Warning: Adobe Commerce and Magento Stores Facing Attack from CosmicSting Vulnerability

Oct 02, 2024Ravie LakshmananVulnerability / Data Breach

A report from cybersecurity experts has revealed that 5% of all Adobe Commerce and Magento stores are currently under attack by CosmicSting, a security loophole being exploited by malicious entities.

Identified as CVE-2024-34102 (CVSS score: 9.8), this critical vulnerability is an XML external entity reference (XXE) flaw that can lead to remote code execution. The flaw, discovered by a researcher known as “spacewasp,” was patched by Adobe in June 2024.

Sansec, a Dutch security company, has labeled CosmicSting as the “most severe bug impacting Magento and Adobe Commerce platforms in the last two years,” noting that online stores are falling prey to this threat at a rate of three to five every hour.

This vulnerability has been extensively exploited, leading the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to include it in the Known Exploited Vulnerabilities (KEV) list in mid-July 2024.

Some of these breaches have involved leveraging the flaw to steal Magento’s secret encryption key and using it to create JSON Web Tokens (JWTs) that grant full administrative API access. Perpetrators have then been seen using the Magento REST API to embed malicious scripts.

It is crucial to note that merely installing the latest patch will not suffice to protect against the breach. Site owners must also take measures to rotate the encryption keys.
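The two paragraphs above describe the chain that makes key rotation mandatory: once the signing key has been read through the XXE flaw, any JWT minted with it stays valid until the key itself is changed, no matter how current the installed patch is. The following is an added example, not code from the article, from Sansec or from Adobe/Magento, that models that situation with a minimal HS256 JWT signer and verifier and a key ring. Magento’s real token format, claims and key handling are not reproduced; the key values, claims and the `KeyRing`, `sign_jwt`, `verify_jwt` and `scenario` names are all constructed for this illustration.

```python
# Added example (not from the article or from Adobe/Magento): minimal HS256
# JWT signing/verification plus a key ring, to show that a token signed with
# a leaked key remains valid until that key is rotated and retired.
# All keys and claims below are constructed stand-ins.
import base64
import hashlib
import hmac
import json
from typing import List, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature with an HMAC-SHA256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, trusted_keys: List[bytes]) -> Optional[dict]:
    """Return the claims if the token verifies under a trusted key, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # only the algorithm we issued is accepted
        return None
    signing_input = (h + "." + p).encode()
    given = _b64url_decode(s)
    for key in trusted_keys:
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(given, expected):
            return json.loads(_b64url_decode(p))
    return None


class KeyRing:
    """Holds the current signing key; rotate() retires the old one entirely."""

    def __init__(self, initial_key: bytes) -> None:
        self.current = initial_key
        self.retired: List[bytes] = []  # kept for audit only, never trusted

    def rotate(self, new_key: bytes) -> None:
        self.retired.append(self.current)
        self.current = new_key

    def trusted(self) -> List[bytes]:
        return [self.current]


def scenario() -> dict:
    """Patch-without-rotation versus patch-plus-rotation, as booleans."""
    ring = KeyRing(b"constructed-original-crypt-key")
    leaked_key = ring.current  # what an attacker obtained via the file read
    forged = sign_jwt({"sub": "admin", "role": "administrator"}, leaked_key)
    results = {}
    # Patched but not rotated: the forged token still passes verification.
    results["forged_token_valid_before_rotation"] = (
        verify_jwt(forged, ring.trusted()) is not None
    )
    # Altering the payload without the key must fail regardless.
    h, _p, s = forged.split(".")
    tampered = h + "." + _b64url(b'{"sub":"other"}') + "." + s
    results["tampered_token_rejected"] = verify_jwt(tampered, ring.trusted()) is None
    # Rotate and retire the old key: the forged token is now worthless.
    ring.rotate(b"constructed-new-crypt-key")
    results["forged_token_valid_after_rotation"] = (
        verify_jwt(forged, ring.trusted()) is not None
    )
    fresh = sign_jwt({"sub": "admin", "role": "administrator"}, ring.current)
    results["fresh_token_valid_after_rotation"] = (
        verify_jwt(fresh, ring.trusted()) is not None
    )
    return results


if __name__ == "__main__":
    print(json.dumps(scenario(), indent=2))
```

The design point is in `KeyRing.trusted()`: it returns only the current key, which is what the article means by ensuring previous keys are deactivated. A ring that kept accepting retired keys for convenience would leave every token minted with the leaked key valid.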

Further attacks observed in August 2024 have combined CosmicSting with CNEXT (CVE-2024-2961), a vulnerability in the iconv component of the GNU C Library (glibc), to achieve remote code execution.

“CosmicSting (CVE-2024-34102) allows unauthorized access to files on unpatched systems. By pairing it with CNEXT (CVE-2024-2961), adversaries can escalate to remote code execution and seize control of the entire system,” as outlined by Sansec.

The ultimate aim of these breaches is to establish persistent, covert access to the system through GSocket (Global Socket), allowing rogue scripts to be inserted. These scripts execute arbitrary JavaScript sent by the attacker, permitting the theft of payment details entered by users on the compromised sites.

Recent discoveries indicate that several notable organizations, including Ray-Ban, National Geographic, Cisco, Whirlpool, and Segway, have fallen victim to CosmicSting attacks. At least seven distinct groups have participated in these breach attempts:

  • Group Bobry, leveraging whitespace encoding to hide payment skimmer code executed from a remote server
  • Group Polyovki, using an injection from cdnstatics.net/lib.js
  • Group Surki, employing XOR encryption to conceal JavaScript code
  • Group Burunduki, fetching dynamic skimmer code from a WebSocket at wss://jgueurystatic[.]xyz:8101
  • Group Ondatry, using customized JavaScript loader malware to inject counterfeit payment forms mimicking legitimate ones from merchant websites
  • Group Khomyaki, exfiltrating payment data to domains with a 2-character URI (“rextension[.]net/za/”)
  • Group Belki, combining CosmicSting with CNEXT to plant backdoors and skimmer malware

Sansec recommended that merchants swiftly upgrade to the most recent versions of Magento or Adobe Commerce. They should also rotate their secret encryption keys and ensure that the previous keys are deactivated.
