On Sunday, May 12, 2019, security researcher Willem de Groot tweeted, “Supply chain attack of the week: @Picreel_ marketing software got hacked last night, their 1200+ customer sites are now leaking data to an exfil server in Panama.” He later added, “And also hacked: https://CloudCMS(.)com with some 3400 sites.”
These were Magecart attacks. RiskIQ, which has made a point of tracking and profiling Magecart, has now added details. It doesn’t explain how Picreel and Cloud CMS were hacked, but it does describe what happened next. (Note that Cloud CMS has told SecurityWeek separately that it was Alpaca Forms rather than any part of Cloud CMS that was compromised.)
Magecart is the most prolific of current web-based bank card skimmers. It is neither a single group nor a specific malware; it is rather a methodology. It is believed that Magecart now comprises around a dozen different actors. Recent major Magecart attacks included Ticketmaster and British Airways in 2018, and a French ad agency and PrismRBS (which serves hundreds of campus stores in the U.S. and Canada) in 2019.
From its own telemetry, RiskIQ saw hundreds of websites loading the contaminated Picreel script, but believes that a coding error in the attackers' skimmer will have spared many of them. Picreel claims thousands of customers, and its software integrates with WordPress, BigCommerce, Shopify and Cratejoy.
Cloud CMS is a headless content management system that runs on top of MongoDB, Elasticsearch and AWS. It is less popular in absolute terms than Picreel: RiskIQ's telemetry is aware of only a few hundred users. The compromised script was specific to version 1.5.23, which is used by only about 20% of those users.
Both scripts were tampered with within six hours of each other on May 10, 2019, two days before de Groot issued the first public warning. The same skimmer was used in both cases, leading RiskIQ to attribute both to the same actor. Stolen data would have been exfiltrated to font-assets[.]com, which is associated with ww1-filecloud[.]com, another domain owned by the same attackers. “Both domains have been taken down and/or sinkholed with the help of Abuse.CH and the Shadowserver Foundation,” says RiskIQ.
Cloud CMS told SecurityWeek that it was Alpaca Forms rather than Cloud CMS that was compromised. “The security of Cloud CMS, its customers and its products has not been compromised,” it said. The confusion may have arisen because Alpaca Forms was originally developed by Cloud CMS, but was open-sourced nearly eight years ago (although Alpaca is still sponsored by Cloud CMS).
Alpaca Forms is typically downloaded from GitHub, or loaded from a content delivery network (CDN) provided by Cloud CMS. The CDN version runs on Amazon CloudFront (using an origin-backed distribution). “We discovered that a hacker compromised the aforementioned file at 11:43am GMT using an HTTPD (Apache Server) vulnerability,” wrote Michael Uzquiano, CTO at Cloud CMS, in the email sent to SecurityWeek. “They were able to inject some code at the end of the Alpaca minified file. It was very obfuscated but malicious in nature.”
Cloud CMS disabled the CDN, and then brought it back online with the correct files. Since then, Cloud CMS has switched its CDN to jsDelivr, and expects to end-of-life the existing CDN by the end of this week. “This isn't because we think there's a security vulnerability anymore (we completely changed how the CDN was mounted, the attack vector now eliminated),” said Uzquiano. “Rather we felt it would be best going forward so as to avoid any future confusion with Cloud CMS. This is a better option for the open source community since jsDelivr is currently best of breed.”
The danger from Magecart attacks is that, unless detected by third parties like Willem de Groot or RiskIQ, they are largely invisible. Compromised scripts are fetched and executed by the customer website, often automatically on every page load, without any inspection of their contents. Card details are then silently skimmed and exfiltrated when a visitor enters them into the online payment form, and the first real visibility can be bank fraud on the stolen cards.