Cybersecurity researchers have disclosed that 5% of all Adobe Commerce and Magento stores have been hacked by malicious actors exploiting a security vulnerability dubbed CosmicSting.
Tracked as CVE-2024-34102 (CVSS score: 9.8), the critical flaw is an improper restriction of XML external entity reference (XXE) vulnerability that could result in remote code execution. The shortcoming, credited to a researcher named "spacewasp," was patched by Adobe in June 2024.
Dutch security firm Sansec, which has described CosmicSting as the "worst bug to hit Magento and Adobe Commerce stores in two years," said the e-commerce sites are being compromised at the rate of three to five per hour.
The flaw has since come under widespread exploitation, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog in mid-July 2024.
Some of these attacks involve weaponizing the flaw to steal Magento's secret encryption key, which is then used to generate JSON Web Tokens (JWTs) with full administrative API access. The threat actors have then been observed taking advantage of the Magento REST API to inject malicious scripts.
This also means that applying the latest fix alone is insufficient to secure against the attack; site owners must also rotate the encryption keys.
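Why rotation only helps when the old key is actually invalidated, as an added illustration (not Magento's own code; the HS256 JWT layout and the claim set are simplifying assumptions here): a token minted with the leaked secret stays valid for as long as any verifier still accepts that secret.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    # Compact HS256 JWT: whoever holds `key` can mint one, which is the whole problem.
    compact = {"separators": (",", ":"), "sort_keys": True}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    body = _b64url(json.dumps(claims, **compact).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, accepted_keys):
    """Return the claims if the signature matches ANY accepted key, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    given = _b64url_decode(sig)
    for key in accepted_keys:
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, given):
            return json.loads(_b64url_decode(body))
    return None


# Constructed sample keys: OLD_KEY stands for the secret already read through the
# file-read bug; NEW_KEY is the replacement generated during rotation.
OLD_KEY = b"constructed-old-crypt-key"
NEW_KEY = b"constructed-new-crypt-key"


def rotation_outcomes():
    """Is a token minted with the stolen key still honoured under each keyring?"""
    stolen_key_token = sign_hs256({"uid": 1, "role": "admin"}, OLD_KEY)  # assumed claims
    return {
        "before_rotation": verify_hs256(stolen_key_token, [OLD_KEY]) is not None,
        # Rotation that keeps the old key as a fallback changes nothing for the attacker.
        "rotated_but_old_key_kept": verify_hs256(stolen_key_token, [NEW_KEY, OLD_KEY]) is not None,
        # Only dropping the old key from the accepted set rejects the forged token.
        "rotated_and_old_key_invalidated": verify_hs256(stolen_key_token, [NEW_KEY]) is not None,
    }
```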
Subsequent attacks observed in August 2024 have chained CosmicSting with CNEXT (CVE-2024-2961), a vulnerability in the iconv library within the GNU C library (aka glibc), to achieve remote code execution.
"CosmicSting (CVE-2024-34102) allows arbitrary file reading on unpatched systems. When combined with CNEXT (CVE-2024-2961), threat actors can escalate to remote code execution, taking over the entire system," Sansec noted.
The end goal of the compromises is to establish persistent, covert access on the host via GSocket and insert rogue scripts that allow for the execution of arbitrary JavaScript received from the attacker in order to steal payment data entered by users on the sites.
The latest findings show that several companies, including Ray Ban, National Geographic, Cisco, Whirlpool, and Segway, have fallen victim to CosmicSting attacks, with at least seven distinct groups partaking in the exploitation efforts:
- Group Bobry, which uses whitespace encoding to hide code that executes a payment skimmer hosted on a remote server
- Group Polyovki, which uses an injection from cdnstatics.net/lib.js
- Group Surki, which uses XOR encoding to conceal JavaScript code
- Group Burunduki, which fetches dynamic skimmer code from a WebSocket at wss://jgueurystatic[.]xyz:8101
- Group Ondatry, which uses custom JavaScript loader malware to inject bogus payment forms that mimic the legitimate ones used by the merchant sites
- Group Khomyaki, which exfiltrates payment information to domains that include a 2-character URI ("rextension[.]net/za/")
- Group Belki, which uses CosmicSting with CNEXT to plant backdoors and skimmer malware
"Merchants are strongly advised to upgrade to the latest version of Magento or Adobe Commerce," Sansec said. "They should also rotate secret encryption keys, and ensure that old keys are invalidated."