Earlier this week, various blogs began reporting about compromised Magento-based e-commerce websites. These compromised sites kicked off infection chains for Neutrino exploit kit (EK). I've seen a few examples of this traffic leading to a Neutrino EK landing page, all dated last week. Sucuri's blog has information concerning the compromised Magento servers, while the Malwarebytes blog shows traffic from a compromised Magento site leading to Neutrino EK.

The Malwarebytes blog illustrates the flow of traffic for these Neutrino EK infection chains. The examples I've seen were similar, so let's review the traffic. The example I can share doesn't have a full infection chain, but it shows the same traffic patterns as the Malwarebytes blog entry.

Shown above: Traffic from the Malwarebytes blog entry.

Shown above: Other traffic I found, from Friday.

Last week's chain of events appears to be:

1. Bad actors behind this campaign compromise a Magento website.
2. Pages from compromised sites have injected script pointing to a URL on a first malicious domain.
3. The URL on the first malicious domain returns an iframe pointing to a second malicious domain.
4. The second malicious URL returns HTML redirecting to a third URL ending with neitrino.php.
5. neitrino.php from the third malicious domain returns an iframe to a Neutrino EK landing page.

I've represented the traffic in a flow chart:

Shown above: Flow chart for last week's infection chains.

Shown above: Traffic I found on Friday, this time with IP addresses.

Upon closer examination, last week's traffic followed specific URL patterns. The HTTP GET request to the first URL returned an iframe containing a URL ending with /app/?d22H. The HTTP GET request to the second URL ending with /app/?d22H returned HTML redirecting to another URL ending with neitrino.php (which I assume is a misspelling of "neutrino").

Shown above: HTTP GET request to the second URL.

The HTTP GET request to the third URL ending with neitrino.php returned an iframe pointing to a Neutrino EK landing page.

Shown above: HTTP GET request to the third URL.

Magento is an open-source e-commerce platform written in PHP. I can't provide any pcaps related to the recent wave of Magento site compromises, although I did find some Neutrino EK from a different actor on Wednesday.

Neutrino exploit kit attacks hit thousands of Magento shops

The compromised websites that Magento has investigated were not up-to-date. They all needed a patch that was published earlier this year. I haven't seen anything yet that's led me to believe this was caused by a new or unpublished vulnerability. This is probably an issue where people haven't been keeping their software updated or otherwise following poor security practices. Sites will get compromised if they aren't patched and their software kept up-to-date. Running a website on the Internet is like having a house in a bad neighborhood.
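One way to turn the redirect chain described above into a detection over proxy logs, as an added example that is not part of the original post: the script flags any request for a URL ending in neitrino.php, walks the Referer headers backwards to the page that started the chain (the compromised shop) and forwards to the HTML document that neitrino.php framed (the EK landing page). The pipe-separated record format, every hostname, and the function names are assumptions; the sample records are constructed, not captured traffic.

```python
"""Reconstruct exploit-kit redirect chains from HTTP proxy records by following
Referer headers back to the page that started them.

Added example, not the post author's code.  The record format and every
hostname below are constructed placeholders.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# URL patterns taken from the chain described in the post: the intermediate
# "/app/?<short token>" stage and the redirector ending in neitrino.php.
GATE_RE = re.compile(r"^/app/\?[A-Za-z0-9]{3,8}$")
REDIRECTOR_RE = re.compile(r"/neitrino\.php$", re.IGNORECASE)

# Constructed proxy records (not real traffic): client|url|referer|content-type
SAMPLE_LOG = [
    "10.0.0.5|http://shop.example.test/index.php/boards||text/html",
    "10.0.0.5|http://first.placeholder.test/js/stat.js|http://shop.example.test/index.php/boards|application/javascript",
    "10.0.0.5|http://second.placeholder.test/app/?d22H|http://shop.example.test/index.php/boards|text/html",
    "10.0.0.5|http://third.placeholder.test/neitrino.php|http://second.placeholder.test/app/?d22H|text/html",
    "10.0.0.5|http://landing.placeholder.test/ek-landing|http://third.placeholder.test/neitrino.php|text/html",
    "10.0.0.7|http://cdn.example.test/app/?id=1234||application/json",
    "10.0.0.7|http://news.example.test/article/42||text/html",
]


def parse_log(lines):
    """Split pipe-separated records into dicts; malformed lines are skipped."""
    records = []
    for line in lines:
        fields = line.rstrip("\n").split("|")
        if len(fields) != 4:
            continue
        client, url, referer, ctype = fields
        records.append({"client": client, "url": url, "referer": referer, "ctype": ctype})
    return records


def classify(url):
    """Return 'gate', 'redirector' or None for a single URL."""
    parts = urlsplit(url)
    if REDIRECTOR_RE.search(parts.path):
        return "redirector"
    path_and_query = parts.path + ("?" + parts.query if parts.query else "")
    if GATE_RE.match(path_and_query):
        return "gate"
    return None


def reconstruct_chains(records):
    """For every neitrino.php request, walk Referer links backwards to the
    page that started the chain and forwards to the HTML document it framed."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec["client"]].append(rec)

    chains = []
    for client, recs in by_client.items():
        by_url = {rec["url"]: rec for rec in recs}
        for rec in recs:
            if classify(rec["url"]) != "redirector":
                continue
            # Backwards: follow Referer until it is empty or unknown; the
            # `seen` set stops self-referencing or cyclic Referer values.
            hops = [rec["url"]]
            seen = {rec["url"]}
            cur = rec
            while cur["referer"] in by_url and cur["referer"] not in seen:
                cur = by_url[cur["referer"]]
                seen.add(cur["url"])
                hops.insert(0, cur["url"])
            # Forwards: HTML documents whose Referer is the redirector itself.
            landing = [r["url"] for r in recs
                       if r["referer"] == rec["url"] and r["ctype"].startswith("text/html")]
            chains.append({"client": client, "origin": hops[0], "hops": hops,
                           "stages": [classify(u) for u in hops], "landing": landing})
    return chains


def compromised_hosts(chains):
    """Hostnames of the pages that started a chain, for follow-up with site owners."""
    return sorted({urlsplit(c["origin"]).hostname for c in chains})


if __name__ == "__main__":
    for chain in reconstruct_chains(parse_log(SAMPLE_LOG)):
        print(chain["client"], " -> ".join(chain["hops"]), "=>", chain["landing"])
```

The `/app/?<token>` pattern is deliberately strict (a short alphanumeric query with no `=`) so ordinary `/app/?id=1234` style requests are not tagged, and the chain is anchored on the neitrino.php hop rather than on the landing-page domain, which changes far more often than the redirector's path.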