Gang wielding ColdFusion exploits expands botnet of hacked e-commerce sites

A German website of French automaker Citroën is the latest of the wide array of higher-profile webshop sites that have been compromised by a hacker gang leveraging Adobe ColdFusion vulnerabilities.

According to The Guardian, the website in question – shop.citroen.de – is a site for buying Citroën-themed gifts, and was run by third-party web design company anyMotion.

The hackers have managed to compromise it and install a backdoor that would give them continuous access to the server on which it was hosted, and the user information it contained.

anyMotion has apparently closed the backdoor and is working on establishing whether the server has been otherwise compromised. It is still unknown what data has been stolen, but Citroën has been urging its German customers to check their bank balances for suspicious transactions, which seems to indicate that payment card data was probably snatched.

The company also reset user and site admin passwords, so it’s likely that information was also compromised.

“This report makes two very important points to running a business on the Internet,” commented Lancope CTO Tim Keanini. “The first is that staying up to date on currently exploited vulnerabilities may be just enough margin of time to remediate before your next in line. If you know on Monday that version 123 of application ABC is being exploited, and by Tuesday you have upgraded or mitigated the vulnerability, you pull yourself out of the target space. You can rest assured that these guys are hunting down more victims on the Internet that match this victim’s criteria. It is not over yet.

“The second is the fact that ‘security is everyone’s responsibility’. Just because you outsource some function of the company does not make security their problem and no longer your problem. In fact, you should go through the entire list of partners you have and ask yourself, if any of these business functions were exploited, what would that do to the continuity of my business. Now is the time to surface these dependencies, not after they are breached,” he concluded.

According to Brian Krebs, previous targets of this same gang include jam and jelly maker Smucker’s, credit card processing firm Securepay, a string of US data brokers, PR Newswire, Adobe and, lastly, Citroën, as well as two US companies selling lighting products in their online stores and LaCie, a Seagate-owned hardware company.

“The two companies that agreed to talk with me were both lighting firms, and both first learned of their site compromises after the credit card firm Discover alerted their card processors to a pattern of fraudulent activity on cards that were recently used at the stores,” he noted.

The two companies in question are Elightbulbs.com and Kichlerlightinglights.com, both of which ultimately decided to outsource credit card processing to a third party so that they would no longer hold payment card data and be responsible for its compromise in the future.

As it happens, Elightbulbs.com had even hired a security compliance firm to test the site and servers for security weaknesses just before the breach was carried out, and the firm missed the ColdFusion flaws exploited by the attackers.
