
Unpatched Magento systems face renewed TrojanOrder threat


Magento, a widely used eCommerce platform, has faced numerous security challenges over the years. Among these, the TrojanOrder exploit, originally identified in early 2022 as CVE-2022-24086, continues to be a significant concern for merchants and developers. Despite Magento's efforts to patch this vulnerability, recent reports suggest that some versions of Magento still remain vulnerable to this attack, posing a persistent risk to eCommerce operations.


The nature of the TrojanOrder exploit

The TrojanOrder exploit is a sophisticated attack that leverages a vulnerability in Magento’s template system. This vulnerability allows an attacker to inject malicious code into specific fields within the Magento platform, such as customer names or addresses. By doing so, attackers can execute code on the server, potentially gaining control over the entire website. The exploit typically begins with the creation of a fake order, where the attacker inputs code instead of legitimate customer details.


One of the key strategies employed by attackers is targeting payment methods that do not involve immediate online verification, such as checks or money orders. This allows them to bypass initial security measures, including those implemented by payment gateways like PayPal or Braintree, which would otherwise block such fraudulent activities.


Vulnerability in newer versions

While the CVE-2022-24086 vulnerability was addressed by Magento in 2022, there have been recent reports of similar attacks occurring on newer versions of the platform. Specifically, developers have observed that certain versions, such as Magento 2.4.6-p2, still experience these issues. This raises concerns that the patches may not have been fully effective, or that new attack vectors exploiting similar vulnerabilities have emerged.


In these recent cases, attackers have managed to upload files to the server, including scripts such as pdo.php, web_system.php, and cron_check.php. These files are typically used to establish a backdoor into the system, allowing attackers to maintain access even after security patches are applied. Such persistence highlights the need for ongoing vigilance and comprehensive security measures.


The growing threat landscape

The rise of TrojanOrder attacks in late 2022 was attributed to multiple factors. One significant driver was the availability of exploit kits on hacking forums. These kits enable less sophisticated attackers to execute these exploits with relative ease. As a result, the number of attacks has increased, with at least seven distinct Magecart groups identified as actively exploiting this vulnerability.


Moreover, the timing of these attacks is crucial. The holiday shopping season, particularly in November, is a prime time for eCommerce attacks. During this period, many online stores are focused on sales and scaling up operations, leaving less attention for security patches and upgrades. The high volume of transactions also makes it easier for attackers to slip through unnoticed.


How to identify if your Magento store has been attacked

In most cases, attacks using the TrojanOrder exploit have several telltale signs you can check to determine if your store has been targeted:


  1. Suspicious customer orders

One of the most common indicators of a TrojanOrder attack is the presence of unusual customer orders. These orders may include:


  • Weird or nonsensical customer names: Instead of regular customer details, you might find strange code snippets or system commands in the name, address, or other fields.
  • Invalid addresses: Addresses filled with random data or code injections, such as {{ var this.getTemplateFilter().filter($order.shipping_address.city) }} or similar strings.

  2. Unexpected new files on your server

Attackers often upload malicious files to your server as part of their exploit. You should regularly check for unfamiliar or suspicious files, especially in directories like the pub folder. Some of the files commonly associated with these attacks include:

  • pdo.php
  • web_system.php
  • cron_check.php

These files may allow attackers to maintain access to your site even after the vulnerability has been patched.


  3. New and unfamiliar admin users

After a successful attack, the intruder might create new admin users to gain persistent access to your store’s backend. Regularly audit your admin user list for any accounts you don’t recognize or didn’t create.
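The first two checks above (template directives in order fields, and unexpected PHP files under pub) can be automated. The following Python script is an added example, not code from the article or from Magento: it scans a list of order records for the {{directive syntax that the quoted city string uses, and walks a pub/ directory for the three filenames named above plus any PHP file modified recently. The order records and the pub/ tree it inspects are constructed sample data; on a real store you would feed it an export of sales_order_address rows and point it at the actual pub/ directory.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Matches the opener of a Magento template directive, e.g. "{{var ..." or "{{ block ...".
# Real customer names and addresses never contain this syntax.
DIRECTIVE_RE = re.compile(r"\{\{\s*[A-Za-z_]\w*")

# Filenames the article associates with TrojanOrder backdoors.
KNOWN_BACKDOOR_NAMES = {"pdo.php", "web_system.php", "cron_check.php"}

# Customer/address fields that TrojanOrder orders abuse for injection.
ORDER_FIELDS = ("firstname", "lastname", "street", "city", "email")


def scan_orders(orders):
    """Return (increment_id, field, value) for every order field that holds a directive."""
    hits = []
    for order in orders:
        for field in ORDER_FIELDS:
            value = str(order.get(field, ""))
            if DIRECTIVE_RE.search(value):
                hits.append((order["increment_id"], field, value))
    return hits


def find_suspicious_files(pub_dir, max_age_days=30, now=None):
    """Flag PHP files under pub/ by known backdoor name or by recent modification time.

    Returns a sorted list of (relative_path, reason). A recently modified PHP file is
    only a lead: compare it against your deployment history before acting on it.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    root = Path(pub_dir)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if path.name in KNOWN_BACKDOOR_NAMES:
            findings.append((rel, "known backdoor filename"))
        elif path.stat().st_mtime > cutoff:
            findings.append((rel, "php file modified in last %d days" % max_age_days))
    return sorted(findings)


# Constructed sample orders (not real data): one legitimate order and one whose city
# field carries the directive string quoted in the article.
SAMPLE_ORDERS = [
    {"increment_id": "000000101", "firstname": "Ada", "lastname": "Lovelace",
     "street": "1 Analytical Way", "city": "London", "email": "ada@example.test"},
    {"increment_id": "000000102", "firstname": "John", "lastname": "Doe",
     "street": "n/a",
     "city": "{{ var this.getTemplateFilter().filter($order.shipping_address.city) }}",
     "email": "x@example.test"},
]


def build_sample_pub(base_dir, now):
    """Create a constructed pub/ tree: an old, legitimate index.php and a fresh pdo.php."""
    pub = Path(base_dir) / "pub"
    (pub / "media").mkdir(parents=True)
    old = now - 400 * 86400
    legit = pub / "index.php"
    legit.write_text("<?php // placeholder standing in for Magento's front controller\n")
    os.utime(legit, (old, old))
    dropped = pub / "media" / "pdo.php"
    dropped.write_text("<?php // placeholder standing in for an uploaded file\n")
    os.utime(dropped, (now, now))
    return pub


def demo_file_scan():
    """Build the constructed pub/ tree in a temp dir and return what the scanner flags."""
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        return find_suspicious_files(build_sample_pub(tmp, now), now=now)


if __name__ == "__main__":
    for hit in scan_orders(SAMPLE_ORDERS):
        print("order %s: field %r contains a template directive: %s" % hit)
    for rel, reason in demo_file_scan():
        print("%s: %s" % (rel, reason))
```

The file check deliberately reports known names and recent PHP files separately: pub/ legitimately contains PHP entry points, so the second category is a triage list, while a hit on one of the three known names warrants immediate investigation.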


Steps for mitigation

For Magento store owners, the first line of defense is ensuring that all security patches are up to date. However, given the possibility of earlier, undetected breaches, it is also essential to scan the server for any hidden backdoors or malicious files. Server-side malware scanners can be particularly effective in identifying these threats.


Additionally, Magento has recommended an emergency patch that can be implemented to block most TrojanOrder attacks. This involves adding specific code to the app/bootstrap.php file, which helps detect and prevent the execution of malicious scripts. However, this is only a temporary solution and should not replace the need for regular updates and comprehensive security practices.
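The emergency patch described above is PHP that lives in app/bootstrap.php, and its exact contents are not reproduced here. The script below is an added example, not Magento's hotfix, that shows the same fail-closed idea in stand-alone Python: before a checkout request reaches order placement, every string in the decoded request body is checked for a template directive opener, and the request is rejected if one is found. The request bodies are constructed samples, and the key names (addressInformation, shipping_address) mirror Magento's checkout payload only as an assumption for illustration.

```python
import re

# Opener of a Magento template directive, e.g. "{{var ..." or "{{ block ...".
DIRECTIVE_RE = re.compile(r"\{\{\s*[A-Za-z_]\w*")


class TemplateInjectionRejected(ValueError):
    """Raised when a request field carries template directive syntax."""


def find_directives(payload, path=""):
    """Walk a decoded request body (dicts, lists, strings) and return the paths
    of every string that contains a directive opener."""
    found = []
    if isinstance(payload, str):
        if DIRECTIVE_RE.search(payload):
            found.append(path or "$")
    elif isinstance(payload, dict):
        for key, value in payload.items():
            child = "%s.%s" % (path, key) if path else str(key)
            found.extend(find_directives(value, child))
    elif isinstance(payload, (list, tuple)):
        for index, value in enumerate(payload):
            found.extend(find_directives(value, "%s[%d]" % (path, index)))
    return found


def guard_checkout_request(body):
    """Fail closed: raise before the request reaches order placement if any field
    carries a directive; otherwise hand the body back unchanged."""
    hits = find_directives(body)
    if hits:
        raise TemplateInjectionRejected(
            "template directive in request field(s): " + ", ".join(hits))
    return body


def is_rejected(body):
    """Convenience wrapper returning True when the guard rejects the body."""
    try:
        guard_checkout_request(body)
    except TemplateInjectionRejected:
        return True
    return False


# Constructed sample request bodies (not captured traffic).
LEGIT_BODY = {
    "addressInformation": {
        "shipping_address": {"firstname": "Ada", "lastname": "Lovelace",
                             "street": ["1 Analytical Way"], "city": "London"},
        "shipping_method_code": "flatrate",
    }
}

INJECTED_BODY = {
    "addressInformation": {
        "shipping_address": {"firstname": "John", "lastname": "Doe",
                             "street": ["n/a"],
                             "city": "{{ var this.getTemplateFilter().filter($order.shipping_address.city) }}"},
        "shipping_method_code": "flatrate",
    }
}


if __name__ == "__main__":
    print("legitimate request rejected:", is_rejected(LEGIT_BODY))
    print("injected request rejected:", is_rejected(INJECTED_BODY))
    print("offending fields:", find_directives(INJECTED_BODY))
```

Checking the decoded body rather than the raw bytes means nested JSON and arrays such as the street lines are covered. As the article notes, this kind of boundary filter only blocks the known injection pattern; the vulnerable template handling is fixed by applying the vendor patches.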


Conclusion

The TrojanOrder exploit underscores the ongoing challenges in maintaining secure eCommerce platforms. Even with patches and updates, vulnerabilities can persist or evolve, requiring continuous attention and proactive measures. If you want to ensure your Magento system has the latest security updates and is fully protected, don’t hesitate to contact us. We’re here to assist with the maintenance of your Magento store and help you develop new, secure eCommerce solutions. Your security is our priority.

