Warning: Magento Online Store Buyers, Beware of CVE-2024-20720

Russia's Prosecutor General's Office has filed charges against several cybercriminals who exploited a critical vulnerability in the popular Magento e-commerce platform. The bug, designated CVE-2024-20720, allowed them to install a backdoor on online stores' websites and steal buyers' financial information.

CVE-2024-20720 is considered a very serious threat, rated 9.1 out of 10 on the CVSS scale. Adobe, the developer of Magento, has stated that the issue stems from “incorrect processing of special elements” and can result in the execution of arbitrary code on the server.

Although Adobe addressed the defect in updates released on February 13, 2024, cybercriminals managed to craft a sophisticated malicious page layout that automatically planted a backdoor in the store's database.

“Attackers are using Magento layouts along with the Beberlei/Assert library (set by default) to execute system commands,” Sansec stated in their report. “Since this malicious layout is connected to a shopping cart, the malicious script is triggered for each contact page/Checkout/Cart.”

The hackers used the sed command to insert the backdoor, which in turn loaded a malicious module for harvesting payment data – the so-called Strip Payment Skimmer.
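A defender-side check suggested by the Sansec findings quoted above, added here as an example and not taken from Sansec's report or from Magento's own code: it scans stored layout XML for the two indicators the report names, the Beberlei/Assert library and a sed rewrite, plus generic PHP command-execution and obfuscation strings, and weights hits on cart, checkout and contact page handles higher because that is where the report says the malicious layout was bound. The assumption that such layouts live in Magento's layout_update table (handle plus xml columns), the handle names, and the two sample rows are all constructed for this example.

```python
import re
from typing import Dict, List

# Heuristic indicators drawn from the facts reported above: layout XML combined
# with the Beberlei/Assert library to run system commands, and the sed command
# used to write the backdoor. These are detection hints for a store operator,
# not a description of how the vulnerability itself is triggered.
INDICATORS: Dict[str, re.Pattern] = {
    "assert_library": re.compile(r"Beberlei\\Assert|Assert\\Assertion|Assertion::", re.I),
    "sed_rewrite":    re.compile(r"\bsed\b[^\n]{0,40}['\"]s[/|#]", re.I),
    "php_exec":       re.compile(r"\b(system|shell_exec|exec|passthru|popen)\s*\(", re.I),
    "obfuscation":    re.compile(r"base64_decode|gzinflate|eval\s*\(", re.I),
}

# Layout handles for the pages the report names (cart, checkout, contact) plus the
# global "default" handle. Assumed to be standard Magento 2 handle names; a hit on
# one of these is weighted higher because a skimmer must run where card data is entered.
HIGH_VALUE_HANDLES = {
    "default", "checkout_cart_index", "checkout_index_index", "contact_index_index",
}


def scan_layout(handle: str, xml: str) -> Dict[str, object]:
    """Score one layout row (handle + xml text) against the indicator list."""
    hits = sorted(name for name, pat in INDICATORS.items() if pat.search(xml))
    score = len(hits) * 2 + (1 if hits and handle in HIGH_VALUE_HANDLES else 0)
    return {"handle": handle, "indicators": hits, "score": score,
            "suspicious": bool(hits)}


def scan_rows(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Scan exported rows and return only the suspicious ones, highest score first."""
    findings = [scan_layout(r["handle"], r["xml"]) for r in rows]
    return sorted((f for f in findings if f["suspicious"]),
                  key=lambda f: f["score"], reverse=True)


# Constructed sample rows standing in for an export such as
# "SELECT handle, xml FROM layout_update" (assumed table and column names).
SAMPLE_ROWS = [
    # A benign customisation: an ordinary template block on the cart page.
    {"handle": "checkout_cart_index",
     "xml": """<layout><referenceContainer name="content">
  <block class="Magento\\Framework\\View\\Element\\Template" name="promo.banner"
         template="Vendor_Module::banner.phtml"/>
</referenceContainer></layout>"""},
    # A constructed suspicious row: library reference plus a sed rewrite embedded
    # in a layout argument. Placeholders replace any real payload text.
    {"handle": "checkout_index_index",
     "xml": """<layout><block name="x"><argument name="y" xsi:type="string">
  Beberlei\\Assert\\Assertion PLACEHOLDER sed -i 's/PLACEHOLDER/PLACEHOLDER/' PLACEHOLDER_FILE
</argument></block></layout>"""},
]


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(f"[score {finding['score']}] handle={finding['handle']} "
              f"indicators={', '.join(finding['indicators'])}")
```

Run against a real export, the script is only a triage aid: a flagged row still has to be read by a person, and a clean run does not prove the store is unaffected, since the stored layout is only one of the places the report says the attackers touched (the backdoor written by sed lives in files, not in the database).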

The authorities have identified six members of the group responsible for this campaign: Denis Primachenko, Alexander Aseev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev. Starting in late 2017, these hackers used skimming software to steal bank card and payment data from foreign platforms.

“The members of the hacker group illegally obtained information from nearly 160 thousand payment cards belonging to foreign citizens, which they then sold through dark web sites,” reported the General Prosecutor’s Office of the Russian Federation.
