Exploits found for Magento 2.3.2

Last month, Magento released an important update; Magento 2.3.3. The changelog for that version contained a large number of critical security updates to stop Remote Code Execution (RCE), a type of bug that allows cybercriminals to 100% take over and control your webshop, including one that is marked to be exploitable by any visitor.
Magento, of course, advised everyone to update, but many people did not yet do so, hoping they’d still be safe.

And, since no exploits for these bugs were known yet, they were. While the update fixes a large number of issues, most of these are issues are discovered by security researchers through Magento’s Bug Bounty program, allowing them to be fixed before cybercriminals discover them, and as such most of the issues have never been exploited in the wild.

CVE-2019-8144 – RCE through Page Builder

Over the last week, however, we’ve noticed a sharp increase in probes on specific Magento 2 URLs, linked to one of the bugs fixed in Magento 2.3.3. We contacted some partners of ours, and through the grapevine learned that cybercriminals have reverse engineered the provided patches, developed an exploit, and are actively attacking shops.

Sharp increase in probes on specific Magento 2 URLs

What did we do?

Luckily we have plans in place on how to deal with dangerous exploits like this. This allows us to quickly take action to protect all our customers, when we learn about threats like this. And even though it was late at night, our technicians instantly went to work.

The first 30 minutes

The first thing we did was identify the endpoint and payloads used by the exploit. With that information, we can start developing countermeasures against it. And, at the same time, we worked to identify all the Hypernodes that had been probed already.

Twenty minutes later, we rolled out the first security patch to all Hypernodes that had been probed in the last month, securing them against further probes and attacks.
Once we had a list of all the Hypernodes that got probed, we were able to identify the IP addresses used in this attack, and block them globally on all Hypernodes. With that, 100% of the Hypernodes were now secure from attacks by these criminals.

The next hour

With the initial targets of the exploit secured against further attacks, we scanned all the Hypernodes that had been probed. Since we knew the methods used by the exploiters, we knew where to look for traces and logs of their work. Because of this, we now know that none of the probed Hypernodes had actually been hacked, and that their data is still secure.

With the current attack blocked on the Firewall level, we prepared a permanent fix that we could deploy to all customers.

The next morning

With the current exploiters blocked, we took another look at the countermeasures we placed last night, made some slight improvements, and placed them in the pipeline to be deployed to every single Hypernode over the next couple of hours.

What should you do

While we worked hard to keep your data secure, the most important thing to do here, is Update, Update, Update. The firewall rules block the current IP’s, but those can change. The countermeasures block the current exploit, but those can change. The only way you can be sure to be safe from this attack, is to Update your Magento 2. The only safe versions are Magento Commerce and Open Source 2.3.3, 2.3.2-p1 and 2.2.10. If you have not yet updated to that, we highly advise you to do so ASAP.