Magecart Skimmers Found on Amazon CloudFront CDN (Jun 8, 2019)
Malwarebytes researchers discovered a number of web properties on Amazon CloudFront compromised by the financially-motivated threat actors referred to by the umbrella term "Magecart." Hosted JavaScript libraries within the Content Delivery Network (CDN) were tampered with and injected with web skimmers. Upon analyzing the breaches, it was found that they were a continuation of a campaign by Magecart threat actors attempting to affect a large number of web properties at once. The sites identified had nothing in common other than the fact that they were all using their own custom CDN to load libraries. The victims identified in this campaign were contacted by Malwarebytes, and some have remediated the breach. Additionally, abuse reports were filed directly with Amazon.
Recommendation: Your company should have protocols in place to ensure that all cloud storage systems are properly configured and patched. Amazon S3 buckets are too often misconfigured, and threat actors realize there is potential for malicious activity if the buckets are targeted. A defense-in-depth approach (layering of security mechanisms, redundancy, fail-safe defense processes) is a good mitigation step to help prevent attacks from highly-active threat groups such as Magecart.
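One concrete defense-in-depth layer for the scenario above is integrity checking of the JavaScript libraries a site loads from its own CDN: if a hosted file is altered, its digest no longer matches the digest recorded when it was known-good, and an `integrity` attribute (Subresource Integrity, SRI) makes the browser refuse the altered file outright. The following is an added example, not code from Malwarebytes or from any of the affected sites, and it goes slightly beyond the page by showing SRI generation alongside the monitoring check. File paths and contents are constructed samples; in practice the pinned manifest would be produced from vendor releases or your own build pipeline and the "fetched" contents would come from the CDN.

```python
import base64
import hashlib

# Constructed sample: contents of library files at the moment they were
# verified as clean (a stand-in for the real library bodies).
KNOWN_GOOD = {
    "js/jquery.min.js": b"/* constructed stand-in for a hosted jQuery build */\n",
    "js/checkout.js": b"/* constructed stand-in for a first-party checkout script */\n",
}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI-formatted digest, e.g. 'sha384-<base64>'.

    sha384 is the usual choice for the integrity attribute; sha256 and
    sha512 are also accepted by browsers.
    """
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_manifest(assets: dict) -> dict:
    """Pin a digest for every known-good asset (path -> SRI string)."""
    return {path: sri_hash(body) for path, body in assets.items()}


def audit_assets(fetched: dict, manifest: dict) -> list:
    """Compare currently-served assets against the pinned manifest.

    Returns the sorted list of paths that are either unpinned (unexpected new
    file on the CDN) or whose digest no longer matches (possible tampering).
    """
    findings = []
    for path, body in fetched.items():
        expected = manifest.get(path)
        if expected is None or sri_hash(body) != expected:
            findings.append(path)
    return sorted(findings)


def render_script_tag(src: str, content: bytes) -> str:
    """Emit a <script> tag that pins the library with SRI.

    With this attribute, a browser that downloads a modified copy of the file
    refuses to execute it, which blunts a CDN-side injection even before the
    monitoring check above notices the change.
    """
    return (
        f'<script src="{src}" integrity="{sri_hash(content)}" '
        f'crossorigin="anonymous"></script>'
    )


if __name__ == "__main__":
    manifest = build_manifest(KNOWN_GOOD)
    # Constructed "fetched" snapshot in which one file has grown an extra line.
    served = dict(KNOWN_GOOD)
    served["js/checkout.js"] += b"/* unexpected appended content */\n"
    for path in audit_assets(served, manifest):
        print(f"integrity mismatch: {path}")
    print(render_script_tag("/js/jquery.min.js", KNOWN_GOOD["js/jquery.min.js"]))
```

Run the monitor on a schedule against the live CDN origin and alert on any finding; the manifest itself should live outside the CDN so that an actor who can write to the bucket cannot also re-pin the digests.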
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.