Sansec Uncovers Supply Chain Attack via 21 Backdoored Magento Extensions

A recent discovery by cybersecurity firm Sansec has shed light on a sophisticated supply chain attack that compromised multiple vendors, including a $40 billion multinational. The attack involved 21 backdoored Magento extensions that were published between 2019 and 2022.

According to Sansec researchers, the malicious code was injected into the download servers of three major vendors – Tigren, Magesolution (MGS), and Meetanshi – allowing threat actors to take over customers' e-stores. The attack is believed to have compromised between 500 and 1,000 e-stores worldwide.

The researchers found that the backdoor had sat in the extensions unnoticed for approximately six years; the attack itself was only uncovered this week, after the threat actors used it to compromise e-commerce servers. Sansec's lead researcher, Alexandra Zota, first identified the attack, which is considered one of the worst types of supply chain attacks.

The Attack: A Supply Chain Nightmare

The backdoor was a fake license check in a file named License.php or LicenseApi.php that let attackers control the $licenseFile variable. In the older versions (2019), this required no authentication; newer versions require a secret key.

The fake license check was wired in via registration.php, and each vendor's backdoor had its own checksum, path, and filename. The malicious code executed the contents of $licenseFile as PHP through the adminLoadLicense function; in the 2019 versions, attackers could also write that file remotely through the adminUploadLicense function.
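A defender-side check based on the indicators named above, added here as an example and not part of Sansec's report or tooling: it walks a Magento code tree, looks only at License.php / LicenseApi.php files, and flags any that reference adminLoadLicense, adminUploadLicense, or hand a licenseFile value to include/require/eval. The sample tree it builds (vendor names, paths and file contents) is constructed for the demo, not real vendor code.

```python
import os
import re
import tempfile
from pathlib import Path

# File names and function names taken from the description of the backdoor.
SUSPECT_FILENAMES = {"License.php", "LicenseApi.php"}
INDICATORS = {
    "adminLoadLicense": re.compile(r"\badminLoadLicense\b"),
    "adminUploadLicense": re.compile(r"\badminUploadLicense\b"),
    # A licenseFile value fed to include/require/eval: the "execute as PHP" step.
    "licenseFile_exec": re.compile(
        r"\b(include|include_once|require|require_once|eval)\b[^;]*licenseFile"),
}


def scan_extension_tree(root):
    """Return {relative_path: [indicator names]} for every License.php or
    LicenseApi.php under root that carries at least one indicator."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in SUSPECT_FILENAMES:
                continue
            path = Path(dirpath) / name
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = [key for key, rx in INDICATORS.items() if rx.search(text)]
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree():
    """Constructed sample tree (hypothetical vendor 'Acme'): one benign license
    helper and one file showing the described load/upload pattern."""
    root = Path(tempfile.mkdtemp(prefix="magento-scan-"))
    benign = root / "app/code/Acme/Foo"
    benign.mkdir(parents=True)
    (benign / "License.php").write_text(
        "<?php\nclass License { function check($k) { return hash_equals($k, KEY); } }\n")
    suspect = root / "app/code/Acme/Bar"
    suspect.mkdir(parents=True)
    (suspect / "LicenseApi.php").write_text(
        "<?php\nclass LicenseApi {\n"
        "  public function adminLoadLicense() { include $this->licenseFile; }\n"
        "  public function adminUploadLicense($d) { /* writes licenseFile */ }\n}\n")
    return root
```

Run `scan_extension_tree("/path/to/magento")` against a real install; a match on `licenseFile_exec` together with either function name is the pattern worth inspecting by hand.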

The Impacted Vendors: A Mixed Response

Sansec contacted the impacted vendors and received different responses. Tigren denies being hacked, yet their packages are still online. Meetanshi claims no tampering but confirms their server was hacked. Magesolution (MGS) did not respond, but backdoored packages are still available.

"It is rare that a backdoor remains undetected for 6 years, but it's even stranger that actual abuse has only started now," concludes the report. The incident highlights the importance of regular security audits and updates to prevent such attacks in the future.

The Backdoored Extensions: A List of Vulnerable Packages

The 21 backdoored extensions, published between 2019 and 2022, came from the following vendors:

  • Tigren
  • Magesolution (MGS)
  • Meetanshi

A Call to Action: Protect Your E-commerce Security

This incident serves as a reminder of the importance of prioritizing e-commerce security. We recommend that all e-commerce owners and administrators take immediate action to secure their platforms by:

  • Conducting regular security audits
  • Keeping software up-to-date
  • Prioritizing patch management
  • Implementing strong authentication measures

Stay vigilant and protect your e-commerce security to prevent such attacks in the future.