May 5th, 2025

Who:
Sansec, an eCommerce security firm, discovered that multiple vendors—Tigren, Magesolution (MGS), and Meetanshi—were compromised. Attackers injected backdoors into 21 of their Magento extensions, impacting between 500 and 1,000 online stores, including a $40 billion multinational company.

What:
A coordinated supply chain attack introduced a backdoor disguised as a license check within files named License.php or LicenseApi.php. This backdoor allows remote code execution via functions like adminLoadLicense, enabling attackers to upload and execute arbitrary PHP code on affected servers.

Impact:
Hundreds of eCommerce sites are running compromised software.
Potential for data breaches, unauthorized admin account creation, and malware deployment.
Vendors' responses varied:
MGS: No response; backdoored packages remain available.
Tigren: Denied the breach; compromised extensions still online.
Meetanshi: Acknowledged a server breach but claimed their software wasn't tampered with.
Recommendations:
Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
Enforce MFA on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times.
Where possible, enable passwordless authentication methods (e.g. Microsoft Authenticator).
Educate end users about preventing malware infections, practicing the principle of least privilege, and building credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of unwanted applications.
Software developers and web admins should check any License.php and LicenseApi.php files for the adminLoadLicense function and the other associated IoCs.
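A defender-side check for the recommendation above, as an added example that is not from Sansec or any of the vendors: it walks a Magento code tree, flags every PHP file that defines adminLoadLicense (the indicator named in the advisory) and notes whether the file carries one of the two file names. The extra "exec hints" patterns are my own triage heuristic, not indicators from the advisory, and the sample tree the script writes when run without an argument is constructed.

```python
"""Scan a Magento code tree for the adminLoadLicense backdoor indicator (added example)."""
import re
import sys
import tempfile
from pathlib import Path

# Indicator from the advisory: the function name carried by the injected backdoor.
BACKDOOR_FUNC = re.compile(r"function\s+adminLoadLicense\s*\(", re.IGNORECASE)
SUSPECT_NAMES = {"license.php", "licenseapi.php"}  # file names the advisory ties it to
# Assumed secondary indicators (my heuristic, not advisory IoCs): calls a license
# loader has no business making unless it executes supplied code.
EXEC_HINTS = re.compile(r"\b(eval|assert|system|shell_exec|passthru)\s*\(", re.IGNORECASE)

def scan_file(path):
    """Return a finding for one PHP file, or None when adminLoadLicense is absent."""
    src = Path(path).read_text(encoding="utf-8", errors="replace")
    if not BACKDOOR_FUNC.search(src):
        return None
    name = Path(path).name
    return {"name": name, "path": str(path), "name_match": name.lower() in SUSPECT_NAMES,
            "exec_hints": sorted({m.group(1).lower() for m in EXEC_HINTS.finditer(src)})}

def scan_tree(root):
    """Walk root and return findings for every .php file defining adminLoadLicense."""
    candidates = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() == ".php")
    return sorted((f for f in map(scan_file, candidates) if f), key=lambda f: f["path"])

def make_sample_tree():
    """Write a constructed mini tree: a clean License.php and a flagged LicenseApi.php."""
    module = Path(tempfile.mkdtemp(prefix="magento-scan-")) / "app" / "code" / "Vendor" / "Module"
    module.mkdir(parents=True)
    files = {
        "License.php": "<?php\nclass License {\n  public function validate($k) { return strlen($k) === 32; }\n}\n",
        # Stand-in for the pattern the advisory describes, not the real payload.
        "LicenseApi.php": "<?php\nclass LicenseApi {\n  public function adminLoadLicense($d) { eval($d); }\n}\n",
    }
    for name, src in files.items():
        (module / name).write_text(src)
    return str(module)

if __name__ == "__main__":
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()):
        print(f["path"], "name match:", f["name_match"], "exec hints:", ", ".join(f["exec_hints"]) or "none")
```

Run it as `python3 scan.py /var/www/magento` against a real install; a hit with a name match and exec hints is worth treating as a confirmed compromise until proven otherwise.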
Read the full article HERE