Magento, Linux Ransomware and Tor

Just before Halloween, a critical vulnerability was found by Dawid Golunski[1] in the Magento software[2]. This post describes the vulnerability, how it is being exploited in the wild and how the "bad guys" are profiting from it.

Firstly, a bit of background on Magento for readers who don't know what it is. Magento is an open source content management system used to build e-commerce web sites. It is written in PHP and uses components of the Zend Framework[3]. Magento was first released in early 2008 and is now owned by eBay[4]. Various well-known retailers use it, including Nike, Paul Smith and RosettaStone[5]. Magento claims 'More than 240,000 merchants worldwide put their trust in our eCommerce software' and 'Magento Commerce is the leading platform for open commerce innovation with over $50B in gross merchandise volume transacted on the platform annually.'

Magento suffered from an 'XXE' injection vulnerability. 'XXE' stands for XML eXternal Entity: it is an attack on an application that parses XML from untrusted sources with an incorrectly configured XML parser. Because the attacker controls the entity declarations in the document, the application can be made to open arbitrary local files and/or network resources and return their contents. In PHP applications, XXE issues may also lead to denial of service or, in some cases (e.g. when the 'expect' PHP module is installed), to command execution[6].

The original vulnerability was found in the Zend Framework and was assigned CVE-2015-5161[7]. Unfortunately (or fortunately, depending on which side you are on), because Magento uses components of the Zend Framework, Magento inherits the vulnerable component as well.

Now that we’ve covered the target and the vulnerability, we’ll take a peek into the world of cybercrime and find out how criminals are using this vulnerability to nefarious ends.  Enter ransomware for Linux.

The picture below shows a ransom note left by the attacker(s) stating that the victim's files have been encrypted using a unique RSA-2048 public key. To receive the private key and the PHP script needed to decrypt the files, the victim must pay 1 bitcoin (~$240). Details of a Tor hidden service site[8] are then presented to the victim. As a bonus, a "newbie version" of how to buy bitcoins is provided (how thoughtful of the attackers).

The following page is presented to the victim when they access the hidden service.

Ransomware has become more and more popular among criminals for two main reasons:

  • Victims would rather pay the one-off nominal fee.
  • Law enforcement cannot help the victim.

Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office even stated:

“To be honest, we often advise people just to pay the ransom.”[9]

Searching for this file, Google gives 53,400 results of potentially infected hosts. ProCheckUp believe the criminal(s) have been spreading this malware using various other software vulnerabilities as well as the Magento one discussed earlier. So there is a potential profit of $12,816,000 (£8,412,761) for the criminal(s), if every result is an infected server and every victim decides to pay the fee.

Cyber criminals have been using Tor hidden services as a safe haven, as it helps mask their whereabouts. However, there may be some light at the end of the tunnel for the victims. An article published by VICE contained court documents detailing the take-down of various Tor users after the FBI discovered their real IP addresses with the help of a university[11]. This new method of de-anonymising Tor users has not yet been revealed. A talk at BlackHat[10] by Alexander Volynkin and Michael McCord was to reveal how a $3000 piece of kit could unmask the IP addresses of Tor hidden services as well as their users, but unfortunately the talk was cancelled.

The following link gives advice on how to update to the latest Magento patch to fix this vulnerability:

ProCheckUp also recommends performing regular backups, which will allow you to revert if your server becomes infected.
