Attackers Pummel Millions of Websites via Critical WooCommerce Payments Flaw

Published: 23/11/2024   Category: security



A barrage of targeted attacks against vulnerable installations peaked at 1.3 million against 157,000 sites over the weekend, aimed at unauthenticated code execution.



Attackers have been exploiting a critical flaw in the WordPress WooCommerce Payments plug-in in a spate of attacks over the last few days that peaked at 1.3 million attempts against 157,000 sites on July 15, researchers have found.
Researcher Michael Mazzolini of GoldNetwork discovered the flaw, tracked as CVE-2023-28121 and rated 9.8 out of 10 on the CVSS vulnerability rating scale, in March while doing white-hat testing through WooCommerce's HackerOne program. Exploit code soon followed, notably from RCE Security, which released a blog post earlier this month detailing how to take advantage of the flaw.
The issue specifically affects the WooCommerce Payments plugin for WordPress, versions 5.6.1 and lower, allowing an unauthenticated attacker to elevate privileges and send requests on behalf of an administrator, thus gaining admin access on any site that has an affected version of the plugin activated.
WooCommerce Payments, which provides functionality for online stores to accept payments through credit cards, debit cards, and Apple Pay, is installed on more than 600,000 sites. The payment plugin is no stranger to being under attack, but typically attackers have targeted it as part of a broader Magecart skimming attack that also affects other payment systems.
WooCommerce patched the flaw soon after its discovery through an auto-update to WordPress.com sites running WooCommerce Payments 4.8.0 through 5.6.1. However, users running affected versions on sites outside WordPress.com needed to install the update themselves, and if they didn't, those sites remain vulnerable.
Attackers have been taking full advantage of those vulnerable sites over the last few days, in a string of attacks that are unusual in that they appear to be highly targeted rather than random, Wordfence revealed in a blog post on July 17.
"Unlike many other large-scale campaigns which typically attack millions of sites indiscriminately, this one seems to be targeted against a smaller set of websites," Wordfence's Ram Gall wrote in the post.
Wordfence researchers saw the first warning signs of the barrage several days before the main wave through an increase in plugin enumeration requests that searched for a readme.txt file in the wp-content/plugins/woocommerce-payments/ directory of millions of sites.
While the majority of actual attacks came from a handful of IP addresses, which were shared in the post, the readme.txt requests were distributed over thousands of IP addresses. However, only about 5,000 IP addresses sent both readme.txt requests and actual attacks, Gall reported.
Common to all exploits targeting the WooCommerce Payments vulnerability was the header "X-Wcpay-Platform-Checkout-User: 1", which causes vulnerable sites to treat any additional payloads as coming from an admin, Gall said.
"Many of the requests we've seen using this appear to be attempting to use their new administrative privileges to install the WP Console plugin, which can be used by an administrator to execute code on a site," he wrote.
Once that plugin is installed, attackers use it to execute malicious code and place a file uploader in order to establish persistence, Gall said. The payload observed by Wordfence researchers has an MD5 hash of fb1fd5d5ac7128bf23378ef3e238baba when saved to the victim filesystem, and the Wordfence scanner has provided detection for it since at least July 2021, he said.
"We have also seen attackers creating malicious administrator users with randomized alphanumeric usernames such as ac9edbbe," Gall wrote.
The exploit outlined by Julien Ahrens, the self-appointed hacker behind RCE Security, triggers the vulnerability in the determine_current_user_for_platform_checkout() function, where the plugin checks for the existence of the X-WCPAY-PLATFORM-CHECKOUT-USER request header, he explained in his post. If it's present, WooCommerce simply returns the header's value, which represents the determined user.
This allows an attacker to trick WordPress into thinking that an unauthenticated user is actually authenticated, by setting the X-WCPAY-PLATFORM-CHECKOUT-USER request header and pointing it to a userId, Ahrens explained.
What happens under the hood is that the hook effectively tells WordPress which user the request came from, he wrote. Since we have the userId under our control, we do now have an easy way to impersonate any user which is active/enabled on the WordPress instance, including administrators.
Thus, once an attacker achieves admin impersonation, the entire WordPress instance can be compromised, he said. An attacker can determine if the exploit was successful based on the HTTP response code; if it's 201, then it will return the user object of the newly created user, which can then be used to authenticate against the WordPress administrative backend, Ahrens said.
If a case occurred in which the targeted, impersonated user doesn't exist anymore or is disabled, an attacker will need to either query the /wp-json/wp/v2/users API method to get a list of active users or simply brute force through the userIds, he added.
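The indicators Wordfence describes above (the trusted X-Wcpay-Platform-Checkout-User header, readme.txt enumeration of the plugin directory, random eight-character admin usernames and WP Console installs) can be turned into a simple triage check over captured requests. This is an added example, not Wordfence's or WooCommerce's code; the request records are constructed for illustration, and the indicator names and the `Request` structure are assumptions.

```python
import re
from dataclasses import dataclass, field

# Minimal request record; header names are compared case-insensitively.
@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""

IMPERSONATION_HEADER = "x-wcpay-platform-checkout-user"
README_PROBE = "/wp-content/plugins/woocommerce-payments/readme.txt"
# Randomised admin usernames such as "ac9edbbe": eight lowercase hex characters.
RANDOM_USER = re.compile(r'"username"\s*:\s*"[0-9a-f]{8}"')

def classify(req: Request) -> list:
    """Return the indicator names a request matches; empty list means clean."""
    hits = []
    headers = {k.lower(): v for k, v in req.headers.items()}
    # 1. The header the vulnerable plugin trusted as the acting user ID.
    if IMPERSONATION_HEADER in headers:
        hits.append("wcpay_impersonation_header")
    # 2. Version fingerprinting of the plugin readme seen before the main wave.
    if req.path.endswith(README_PROBE):
        hits.append("wcpay_readme_enumeration")
    # 3. Admin creation through the REST users endpoint with a random username.
    if (req.method == "POST" and req.path.startswith("/wp-json/wp/v2/users")
            and '"administrator"' in req.body and RANDOM_USER.search(req.body)):
        hits.append("random_admin_user_creation")
    # 4. Installing WP Console, which lets an admin run code on the site.
    if req.method == "POST" and "wp-console" in req.body:
        hits.append("wp_console_install")
    return hits

def triage(requests) -> list:
    """Keep only requests with at least one indicator, paired with their hits."""
    return [(r.path, classify(r)) for r in requests if classify(r)]

# Constructed sample traffic (not real captures).
SAMPLE = [
    Request("GET", "/wp-content/plugins/woocommerce-payments/readme.txt"),
    Request("POST", "/wp-json/wp/v2/users",
            {"X-Wcpay-Platform-Checkout-User": "1"},
            '{"username":"ac9edbbe","password":"x","roles":["administrator"]}'),
    Request("GET", "/shop/"),
]
```

The impersonation header also appears in legitimate platform checkout flows, so treat a hit as a signal for review (together with the other indicators) rather than as proof of compromise on its own.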
Anyone using an affected version of WooCommerce Payments is encouraged to ensure the plugin is updated to the latest version, which patches the flaw. The company outlined flaw details and mitigation in a blog post published in March, when the flaw was discovered.
Once users ensure that the version of WooCommerce Payments they're using is secure, they should check for evidence of any unexpected admin users or posts on their site, WooCommerce recommends. If they find any, they should update admin passwords, as well as rotate any API keys used on the site, including the WooCommerce API key.
