Hackers are targeting websites using the PrestaShop platform, leveraging a previously unknown vulnerability chain to perform code execution and potentially steal customers' payment information.

The PrestaShop team issued an urgent warning last Friday, urging the admins of 300,000 shops using its software to review their security stance after cyberattacks were discovered targeting the platform.

The attack appears to impact PrestaShop versions 1.6.0.10 or later and versions 1.7.8.2 or later if they run modules vulnerable to SQL injection, such as the Wishlist 2.0.0 to 2.1.0 module.

The actively exploited vulnerability is being tracked with the identifier CVE-2022-36408.

Attack details
The attack begins by targeting a module or an older platform version vulnerable to SQL injection exploits. PrestaShop's team has not determined where these flaws exist at this time and warned that the compromise might be caused by a third-party component too.

"We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability," explains the PrestaShop security advisory.

To conduct the attack, hackers send a POST request to a vulnerable endpoint followed by a parameter-less GET request to the homepage that creates a "blm.php" file at the root directory.

The blm.php file appears to be a web shell that allows the threat actors to execute commands on the server remotely.

In many observed cases, the attackers used this web shell to inject a fake payment form on the shop's checkout page and steal customers' payment card details.

After the attack, the remote threat actors wiped their tracks to prevent the site owner from realizing they were breached.

Security update released
If the attackers weren't diligent with the cleanup of evidence, compromised site administrators might find entries in the web server's access logs for signs that they were compromised.

Other signs of compromise include file modifications to append malicious code and the activation of the MySQL Smarty cache storage, which serves as part of the attack chain.

This feature is disabled by default, but PrestaShop has seen evidence of the hackers enabling it independently, so the recommendation is to remove it if not needed.

To do that, locate the file "config/smarty.config.inc.php" on your shop and delete the following lines:

Finally, upgrade all used modules to the latest available version and apply the PrestaShop security update released today, version 1.7.8.7.

This security fix strengthens the MySQL Smarty cache storage against all code injection attacks, for those who want to continue using the legacy feature.

However, it is important to note that if your site has already been compromised, applying the security update won't remediate the problem.

The information contained in this website is for general information purposes only. The information is gathered from BleepingComputer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.