
Adobe Commerce and Magento Shops Under Attack from CosmicSting Exploit

Cybersecurity researchers have disclosed that 5% of all Adobe Commerce and Magento shops have been hacked by malicious actors exploiting a security vulnerability dubbed CosmicSting.

Tracked as CVE-2024-34102 (CVSS score: 9.8), the critical flaw is an improper restriction of XML external entity reference (XXE) vulnerability that could lead to remote code execution. The bug, credited to a researcher named “spacewasp,” was patched by Adobe in June 2024.

Dutch security firm Sansec, which has described CosmicSting as the “worst bug to hit Magento and Adobe Commerce stores in two years,” said the e-commerce sites are being compromised at a rate of three to five per hour.


The flaw has since come under widespread exploitation, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog in mid-July 2024.

Some of these attacks involve weaponizing the flaw to steal Magento’s secret encryption key, which is then used to generate JSON Web Tokens (JWTs) with full administrative API access. The threat actors have then been observed taking advantage of the Magento REST API to inject malicious scripts.


This also means that applying the latest fix alone is insufficient to secure against the attack, necessitating that site owners take steps to rotate the encryption keys.
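The reason rotation alone is not enough is visible in how a verifier treats its accepted keys. As an added example (not code from the article or from Magento), here is a minimal HS256 JWT verifier in Python with an accepted-key list: a token minted under the leaked key keeps verifying as long as that key is still accepted, and only fails once it is removed. The key values and claims are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys for the demonstration, not real Magento crypt keys.
LEAKED_KEY = b"constructed-old-crypt-key-read-via-xxe"
ROTATED_KEY = b"constructed-new-crypt-key-after-rotation"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; anyone holding `key` can do this, which is why a leaked key matters."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"

def verify_hs256(token: str, accepted_keys: list) -> "dict | None":
    """Return the claims if the token verifies under any accepted key, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse alg=none and algorithm confusion
        signing_input = f"{header_b64}.{payload_b64}".encode()
        signature = _b64url_decode(sig_b64)
        for key in accepted_keys:
            expected = hmac.new(key, signing_input, hashlib.sha256).digest()
            if hmac.compare_digest(expected, signature):
                return json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64/UTF-8/JSON
        pass
    return None

def leaked_key_still_works(old_key_invalidated: bool) -> bool:
    """Does a token minted with the leaked key still pass after the key was rotated?"""
    forged = sign_hs256({"sub": "admin", "role": "administrator"}, LEAKED_KEY)  # constructed claims
    accepted = [ROTATED_KEY] if old_key_invalidated else [ROTATED_KEY, LEAKED_KEY]
    return verify_hs256(forged, accepted) is not None
```

Keeping the old key in the accepted list (as a rotation that only adds a new key does) leaves every token minted with the stolen key valid; dropping it is what actually revokes them.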


Subsequent attacks observed in August 2024 have chained CosmicSting with CNEXT (CVE-2024-2961), a vulnerability in the iconv library within the GNU C library (aka glibc), to achieve remote code execution.

“CosmicSting (CVE-2024-34102) allows arbitrary file reading on unpatched systems. When combined with CNEXT (CVE-2024-2961), threat actors can escalate to remote code execution, taking over the entire system,” Sansec noted.

The end goal of the compromises is to establish persistent, covert access on the host via GSocket and insert rogue scripts that allow for the execution of arbitrary JavaScript received from the attacker in order to steal payment data entered by users on the sites.


The latest findings show that several companies, including Ray Ban, National Geographic, Cisco, Whirlpool, and Segway, have fallen victim to CosmicSting attacks, with at least seven distinct groups engaging in the exploitation efforts –

  • Group Bobry, which uses whitespace encoding to hide code that executes a payment skimmer hosted on a remote server
  • Group Polyovki, which uses an injection from cdnstatics.net/lib.js
  • Group Surki, which uses XOR encoding to conceal JavaScript code
  • Group Burunduki, which accesses dynamic skimmer code from a WebSocket at wss://jgueurystatic[.]xyz:8101
  • Group Ondatry, which uses custom JavaScript loader malware to inject bogus payment forms that mimic the legitimate ones used by the merchant sites
  • Group Khomyaki, which exfiltrates payment information to domains that include a 2-character URI (“rextension[.]net/za/”)
  • Group Belki, which uses CosmicSting with CNEXT to plant backdoors and skimmer malware

“Merchants are strongly advised to upgrade to the latest version of Magento or Adobe Commerce,” Sansec said. “They should also rotate secret encryption keys, and make sure that old keys are invalidated.”
