An XML backdoor to Magento is being actively exploited, and Augur predicted 3 key IPs associated with it - providing advance protection to our subscribers. Read this post to find out more.

The Magento XML backdoor is a critical vulnerability allowing attackers to inject malicious code into the platform. It exploits Magento’s layout parser and default packages to execute commands when a checkout cart is accessed. The backdoor reinfects systems by modifying the CMS controller, even after attempts to remove it. Attackers can achieve remote code execution, compromising stores by embedding skimmers to steal payment data. This vulnerability persists across Magento versions unless patched, posing a serious threat to e-commerce businesses. For full details, visit Sansec's article.

Here’s What Augur Predicted

‍

In Q2 2023, Augur predicted CIDR 45.146.54.0/24 would be malicious, and first confirmations of IPs in this CIDR started in January 2024. Three IPs belonging to this CIDR were then reported as part of the Magento XML backdoor in April 2024.

45.146.54.67  (reported by ESTsecurity, MalwareURL, SOCRadar, Webroot and ArcSightThreat Intelligence)

45.146.54.59 (reported by ESTsecurity, MalwareURL, SOCRadar, Webroot and ArcSightThreat Intelligence)

45.146.54.61 (reported by CRDF,  ESTsecurity, MalwareURL, SOCRadar, Webroot and ArcSightThreat Intelligence)

CIDR 45.146.54.0/24 has been very active in terms of reported malicious activity, with 185 of 256 IPs having been reported as malicious within the first year of the CIDR being registered. This makes a very clear case for blocking at a CIDR level based on predictions rather than waiting for individual IPs to be confirmed by third-party threat research.

This CIDR is part of ASN 206092 (SECFIRESWALLAS, UK), which, at present, contains more than 150 CIDRs that 3rd party threat researchers have reported as containing malicious IPs. This indicates a reasonable level of likelihood that this is a bulletproof hoster.

As always, if you haven’t already blocked these IPs we highly recommend you do so.

Get Zero-day Protection Today!

You can learn more about how Augur predicts the future here and how it provides unique protection against emerging vulnerabilities, novel threats and zero-day exploits. If you want to talk to someone about how Augur’s predictive intelligence can improve your overall security posture, email us at augur@seclytics.com.

‍

Stay in the Loop

To stay up to date on all the latest SecLytics news and events, check out our blog or, even better, follow us on LinkedIn!