Self-Healing Malware Targets Magento Stores

This week, the Alert Logic ActiveIntelligence team highlights how Charging in Public Ports Can Compromise Your Phone and how a Self-Healing Malware Targets Magento Stores.

Breach

Charging in Public Ports Can Compromise Your Phone

Beware of public phone-charging stations such as those found in airports. Charging your phone at public USB ports and outlets could be giving hackers access to your device without you knowing it. This type of cyber attack is known as “juice jacking.” If you plug your phone into a USB port that has been tampered with, you might unwittingly share everything on your phone with a criminal, including your email, text messages, photos, and contacts. There's no limit to what information they could access.

Instead, it’s recommended to use your own charger, or to invest in a portable USB battery pack, so that you can avoid public USB ports and charging outlets altogether.

References: WARNING: Charging in Public Ports is Compromising Yourself and Your Phone | Charging Stations Might Expose Your Phone to Hackers | Charging Phones In Public Ports Leaves You Open To Hackers

Mitigation Strategies:

  • Log management can detect suspicious user account activity.
  • Intrusion detection system (IDS) signatures can detect intrusions and network anomalies.
  • A Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management, and advanced anomaly detection.
  • AWS Identity and Access Management (IAM) controls who can use your resources, which resources they can use, and in what ways.
  • NetFlow traffic shows large data transfers and potential data leakage. NetFlow traffic may also reveal outbound connections to countries you do not do business in, which may be an indicator of malicious activity.

Malware

Self-Healing Malware Targets Magento Stores

A newly discovered piece of malware targeting Magento stores has a self-healing routine that restores itself after deletion. The malware steals customers' card information and runs whenever a user places a new order. While this is not the first web malware to hide its code in the website's database, it is the first one written in SQL, as a stored procedure.

Store owners are advised by security specialists to scan their shops via MageReport and the Magento Malware Scanner, which have received updates to detect this new class of malware.
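Because this skimmer lives inside the shop's own database as SQL routines fired by new orders, a defender's first check is to enumerate every trigger and stored routine and look at what they touch. The script below is an added example, not code from the original post nor from MageReport or the Magento Malware Scanner: it walks a mysqldump excerpt and flags triggers that fire on an order table and write to a content/config table, or any routine whose body uses decoding or file functions. The Magento table names, the heuristics, and the dump itself are assumptions and constructed sample data.

```python
import re

# Constructed mysqldump excerpt (sample data, not real malware): a benign audit
# trigger, a trigger that rewrites store config on every new order, and a
# housekeeping procedure.
SAMPLE_DUMP = r"""
DELIMITER ;;
CREATE DEFINER=`root`@`localhost` TRIGGER `audit_order` AFTER INSERT ON `sales_order`
FOR EACH ROW BEGIN
  INSERT INTO order_audit (order_id, ts) VALUES (NEW.entity_id, NOW());
END ;;
CREATE TRIGGER `sync_cfg` AFTER INSERT ON `sales_order`
FOR EACH ROW BEGIN
  UPDATE core_config_data SET value = FROM_BASE64('Q09OU1RSVUNURUQ=')
  WHERE path = 'design/footer/absolute_footer';
END ;;
CREATE PROCEDURE `nightly_cleanup`() BEGIN
  DELETE FROM log_visitor WHERE last_visit_at < NOW() - INTERVAL 30 DAY;
END ;;
DELIMITER ;
"""

# Assumed table groups: Magento 1/2 order tables, and the content/config tables a
# database-resident skimmer would have to write to in order to reinject itself.
ORDER_TABLES = {"sales_order", "sales_flat_order", "quote", "sales_flat_quote"}
CONTENT_TABLES = {"core_config_data", "cms_block", "cms_page"}
# Functions and clauses that rarely belong in a shop's legitimate routines (assumed heuristics).
SUSPICIOUS = re.compile(r"FROM_BASE64|UNHEX|LOAD_FILE|INTO\s+(?:OUT|DUMP)FILE|<script|https?://", re.I)

# One CREATE TRIGGER/PROCEDURE/FUNCTION ... END ;; block per match (mysqldump uses ';;' as delimiter).
ROUTINE = re.compile(r"CREATE\s+(?:DEFINER=\S+\s+)?(TRIGGER|PROCEDURE|FUNCTION)\s+`?(\w+)`?(.*?)\bEND\s*;;", re.I | re.S)
TRIGGER_ON = re.compile(r"(?:AFTER|BEFORE)\s+(?:INSERT|UPDATE|DELETE)\s+ON\s+`?(\w+)`?", re.I)
WRITES_TO = re.compile(r"(?:UPDATE|INSERT\s+INTO|REPLACE\s+INTO)\s+`?(\w+)`?", re.I)

def scan_dump(dump: str) -> list:
    """Return every routine in the dump whose shape matches a DB-resident skimmer, with reasons."""
    findings = []
    for kind, name, body in ROUTINE.findall(dump):
        reasons = []
        m = TRIGGER_ON.search(body)
        on_table = m.group(1).lower() if m else None
        targets = {t.lower() for t in WRITES_TO.findall(body)}
        if on_table in ORDER_TABLES and targets & CONTENT_TABLES:
            reasons.append(f"fires on {on_table} and writes to {sorted(targets & CONTENT_TABLES)}")
        for hit in sorted({h.upper() for h in SUSPICIOUS.findall(body)}):
            reasons.append(f"body uses {hit}")
        if reasons:
            findings.append({"kind": kind.upper(), "name": name, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f["kind"], f["name"], "->", "; ".join(f["reasons"]))
```

On a live store the same checks can be run against information_schema.TRIGGERS and information_schema.ROUTINES instead of a dump; either way, any routine you cannot trace to a known extension deserves a closer look.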

References: New Self-Healing Malware Targets Online Shops Running on Magento | Magento Stores Targeted by Self-Healing Malware That Steals Credit Card Details | Self-Healing Malware Hits Magento Stores

Mitigation Strategies:

This Week's Suspicious IP Addresses

218.65.30.46 183.214.141.105
119.252.161.172 81.183.56.217
218.65.30.210 188.118.2.26

*IP addresses provided by Recorded Future.