Backdoor found in popular ecommerce components
Multiple vendors were hacked in a coordinated supply chain attack, Sansec found 21 applications with the same backdoor. Curiously, the malware was injected 6 years ago, but came to life this week as attackers took full control of ecommerce servers. Sansec estimates that between 500 and 1000 stores are running backdoored software. Hundreds of stores, including a $40 billion multinational, are running backdoored versions of popular ecommerce software. We found that the backdoor is actively used since at least April 20th. Sansec identified these backdoors in the following packages which were published between 2019 and 2022. Vendor Package Tigren Ajaxsuite Tigren Ajaxcart Tigren Ajaxlogin Tigren Ajaxcompare Tigren Ajaxwishlist Tigren MultiCOD Meetanshi ImageClean Meetanshi CookieNotice Meetanshi Flatshipping Meetanshi FacebookChat Meetanshi CurrencySwitcher Meetanshi DeferJS MGS Lookbook MGS StoreLocator MGS Brand MGS GDPR MGS Portfolio MGS Popup MGS DeliveryTime MGS ProductTabs MGS Blog We established that Tigren, Magesolution (MGS) and Meetanshi servers have been breached and that attackers were able to inject backdoors on their download servers. This hack is called a Supply Chain Attack, which is one of the worst types. By hacking these vendors, the attacker gained access to all of their customers' stores. And by proxy, to all of the customers that visit these stores. We also found a backdoored version of the Weltpixel GoogleTagManager extension, but we have not been able to establish whether Weltpixel or these particular stores got compromised.
