
- PolyShell vulnerability in Magento/Adobe Commerce mass exploited, hitting over half of vulnerable stores
- Attackers deploy novel WebRTC-based credit card skimmer to evade security controls
- Compromised versions targeted since March 19, including high-value ecommerce sites
PolyShell, a newly discovered vulnerability in certain Magento Open Source and Adobe Commerce installations, is now being actively used in attacks against a large number of websites, researchers are warning.
The flaw affects stable version 2 installations of both products and allows threat actors to execute malicious code without authentication and take over user accounts.
Adobe patched it, but the fix was only available in the second alpha release for version 2.4.9, meaning production versions remained vulnerable.
Targeting a $100 billion company
At the time, security researchers at Sansec advised website admins to restrict access to the pub/media/custom_options/ folders, verify that their nginx or Apache rules actually block that access, and scan their stores for uploaded malware and backdoors.
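The last of those steps, scanning the upload folder for planted files, can be automated. The script below is an added example and is not Sansec's or Adobe's own tooling; it assumes a media root laid out like Magento's pub/media/, treats the set of allowed upload extensions as a store-specific assumption, and flags any file under custom_options/ that has an unexpected extension or carries a PHP open tag regardless of its extension. The sample tree it scans is constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Extensions a store normally allows for customer option uploads.
# Assumption for this example: tune to the store's real configuration.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}

# Server-side code markers that have no business in a customer upload.
PHP_MARKER = re.compile(rb"<\?php|<\?=", re.IGNORECASE)


def scan_custom_options(media_root):
    """Walk <media_root>/custom_options/ and return [(relative_path, reasons)]
    for every file that looks out of place. Only the first 64 KiB of each
    file is inspected so large legitimate uploads stay cheap to check."""
    media_root = Path(media_root)
    findings = []
    for path in sorted((media_root / "custom_options").rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() not in ALLOWED_EXT:
            reasons.append("unexpected extension")
        if PHP_MARKER.search(path.read_bytes()[:65536]):
            # Catches code hidden inside a file that still carries an
            # image extension, not just obvious .php uploads.
            reasons.append("server-side code marker")
        if reasons:
            findings.append((path.relative_to(media_root).as_posix(), reasons))
    return findings


def build_demo_tree():
    """Constructed sample media tree (not real store data): one clean PNG,
    one JPEG with PHP hidden after its header, and one bare PHP file."""
    root = Path(tempfile.mkdtemp())
    base = root / "custom_options" / "quote"
    (base / "a").mkdir(parents=True)
    (base / "b").mkdir(parents=True)
    (base / "a" / "receipt.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (base / "b" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"<?php echo 'x'; ?>")
    (base / "b" / "upload.php").write_bytes(b"<?php echo 'x'; ?>")
    return root


if __name__ == "__main__":
    for rel, why in scan_custom_options(build_demo_tree()):
        print(f"{rel}: {', '.join(why)}")
```

Run it against a real store by calling scan_custom_options with the path to pub/media instead of the demo tree; anything it reports should be reviewed by hand, since the extension list is only a first filter.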
They also said that at first, there was no evidence of abuse in the wild, but stressed that an exploit method was “circulating already”.
Now, it appears that the predictions were true, as Sansec says more than half of all vulnerable stores are being targeted.
“Mass exploitation of PolyShell started on March 19th, and Sansec has now found PolyShell attacks on 56.7% of all vulnerable stores,” Sansec said, without giving a raw number of targeted sites.
In some of the attacks, the threat actors deployed a previously unseen credit card skimmer. It apparently uses Web Real-Time Communication (WebRTC) to exfiltrate data, which is a novel approach. As BleepingComputer explained, WebRTC carries data over DTLS-encrypted UDP rather than HTTP, which makes the exfiltration better at evading security controls “even on sites with strict Content Security Policy (CSP) controls like ‘connect-src.’”
The skimmer was built in JavaScript and connects to a hardcoded C2 server, from which it receives a second-stage payload. It was first spotted on an ecommerce website belonging to a carmaker valued at over $100 billion.
Via BleepingComputer