Hackers are targeting websites using the PrestaShop platform, leveraging a previously unknown vulnerability chain to perform code execution and potentially steal customers’ payment information.
The PrestaShop team issued an urgent warning last Friday, urging the admins of 300,000 shops using its software to review their security stance after cyberattacks were discovered targeting the platform.
The security advisory describes how the attacks take place. “The attack requires the shop to be vulnerable to SQL injection exploits”, said PrestaShop’s team. “To the best of our knowledge, the latest version of PrestaShop and its modules are free from these vulnerabilities. We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability.”
To conduct the attack, hackers send a POST request to a vulnerable endpoint followed by a parameter-less GET request to the homepage that creates a “blm.php” file at the root directory. The blm.php file appears to be a web shell that allows the threat actors to execute commands on the server remotely.
In many observed cases, the attackers used this web shell to inject a fake payment form on the shop’s checkout page and steal customers’ payment card details. After the attack, the remote threat actors wiped their tracks to prevent the site owner from realizing they were breached.
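The request sequence described above (a POST to a vulnerable endpoint, a parameter-less GET to the homepage, then traffic to the dropped `blm.php`) is something a shop operator can look for in web server access logs. The following is an added detection example written for this article; it is not code from PrestaShop or from the advisory. The log lines are constructed samples in the common Apache/nginx "combined" format, the module path `/modules/hypothetical_module/ajax.php` is an invented placeholder (the advisory does not name the vulnerable endpoint), and the IP addresses are documentation ranges.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real traffic). The first client
# reproduces the pattern described in the advisory; the second is a normal
# shopper whose homepage visit precedes the POST and must not alert.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jul/2022:10:15:01 +0000] "GET /index.php?controller=product&id_product=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Jul/2022:10:15:03 +0000] "POST /modules/hypothetical_module/ajax.php HTTP/1.1" 200 212 "-" "python-requests/2.28"
203.0.113.10 - - [22/Jul/2022:10:15:04 +0000] "GET / HTTP/1.1" 200 8830 "-" "python-requests/2.28"
203.0.113.10 - - [22/Jul/2022:10:15:09 +0000] "POST /blm.php HTTP/1.1" 200 41 "-" "python-requests/2.28"
198.51.100.7 - - [22/Jul/2022:10:16:00 +0000] "GET / HTTP/1.1" 200 8830 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2022:10:16:30 +0000] "POST /index.php?controller=cart HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# File name the advisory reports as the dropped web shell.
WEBSHELL_NAME = "/blm.php"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
    }


def analyze(log_text, window_seconds=30):
    """Return a list of alerts found in the log text.

    Rule 1 (high confidence): any request for the web shell file name.
    Rule 2 (triage heuristic): a POST to some endpoint followed, within
    window_seconds and from the same client, by a parameter-less GET of "/",
    which is the two-step sequence the advisory describes.
    """
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    alerts = []
    last_post = {}  # client ip -> most recent POST that was not to the homepage

    for e in events:
        if e["path"].lower() == WEBSHELL_NAME:
            alerts.append({"rule": "webshell_request", "ip": e["ip"], "ts": e["ts"]})

        if e["method"] == "POST" and e["path"] != "/":
            last_post[e["ip"]] = e
        elif e["method"] == "GET" and e["path"] == "/" and not e["query"]:
            prev = last_post.get(e["ip"])
            if prev and e["ts"] - prev["ts"] <= timedelta(seconds=window_seconds):
                alerts.append({
                    "rule": "post_then_homepage_get",
                    "ip": e["ip"],
                    "ts": e["ts"],
                    "post_path": prev["path"],
                })
                del last_post[e["ip"]]  # report each POST/GET pair once
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Rule 1 is the reliable signal: a shop has no legitimate reason to serve a file of that name from its root, so any hit on it (or its presence on disk) is grounds for incident response. Rule 2 will also match ordinary shoppers who submit a form and then return to the homepage, so treat it as a way to pull candidate clients out of a large log for manual review, and tune `window_seconds` to the traffic you actually see. Because the attackers wiped their tracks on the server, logs shipped off-host (reverse proxy, CDN, or a central log collector) are the copies worth searching.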
The PrestaShop post recommends that shop owners take action. “According to our current understanding of the exploit, attackers might be using MySQL Smarty cache storage features as part of the attack vector,” they write.
“This feature is rarely used and is disabled by default, but it can be enabled remotely by the attacker. Until a patch has been published, we recommend physically disabling this feature in PrestaShop’s code in order to break the attack chain.”