Our security researchers have recently uncovered an ongoing hacking campaign that targets thousands of OpenCart stores. The attackers exploit SQL injection (SQLi) flaws in OpenCart modules and in unpatched extensions installed on the site to dump the customer database, then email the store owner to announce that their OpenCart database has been hacked.
In the same emails the threat actors inform the site owners that their database has been hacked and offer their services to fix the vulnerabilities.
Our research team, led by Ananda, has been monitoring this campaign since early August; it has compromised many e-commerce sites running on the OpenCart platform. This week we have seen a surge in activity, along with OpenCart site owners reporting that their databases have been hacked.
How do hackers get access to your OpenCart database?
During the analysis of this campaign, our researchers observed that the attackers use sqlmap to find and exploit SQL injection points in the e-commerce platform.
sqlmap is an open-source tool that automates the detection and exploitation of SQL injection: it enumerates input parameters (GET and POST parameters, cookies, headers), injects test payloads into them, and uses the database server's responses to confirm the flaw, fingerprint the DBMS and dump tables. Although it is useful for testers and security experts to find weak points and patch them, attackers use the same automation to pull customer databases out of vulnerable stores.
Vulnerability Exploited: SQL Injection Vulnerability in PreOrder by iSenseLab module
Because the injection was in an OpenCart site, our researchers suspected that the site's theme or one of its installed modules was the vulnerable component. Further investigation showed that the widely used OpenCart extension PreOrder by iSenseLab had a SQLi vulnerability, which the hacker exploited to gain unauthorized access to the site's database.
The PreOrder module lets customers order products that are currently out of stock by replacing the Add-To-Cart button with a Pre-Order button, so customers can use OpenCart's pre-order functionality and are aware that they are pre-ordering the specific product.
The hackers are exploiting older versions of the PreOrder extension, which implemented no input validation for the public function. Because the request parameter reached the SQL query unvalidated, the affected sites were open to SQL injection.
Our researchers confirmed the SQLi vulnerability in version 2.9.3 of the PreOrder module. Earlier versions may also be vulnerable (we have not verified them). We advise updating the extension to its latest version, 2.9.6 (for OpenCart 2.0.x to 2.3.x), which we verified and found not to be vulnerable.
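The pattern behind this class of bug, and why sqlmap finds it so easily, as an added example that is not the PreOrder module's code nor Astra's: a hypothetical product lookup written in Python over SQLite, shown in its vulnerable form beside the hardened one. The extension itself is PHP; the equivalent OpenCart fix is casting the id with `(int)` or passing it through `$this->db->escape()` before building the query string. The table names, the sample rows and the payload strings are constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema: a minimal store with a product table (what a
# pre-order lookup legitimately reads) and a customer table (what the
# attackers exfiltrated). This is not OpenCart's real schema.
SCHEMA = """
CREATE TABLE oc_product (product_id INTEGER PRIMARY KEY, model TEXT, quantity INTEGER);
CREATE TABLE oc_customer (customer_id INTEGER PRIMARY KEY, email TEXT, password TEXT);
INSERT INTO oc_product VALUES (42, 'Widget', 0);
INSERT INTO oc_customer VALUES (1, 'alice@example.com', '$2y$10$hash-a');
INSERT INTO oc_customer VALUES (2, 'bob@example.com', '$2y$10$hash-b');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def preorder_lookup_vulnerable(conn, product_id):
    """Hypothetical vulnerable pattern: the request parameter is concatenated
    into the SQL text, so anything after a closing quote is executed as SQL."""
    sql = ("SELECT model, quantity FROM oc_product "
           "WHERE product_id = '" + product_id + "'")
    return conn.execute(sql).fetchall()

def preorder_lookup_fixed(conn, product_id):
    """Hardened version: reject non-numeric ids, then bind the value as a
    parameter so the database never parses it as SQL."""
    if not product_id.isdigit():
        raise ValueError("product_id must be a positive integer")
    sql = "SELECT model, quantity FROM oc_product WHERE product_id = ?"
    return conn.execute(sql, (int(product_id),)).fetchall()

# Payloads of the kind sqlmap sends (constructed here, not captured traffic).
# Boolean-based detection: the tool compares the response to a true condition
# with the response to a false one; a difference means the quote broke out.
BLIND_TRUE = "42' AND '1'='1"
BLIND_FALSE = "42' AND '1'='2"
# Once the column count is known, a UNION appends another table's rows.
UNION_DUMP = "42' UNION ALL SELECT email, password FROM oc_customer -- "

def demo():
    """Run each payload through both implementations and collect the results."""
    conn = make_db()
    results = {
        "vuln_true": preorder_lookup_vulnerable(conn, BLIND_TRUE),
        "vuln_false": preorder_lookup_vulnerable(conn, BLIND_FALSE),
        "vuln_dump": preorder_lookup_vulnerable(conn, UNION_DUMP),
        "fixed_ok": preorder_lookup_fixed(conn, "42"),
    }
    try:
        preorder_lookup_fixed(conn, UNION_DUMP)
        results["fixed_payload"] = "accepted"
    except ValueError:
        results["fixed_payload"] = "rejected"
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The vulnerable lookup returns the product row for the "true" probe and nothing for the "false" one, which is exactly the differential sqlmap uses to confirm an injection point before it moves on to the UNION dump that returns the customer table. The fixed lookup never gets that far: the numeric check rejects the payload, and even a value that passed the check would be bound as data rather than spliced into the statement.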
Email sent by the hacker to one of the OpenCart site owners:
After successfully exploiting this vulnerability, the hackers dump the site's database and email the victim claiming that they have hacked the website, attaching screenshots of the stolen database as proof.
I found a vulnerability on your website and this vulnerability allows me to easily access your database.
- If vulnerability is ignored:
The contents of your database are very easy for hackers to know.
Your website will be planted with backdoor scripts by hackers, so hackers can enter at any time without having to go through the login page.
Client and admin data from your website will be stolen, changed, and deleted by hackers.
Client data can be misused, because usually clients use the same password on other accounts or websites.
If your client knows, chances are your client will not visit your website because they feel unsafe filling out forms or transacting on your website.
I will help you fix it, by sending a report in the form of a 15-17 page document, depending on the vulnerability on your website.
- The report I will send is about:
1. location of vulnerability
2. how to fix it
3. how to prevent vulnerability
4. How to Strengthen Website Security.
Are you interested?
I attach the results of the vulnerability that I found, that is, the contents of your database, which are very easy to know.
Detection and Mitigation
This campaign targets internet-facing OpenCart sites and the modules installed on them. To check whether your store has been compromised, Astra Security provides a web application firewall and security audit that detect such infections and hacking attempts and recommend fixes, including blocking automated tools such as sqlmap so that your site stays protected against this kind of attack.
It is also highly recommended not to expose database servers to the internet. Instead, restrict them to specific users within the organization through network segmentation and allowlist access policies. Enable logging so that suspicious, unexpected, or repeated login attempts can be monitored and alerted on (this is included in Astra Security's Firewall offering).
Regularly update the extensions, modules, themes and plugins installed on your site to their latest versions, so that known vulnerabilities like this one are patched and your site stays secure.
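What the detection side looks like in practice, as an added example that is not Astra's product code and complements the sqlmap description earlier on this page: a small Python scanner that reads web-server access log lines in combined log format (constructed for this example, not captured from a real store), flags the signals this campaign leaves, namely sqlmap's default User-Agent and the boolean-, time- and UNION-based payload families it sends, and returns the source addresses that exceed a threshold so they can be fed to a firewall or fail2ban-style blocker. The pre-order request route in the sample lines is a hypothetical endpoint, not the module's real URL.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "METHOD url PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures of the payload families sqlmap cycles through. They are matched
# against the URL-decoded request so %27 and friends cannot hide the quote.
PAYLOAD_PATTERNS = {
    "union-based payload": re.compile(r"union[\s/*]+(?:all[\s/*]+)?select", re.I),
    "boolean-based payload": re.compile(r"'\s*(?:and|or)\s*'?\d+'?\s*=\s*'?\d+", re.I),
    "time-based payload": re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I),
    "sql comment terminator": re.compile(r"(?:--\s|--$|/\*)"),
}

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Return the list of reasons a single request looks like sqlmap activity."""
    reasons = []
    # sqlmap's default User-Agent is "sqlmap/<version>#stable (http://sqlmap.org)";
    # --random-agent hides it, so the payload checks below matter more.
    if "sqlmap" in entry["ua"].lower():
        reasons.append("sqlmap user-agent")
    decoded = unquote_plus(entry["url"])
    for name, pattern in PAYLOAD_PATTERNS.items():
        if pattern.search(decoded):
            reasons.append(name)
    return reasons

def scan(lines):
    """Parse every line and keep the ones that trip at least one signal."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            alerts.append({"ip": entry["ip"], "ts": entry["ts"],
                           "url": entry["url"], "reasons": reasons})
    return alerts

def ips_to_block(alerts, min_hits=2):
    """Source addresses with at least min_hits flagged requests; one stray
    apostrophe typed into a search box should not get a customer banned."""
    hits = Counter(alert["ip"] for alert in alerts)
    return {ip for ip, n in hits.items() if n >= min_hits}

# Constructed sample log lines; the preorder route is a hypothetical endpoint.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Aug/2020:10:00:01 +0000] "GET /index.php?route=product/product&product_id=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [12/Aug/2020:10:01:02 +0000] "GET /index.php?route=extension/module/preorder&product_id=42%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "sqlmap/1.4.8#stable (http://sqlmap.org)"',
    '203.0.113.5 - - [12/Aug/2020:10:01:03 +0000] "GET /index.php?route=extension/module/preorder&product_id=42%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.4.8#stable (http://sqlmap.org)"',
    '203.0.113.5 - - [12/Aug/2020:10:01:04 +0000] "GET /index.php?route=extension/module/preorder&product_id=42%27%20UNION%20ALL%20SELECT%20email%2Cpassword%20FROM%20oc_customer--%20 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '198.51.100.7 - - [12/Aug/2020:10:02:00 +0000] "POST /index.php?route=account/login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(alert["ip"], alert["ts"], ", ".join(alert["reasons"]))
    print("block:", sorted(ips_to_block(found)))
```

The third flagged request in the sample carries a browser User-Agent and is caught only by its payload, which is why a rule that merely blocks the string "sqlmap" is not enough: `--random-agent` is a one-flag evasion. Conversely, the status code is deliberately ignored here, because a successful injection returns 200 just like a normal page view; the response size or timing is a better secondary signal if the log has it.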