Cyber security researchers have revealed that 5% of all Adobe Commerce and Magento stores were compromised by attackers exploiting a security vulnerability dubbed CosmicSting.
Tracked as CVE-2024-34102 (CVSS score: 9.8), the critical flaw is an improper restriction of XML External Entity (XXE) references that could lead to remote code execution. The flaw, credited to a researcher known as “space wasp,” was patched by Adobe in June 2024.
Dutch security firm Sansec has described CosmicSting as “the worst bug to hit Magento and Adobe Commerce stores in the last two years.”
The shortcoming has since come under extensive exploitation, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog in mid-July 2024.
Some of these attacks involve weaponizing the flaw to steal Magento’s secret encryption key, which is then used to generate JSON Web Tokens (JWT) with full administrative access to the API. The threat actors were then observed abusing the Magento REST API to inject malicious scripts.
This also means that applying the latest patch is not enough to protect against the attack; site owners must also rotate their encryption keys.
Subsequent attacks observed in August 2024 chained CosmicSting with CNEXT (CVE-2024-2961), a vulnerability in the iconv function of the GNU C Library (aka glibc), to achieve remote code execution.
“CosmicSting (CVE-2024-34102) allows arbitrary file reading on unpatched systems. When combined with CNEXT (CVE-2024-2961), threat actors could advance to remote code execution, taking over the entire system,” Sansec noted.
The ultimate goal of the compromises is to establish persistent, covert access to the host via GSocket and to inject rogue scripts that execute arbitrary attacker-supplied JavaScript in order to steal payment data entered by users on the site.
Recent findings show that several companies, including Ray-Ban, National Geographic, Cisco, Whirlpool and Segway, have fallen victim to CosmicSting attacks, with at least seven separate groups involved in the exploitation effort:
- Beaver group, which uses whitespace encoding to hide code that executes a payment skimmer hosted on a remote server
- Polevyka group, which uses an injection from cdnstatics.net/lib.js
- Groundhog group, which uses XOR encoding to hide its JavaScript code
- Chipmunks group, which loads dynamic skimmer code from a WebSocket at wss://jgueurystatic(.)xyz:8101
- Ondatry group, which uses JavaScript loader malware to inject fake payment forms that mimic the legitimate forms used on merchant sites
- Hamster group, which exfiltrates payment information to domains with a two-letter URI path (e.g. “rextension(.)net/za/”)
- Maybe group, which uses CosmicSting together with CNEXT to install backdoors and skimmer malware
“Sellers are strongly encouraged to upgrade to the latest version of Magento or Adobe Commerce,” Sansec said. “They must also change the encryption secrets and make sure that the old keys are invalidated.”
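The advice above, and the earlier point that patching alone does not help once the encryption key has been read, come down to one mechanism: API tokens are JWTs signed with the store's secret, so any token minted with a leaked key keeps validating until that key is retired. The following is an added illustration written for this article; it is not Sansec's or Adobe's code and does not reproduce Magento's real token format. It assumes HS256-signed JWTs, uses constructed demo keys and constructed claim names, and shows a server-side verifier that, after rotation, not only rejects tokens signed with the old key but flags them as evidence that someone still holds the retired secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# All keys and claims below are constructed for the demo.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT (standard JWT layout, nothing Magento-specific)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class KeyRing:
    """Server-side view of the store secret: one active signing key plus the
    keys that were rotated out. Retired keys are never trusted again."""

    def __init__(self, active: bytes):
        self.active = active
        self.retired = set()

    def rotate(self, new_key: bytes) -> None:
        self.retired.add(self.active)
        self.active = new_key


def _sig_matches(key: bytes, h: str, p: str, sig: bytes) -> bool:
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def classify_token(token: str, ring: KeyRing, now: Optional[float] = None) -> str:
    """'valid'       -> signed by the active key and unexpired
    'retired-key'   -> signature matches a rotated-out key: reject, and alert,
                       because the old secret is still in someone's hands
    'invalid'       -> anything else (bad shape, wrong alg, bad signature, expired)"""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # covers unpack, base64 and JSON errors
        return "invalid"
    if header.get("alg") != "HS256":  # refuse 'none' and algorithm confusion
        return "invalid"
    if _sig_matches(ring.active, h, p, sig):
        ts = now if now is not None else time.time()
        return "valid" if claims.get("exp", 0) > ts else "invalid"
    if any(_sig_matches(k, h, p, sig) for k in ring.retired):
        return "retired-key"
    return "invalid"


def demo() -> dict:
    """Walk through: key leaked, store patched but key unchanged, then key rotated."""
    leaked_key = b"constructed-demo-key-read-via-xxe"
    ring = KeyRing(leaked_key)
    admin_claims = {"sub": "admin", "role": "admin", "exp": 4102444800}  # constructed
    # A token minted by whoever holds the leaked key validates on a patched,
    # unrotated store exactly like a legitimate one.
    old_key_token = sign_jwt(admin_claims, leaked_key)
    before = classify_token(old_key_token, ring)
    ring.rotate(b"constructed-demo-key-fresh-random-value")
    after = classify_token(old_key_token, ring)
    fresh_token = sign_jwt(admin_claims, ring.active)
    return {
        "before_rotation": before,   # 'valid'
        "after_rotation": after,     # 'retired-key'
        "fresh_token": classify_token(fresh_token, ring),  # 'valid'
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is the `retired` set: a verifier that simply forgets the old key would return a bare "invalid" for these tokens, which looks like any expired session. Keeping the retired keys (for verification only, never for signing) turns every use of the leaked secret into a distinguishable signal worth logging and alerting on.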