Magento powers a significant share of the ecommerce industry, so when something happens to the platform, the whole industry takes notice. The news of attacks on Magento stores that surfaced earlier was no exception.
It appears that Magento 2 stores were the targets of a campaign in which attackers exploited a “tried-and-tested” class of flaw, an SQL injection vulnerability in Magento, which gave them the access needed to take over unpatched sites.
Immediately after the issue surfaced, the Magento team released a fix, but that alone does not mean your Magento 2 store is secure.
The goal of such attacks, including the SQL injection used in this instance, is access to the Magento admin panel, through which attackers can take over the store and all the data it holds. That data is then used for further attacks or sold on the dark web.
The Solution From Experts
The Magento team has released the patch ‘PRODSECBUG-2198’, which they recommend applying in combination with standard Magento security best practices.
We asked several experts how they would secure Magento stores against similar attacks.
- “First, ensure that you are on par with all security patches.
- Second, even if you already have patched: change all of your staff’s admin passwords right away, as they were likely stolen before you patched. Use computer-generated passwords of at least 10 characters. This will significantly extend the time required to break the hashes.
- Third, inspect your site for malicious code or unauthorized access. Our eComscan forensic scanner can be valuable here (it was developed to aid in our own investigations).
- Fourth, as long as Magento has not published a patch to hide the secret backend panel, you should implement extra protection. An IP restriction is recommended; use, for example, this plugin. If your staff uses dynamic IPs, it is recommended to have them use a VPN. This will not only guarantee a static IP but also enforce encryption.
- Finally, install a malware & vulnerability monitor so you will be alerted immediately when something is amiss.”
Let’s also hear what other Magento experts have to say about this.
“The sharp rise has been heavily linked to the release of a POC around PRODSECBUG-2198 within a few days of the patch release. The only real way to make sure that exploits aren’t exploited on your site would be to ensure you have a robust patching policy in place that is able to turn around UAT and production deployments within a very short timescale.
- Sign up to Magento’s security emails, follow hashtags on Twitter, and hang out in the #security channel of MagComEng on Slack.
- Apply patches to all stores/instances as quickly as possible whilst robustly testing your solution.
- Keep an eye on http://magento.stackexchange.com in case known issues with any patches arise.
- Use automated testing to ensure that the core areas of your site aren’t affected by patches.
- Utilize a third party such as Foregenix as soon as you think you have an issue.”
“It’s common to leave behind security vulnerabilities when you are rolling out new features and bug fixes in open source code, which is easily accessible to everyone. Anyone can go through the code to sniff out the security bug. However, the more you vet the code for security issues, the less likely you are to launch a product with vulnerabilities. Also, the community is making many code contributions, which makes it even more difficult to review them all and eliminate security bugs entirely.
When a zero-day is published or any unauthorized SQL injection or RCE comes out with a proof of concept, it becomes very hard for merchants to patch their store as soon as possible, because patching Magento sites is not easy. It takes a lot of effort and requires experienced Magento developers to do it and ensure nothing else gets broken. However, recently Magento has been doing a great job of providing hotfixes which include only the code changes needed to fix the critical vulnerabilities, like PRODSECBUG-2198.
As a merchant, when something like this comes out it is extremely important to patch the stores as soon as possible, without any delay. Magecart and other Magento hacker groups actively scan most Magento websites to find unpatched stores and insert malicious scripts that steal customer credit card information. Once you are hacked, there is no going back. Your reputation gets harmed, and there could also be legal issues due to negligence if you do not act fast on these issues. Also, it’s an embarrassment to email all your customers about the security incident on your site, which is unfortunately common nowadays.
Things I would recommend to merchants when there is a security patch release:
- Make it a priority: ask your SI or in-house team to swiftly patch the store (of course with thorough testing on a pre-prod/staging/dev environment first).
- Consider blocking URLs if they are rarely accessed and only used to exploit the vulnerability (for example, the “catalog/product_frontend_action/synchronize” URL was mostly used to exploit PRODSECBUG-2198).
- Actively monitor the server logs to look out for any suspicious activity. Block the offending IPs and maybe prevent the hack, or at least reduce the risk.”
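Three of the recommendations quoted above lend themselves to one routine check of the web server access log: counting hits to the rarely used “catalog/product_frontend_action/synchronize” URL that the third expert suggests blocking, flagging admin-panel requests from outside the staff IP range that the first expert recommends restricting, and turning both into a list of IPs to block. The script below is an added example written for this article; it is not code from the article, from Magento, or from any of the quoted firms. It assumes a combined-format access log, that the admin frontName is the default “admin”, and that staff reach the admin panel from 10.0.0.0/8 (an office or VPN range, as the VPN advice implies); the log lines it runs over are constructed samples, not real traffic.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the article): the store's admin frontName is the default
# "admin" and staff reach it from the 10.0.0.0/8 range (office or VPN). Adjust
# both for a real deployment.
ADMIN_PREFIX = "/admin/"
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]
# Rarely used frontend URL the third expert suggests blocking; hits to it are worth counting.
WATCHED_PATH = "/catalog/product_frontend_action/synchronize"

# Combined log format as written by nginx/Apache; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not real traffic); addresses come from the RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Mar/2019:10:00:01 +0000] "GET /catalog/product_frontend_action/synchronize HTTP/1.1" 200 512 "-" "python-requests/2.21.0"
198.51.100.7 - - [29/Mar/2019:10:00:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Mar/2019:10:00:05 +0000] "GET /catalog/product_frontend_action/synchronize HTTP/1.1" 200 512 "-" "python-requests/2.21.0"
192.0.2.44 - - [29/Mar/2019:10:01:00 +0000] "POST /admin/admin/index/index/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Mar/2019:10:02:00 +0000] "GET /admin/admin/dashboard/ HTTP/1.1" 200 40311 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string: the path is what the URL-blocking advice keys on.
    path = m.group("target").split("?", 1)[0]
    return m.group("ip"), path, int(m.group("status"))


def ip_allowed(ip):
    """True if the source address lies in one of the allowlisted staff networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_ALLOWLIST)


def analyze(log_text):
    """Count hits to the watched URL per source IP and list admin requests from outside the allowlist."""
    watched_hits = Counter()
    admin_foreign = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, _status = parsed
        if path == WATCHED_PATH:
            watched_hits[ip] += 1
        if path.startswith(ADMIN_PREFIX) and not ip_allowed(ip):
            admin_foreign.append((ip, path))
    return {"watched_hits": watched_hits, "admin_foreign": admin_foreign}


def block_candidates(report, threshold=2):
    """IPs worth blocking at the firewall or WAF: repeat callers of the watched URL,
    plus any address that reached the admin panel from outside the allowlist."""
    ips = {ip for ip, n in report["watched_hits"].items() if n >= threshold}
    ips.update(ip for ip, _ in report["admin_foreign"])
    return sorted(ips)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["watched_hits"].most_common():
        print(f"{ip} hit {WATCHED_PATH} {n} time(s)")
    for ip, path in report["admin_foreign"]:
        print(f"admin request from non-allowlisted {ip}: {path}")
    print("block candidates:", block_candidates(report))
```

Run against a real log by replacing `SAMPLE_LOG` with the file contents. The admin check only works if the allowlist is complete, so maintain it alongside the VPN setup; and because the synchronize URL is also used by legitimate storefront traffic, the threshold is a tuning knob rather than a verdict, which is why the expert's advice is to block the URL outright if your store rarely needs it.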
From all of the above opinions and suggestions, it is clear that the first priority of Magento administrators is to keep the store safe from suspicious activity and to follow the security measures that experts recommend for online stores. In addition, keep up with recent Magento releases and host your application on a secure, managed Magento server.