Adobe is beseeching its Magento 1 eCommerce platform user to upgrade to the latest version of Adobe Commerce after a massive breach of over 500 stores built on the platform. Security company Sansec discovered the breach.
Speaking with tech publication ZDNet, Adobe said that it ended support for Magento 1 on June 30, 2020. It continues to encourage merchants on the old platform to upgrade to the latest Adobe Commerce version, which has better security, is more flexible, extensible, and scalable.
Any upgrade of this kind would require investing some money, which could be holding back some merchants.
Adobe wants you to upgrade
Adobe recommends that at the very least, merchants on Magento 1 should upgrade to the latest version of Magento Open Source, which is built on Magento 2 and to which the company applies essential security updates.
On Tuesday, Sansec released its findings showing that hundreds of stores were hit by a payment skimmer loaded from the naturalfreshmall.com domain.
The security company spoke to identified victims of the attack to collaborate on finding a common point of entry to thwart any new attacks.
Use malware scanners
The investigation found that the attackers combined an SQL Injection and PHP Object Injection attack to take over the Magento stores. Attackers leveraged a known leak in the Quickview plugin. Even though the vulnerability is typically used to inject rogue Magento admin users, the attacker(s) used it to run code directly on the server.
Sansec found that in one attack, the attacker left 19 backdoors on the system. The recommendation by the security company to victims is to use a malware scanner to find all malicious files or Magento code that is edited to include malicious code.