




















Hundreds of stores, including a $40 billion multinational, are running backdoored versions of popular ecommerce software. We found that the backdoor is actively used since at least April 20th. Sansec identified these backdoors in the following packages which were published between 2019 and 2022.
| Vendor | Package |
|---|---|
| Tigren | Ajaxsuite |
| Tigren | Ajaxcart |
| Tigren | Ajaxlogin |
| Tigren | Ajaxcompare |
| Tigren | Ajaxwishlist |
| Tigren | MultiCOD |
| Meetanshi | ImageClean |
| Meetanshi | CookieNotice |
| Meetanshi | Flatshipping |
| Meetanshi | FacebookChat |
| Meetanshi | CurrencySwitcher |
| Meetanshi | DeferJS |
| Meetanshi | OutofstockNotifier |
| MGS | Lookbook |
| MGS | StoreLocator |
| MGS | Brand |
| MGS | GDPR |
| MGS | Portfolio |
| MGS | Popup |
| MGS | DeliveryTime |
| MGS | ProductTabs |
| MGS | Blog |
We established that Tigren, Magesolution (MGS) and Meetanshi servers have been breached and that attackers were able to inject backdoors on their download servers.
This hack is called a Supply Chain Attack, which is one of the worst types. By hacking these vendors, the attacker gained access to all of their customers' stores. And by proxy, to all of the customers that visit these stores.
We also found a backdoored version of the Weltpixel GoogleTagManager extension, but we have not been able to establish whether Weltpixel or these particular stores got compromised.
If you use software from these vendors, you should check your store now. The backdoor consists of a fake license check in a file called License.php or LicenseApi.php.
The evil is in the adminLoadLicense function, which executes $licenseFile as PHP.
protected function adminLoadLicense($licenseFile)
{
// ...
$data = include_once($licenseFile);
// ...
}
The $licenseFile can be controlled by the attacker using the adminUploadLicense function. In versions from 2019 this does not require any authentication. In later versions this requires a secret key that must match the hardcoded checksum and salt:
class License {
const SECURE_KEY = '83ba291cd9201e9a28173741bac82745';
const SIGN_KEY = 'afa3a778bd34181c44f2dfe1de8aff05';
The fake license check is explicitly activated via registration.php.
<?php
\Magento\Framework\Component\ComponentRegistrar::register(
\Magento\Framework\Component\ComponentRegistrar::MODULE,
'Meetanshi_CookieNotice',
__DIR__
);
if (file_exists(__DIR__ . DIRECTORY_SEPARATOR . 'Model/System/Config/Source/Box/License/License.php')) {
include_once(__DIR__ . DIRECTORY_SEPARATOR . 'Model/System/Config/Source/Box/License/License.php');
}
The backdoor code is the same for all found packages, except for:
| Vendor | Meetanshi | MGS | Tigren | Weltpixel |
|---|---|---|---|---|
| Secure Key | 05aafe4... | 83ba291... | e7c057dd... | 47946a7... |
| Sign Key | f31d647... | afa3a77... | 313bedf... | 52dd8df... |
| License Filename | mtn-license | mgs-license | apj-license | wlp-license |
Sansec’s eComscan detects this malware out of the box. If you find a backdoor on your store, you can safely remove the fake License file. If you still have the original source in a zip file (particularly WeltPixel), please share it with us for further analysis.
At this point, we recommend to be extremely cautious when using software from these vendors.
Magesolution (MGS) did not respond, but the backdoored packages can still be downloaded from their site as of Apr 30th.
Tigren denies to have been hacked, but the backdoored packages are still available on their site as of Apr 30th.
Meetanshi claims that their software has not been tampered with, but confirmed that their server got hacked.
It is rare that a backdoor remains undetected for 6 years, but is even stranger that actual abuse has only started now.
We will update this post when we learn more.
Need help or want a second opinion? Get in touch.
Special thanks to Alexandra Zota for discovering the initial abuse.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。