Security researchers have revealed that 5% of all Adobe Commerce and Magento stores have been hacked by cybercriminals exploiting a security vulnerability called CosmicSting.
Adobe Commerce and the vulnerabilities detected by cybersecurity experts
Tracked as CVE-2024-34102 (CVSS score: 9.8), the critical vulnerability is an improper restriction of XML external entity (XXE) references that can lead to remote code execution.
Don't panic: the flaw, credited to a researcher known as "spacewasp", was patched by Adobe in June 2024.
The Dutch security company Sansec, which has described CosmicSting as the "worst bug to hit Magento and Adobe Commerce stores in the last two years", said that e-commerce sites are being compromised at a rate of three to five per hour.
The vulnerability was widely exploited, prompting the United States Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog in mid-July 2024.
Some of these attacks involve tooling that exploits the flaw to steal Magento's secret encryption key, which is then used to forge JSON Web Tokens (JWT) with full access to the administrative API; the attackers were then observed using Magento's REST API to inject malicious scripts.
But what does all this mean in simple terms?
This means that applying the latest patch alone is not enough to protect an Adobe Commerce or Magento store: an attacker who stole the encryption key before the patch was applied can keep forging valid admin tokens, so site owners must also rotate the encryption key.
Subsequent attacks observed in August 2024 linked CosmicSting with CNEXT (CVE-2024-2961), a vulnerability in the iconv library within the GNU C library (also known as glibc), to achieve remote code execution.
"CosmicSting (CVE-2024-34102) allows arbitrary reading of files on outdated systems. When combined with CNEXT (CVE-2024-2961), cybercriminals can escalate privileges to the point of remote code execution, taking control of the entire system," Sansec observed.
An attack chain involving several cybercriminal groups
The ultimate goal of the compromises is to establish persistent, covert access to the host via GSocket and to inject malicious scripts that load JavaScript code served by the attacker in order to steal the payment data entered by users on the sites.
The latest findings show that several companies, including Ray-Ban, National Geographic, Cisco, Whirlpool and Segway, have fallen victim to the CosmicSting attacks, with at least seven distinct groups participating in the exploitation efforts:
- Bobry Group, which uses whitespace encoding to hide code that runs a payment skimmer hosted on a remote server.
- Polyovki Group, which uses an injection from cdnstatics.net/lib.js.
- Surki Group, which uses XOR encoding to hide its JavaScript code.
- Burunduki Group, which fetches dynamic skimmer code from a WebSocket at wss://jgueurystatic[.]xyz:8101.
- Ondatry Group, which uses custom JavaScript loader malware to inject fake payment forms that mimic the legitimate ones used by merchant sites.
- Khomyaki Group, which exfiltrates payment information to domains that include a 2-character URI path (e.g. "rextension[.]net/za/").
- Belki Group, which chains CosmicSting with CNEXT to plant backdoors and skimmer malware.
“Merchants are strongly advised to update to the latest version of Magento or Adobe Commerce,” Sansec said. “They should also rotate secret encryption keys and ensure that old keys are invalidated.”
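The mechanism behind the "patch is not enough" warning above, and behind Sansec's advice to rotate keys and invalidate old ones, can be shown in a few lines. The following is a simplified model written for this article (it is not Magento's or Sansec's code): an HS256 admin JWT is minted with a leaked crypt key, and a verifier that accepts any key in a key list keeps honouring that token as long as the leaked key remains in the list. Magento stores its crypt keys as a whitespace-separated list under crypt/key in app/etc/env.php, with the newest key last; the env.php value, key strings and claim names here are constructed for illustration.

```python
"""Model of the CosmicSting key-theft follow-on: a leaked crypt key mints an
admin JWT, and rotation only helps once the leaked key is actually removed.
Simplified model for illustration, not Magento's implementation."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_crypt_keys(env_crypt_key: str) -> List[str]:
    """Split a crypt/key value into its key list (whitespace-separated, newest last)."""
    return env_crypt_key.split()


def mint_jwt(claims: dict, key: str) -> str:
    """Sign an HS256 JWT. With a stolen crypt key this is all an attacker needs."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, accepted_keys: List[str],
               now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is signed by ANY accepted key and not
    expired, else None. Accepting every key in the list is exactly what makes
    'rotation' without removal of the old key ineffective."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # refuse alg=none / algorithm confusion
        return None
    signing_input = (h + "." + p).encode()
    current = int(time.time()) if now is None else now
    for key in accepted_keys:
        expected = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            claims = json.loads(_b64url_decode(p))
            if claims.get("exp", 0) < current:
                return None
            return claims
    return None


def rotation_scenario() -> Dict[str, bool]:
    """Walk through the three states a store can be in after CosmicSting."""
    leaked_key = "0123456789abcdef0123456789abcdef"   # constructed: key read via XXE
    fresh_key = "fedcba9876543210fedcba9876543210"    # constructed: key generated on rotation
    now = 1_720_000_000
    # constructed admin claims; real claim names may differ
    forged = mint_jwt({"uid": 1, "utypid": 2, "iat": now, "exp": now + 3600}, leaked_key)

    before = parse_crypt_keys(leaked_key)                      # unpatched / unrotated
    rotated_kept = parse_crypt_keys(leaked_key + "\n" + fresh_key)  # rotated, old key kept
    rotated_removed = parse_crypt_keys(fresh_key)              # rotated AND old key removed

    return {
        "before_rotation": verify_jwt(forged, before, now) is not None,
        "rotated_old_kept": verify_jwt(forged, rotated_kept, now) is not None,
        "rotated_old_removed": verify_jwt(forged, rotated_removed, now) is not None,
    }


if __name__ == "__main__":
    for state, still_valid in rotation_scenario().items():
        print(f"{state}: forged admin token accepted = {still_valid}")
```

The middle state is the one that catches merchants out: after patching and generating a new key, the forged token is still accepted because the leaked key remains in the accepted list. Only the third state, where the old key is gone from env.php, closes the door, and any sessions or tokens issued under the old key should be treated as compromised.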
Updating is important, but the lesson still has not sunk in
Updating is important, but the lesson still has not sunk in: many store owners tend to put off installing security updates, underestimating the risk this creates.
In the case of Adobe Commerce and Magento it is not only the core platform but also the various plugins and store extensions that need to be updated, and any delay leaves an open window for attack, as the recent cases demonstrate.