New Ransomware KimcilWare Targets Magento Websites

Ransomware dubbed KimcilWare is targeting websites running the e-commerce platform Magento and encrypting website files.

New ransomware called KimcilWare is targeting websites running the Magento ecommerce platform, used by the likes of Vizio, Olympus and Nike.

According to security experts from the online community BleepingComputer, hackers exploit vulnerabilities in the Magento ecommerce platform and install the KimcilWare ransomware on the web server. Once it is installed, attackers use Rijndael block ciphers to encrypt website files and demand Bitcoin payments ranging from $140 USD to $415 USD for decryption.

Campbell, Calif.-based Magento, which is used by more than 200,000 companies according to its website, offers ecommerce solutions including backend order management, online retail solutions and community tools. In a statement to Threatpost, Magento said it believes attackers are not singling out Magento and that attacks are targeting “more general web server vulnerabilities.”

“While there are reports circulating about ransomware focused on Magento shops, we do not believe that there is a new attack vector, nor do we believe that this issue is specific to Magento,” the statement read.

MalwareHunterTeam said that it knows of 10 sites that have been attacked by KimcilWare. The first known attack was on Feb. 11 and was made public on the site Zone-h by what MalwareHunterTeam believes to be the hacker. More recently, on March 3, a Magento customer posted about its run-in with the KimcilWare ransomware.

Magento counters MalwareHunterTeam’s assertion, stating it’s only aware of four sites that have been impacted by the ransomware. “There has been no increase in that number (of infections) since its initial discovery,” Magento wrote.

MalwareHunterTeam said it was unaware if the impacted sites on its radar screen were running the most recent patched version of the Magento software. However, in one instance, MalwareHunterTeam said a site was running the most recent version of the Magento software. But the team pointed out it was unclear what the configuration of the server was, making it hard to determine exactly what caused the vulnerability.

“We do not know if the site was using shared hosting or not. If shared hosting was used and not well configured, attackers could get in easily from hacking anything vulnerable on the server,” the MalwareHunterTeam told Threatpost in written correspondence.

On one Magento user forum, a customer posted that he had installed a clean and up-to-date version of Magento software on his server and was infected by KimcilWare. He theorized it was tied to a Helios Vimeo Video Gallery extension used on his site.

Magento said there is no evidence that a Magento extension is being used as an attack vector. “We removed that extension as a precaution and scanned for malware, but have found no evidence of malware,” it wrote. The statement did specify which extension was scanned.

Who is behind the attacks and how they are penetrating the Magento platform is still an unknown. However, MalwareHunterTeam has discovered a few clues such as the fact attackers are gaining access to targeted servers via what are called web shells. “The ‘hacker’ is using web shells which are usually used by automatic attacker tools, and if the web shells was successfully uploaded, the hacker gets an email of it,” wrote MalwareHunterTeam.

Web shells are small programs or scripts that an attacker can install on vulnerable servers. They can then be used by the attacker to run system commands via a web-based interface.

The malware is easy to spot, encrypting all data on the Magento server with the .kimcilware extension. Attackers then insert an index.html file that contains the ransom note demands, according to BleepingComputer, another security firm that has documented the attacks.
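The two indicators described above (files carrying the .kimcilware extension and a dropped index.html) can be checked across a web root during incident triage. The following is an added example, not code from the article, BleepingComputer or MalwareHunterTeam; the function names, the constructed sample tree and the modification-time heuristic for picking out the ransom note are assumptions.

```python
import os
import sys
from pathlib import Path

MARKER_SUFFIX = ".kimcilware"  # extension reported in the article
NOTE_NAME = "index.html"       # ransom note filename reported in the article

def triage_webroot(root):
    """Summarise signs of KimcilWare-style encryption under a web root."""
    root = Path(root)
    total, encrypted = 0, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            if name.lower().endswith(MARKER_SUFFIX):
                encrypted.append(Path(dirpath) / name)
    # Earliest mtime among encrypted files approximates when encryption began.
    first_hit = min((p.stat().st_mtime for p in encrypted), default=None)
    notes = []
    if first_hit is not None:
        # Assumption: the note was written no earlier than the first encrypted file.
        notes = [p for p in root.rglob(NOTE_NAME) if p.stat().st_mtime >= first_hit]
    rel = lambda paths: sorted(p.relative_to(root).as_posix() for p in paths)
    return {"total_files": total, "encrypted": rel(encrypted),
            "first_encrypted_mtime": first_hit, "candidate_notes": rel(notes)}

def build_sample(root):
    """Constructed sample tree (not real victim data) with fixed mtimes."""
    layout = {"config.php.kimcilware": 1000, "media/logo.png.kimcilware": 1005,
              "robots.txt": 500, "index.html": 1010, "docs/index.html": 400}
    for name, mtime in layout.items():
        path = Path(root) / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample")
        os.utime(path, (mtime, mtime))
    return Path(root)

if __name__ == "__main__" and len(sys.argv) > 1:
    report = triage_webroot(sys.argv[1])
    for key, value in report.items():
        print(f"{key}: {value}")
```

File modification times can be altered by whoever controls the server, so treat the reported start time as a lead for the timeline and confirm it against web server and upload logs.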

BleepingComputer does not know the precise origin of KimcilWare, but believes it is tied to the open-source ransomware sample called Hidden Tear. Hidden Tear was released in August 2015 for educational purposes by Turkish security researcher Utku Sen and inspired a flurry of spin-offs. MalwareHunterTeam points out: “KimcilWare is coded in PHP and targets websites. There is another ransomware from this individual, called MireWare, which is the variant of Hidden Tear.”

Magento told Threatpost that it has applied all available patches to its software. “We post regular updates about potential security issues at our Security Center and encourage merchants to check there for news about any issues,” it wrote.
