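The two access-log indicators described above (a POST to a vulnerable endpoint followed by a parameter-less GET to the homepage, and any request for the dropped `blm.php` file) can be checked mechanically. The following is an added example written for this article, not code from PrestaShop or from its advisory; it parses Combined Log Format lines and flags both patterns. The log lines, client IPs and the `/modules/example-module/ajax.php` endpoint are constructed for the example, and the 10-second pairing window is an assumption chosen here, not a value from the advisory.

```python
import re
from datetime import datetime

# Combined Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

WEBSHELL_NAME = "blm.php"   # file name reported in the PrestaShop advisory
WINDOW_SECONDS = 10         # assumed pairing window; not specified by the advisory

# Constructed sample log (placeholder IPs and a hypothetical module endpoint).
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jul/2022:10:01:02 +0000] "POST /modules/example-module/ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Jul/2022:10:01:03 +0000] "GET / HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Jul/2022:10:01:05 +0000] "GET /blm.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2022:10:02:00 +0000] "GET /index.php?id_product=3&controller=product HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2022:10:02:10 +0000] "POST /index.php?controller=cart HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2022:10:02:12 +0000] "GET /?fc=module HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
    }


def find_indicators(log_text, window=WINDOW_SECONDS):
    """Scan access-log text and return a list of (indicator, ip, detail) tuples."""
    findings = []
    last_post = {}  # ip -> (timestamp, path) of that client's most recent POST
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue

        # Indicator 1: any request (GET or POST) for the dropped web shell file.
        if rec["path"].rstrip("/").endswith("/" + WEBSHELL_NAME):
            findings.append(("webshell_request", rec["ip"], rec["path"]))

        if rec["method"] == "POST":
            last_post[rec["ip"]] = (rec["ts"], rec["path"])
            continue

        # Indicator 2: parameter-less GET to "/" shortly after a POST from the same IP.
        if rec["method"] == "GET" and rec["path"] == "/" and not rec["query"]:
            prev = last_post.get(rec["ip"])
            if prev and 0 <= (rec["ts"] - prev[0]).total_seconds() <= window:
                findings.append(("post_then_homepage_get", rec["ip"], prev[1]))
    return findings


if __name__ == "__main__":
    for indicator, ip, detail in find_indicators(SAMPLE_LOG):
        print(f"{indicator}: client={ip} detail={detail}")
```

The second client in the sample is deliberately benign: its POST is followed by a GET to the homepage, but that GET carries a query string, so it is not paired. A clean run of this scan over real logs is not evidence of a clean site, because the article notes the attackers wiped their tracks; it should be combined with the file-modification and Smarty cache checks the advisory describes.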
It is also highly recommended that users upgrade all modules in use to the latest available version and apply the PrestaShop security update just released, version 188.8.131.52.
It is also important to note that if your site has already been compromised, applying the security update won’t remediate the problem.