In the summer of 2024, cybercriminals gained access to 5% of all Adobe Commerce and Magento stores worldwide, and large international brands are among the victims. The CosmicSting attacks are being conducted by seven different groups that plant malicious code on their victims' servers.
A new bug, dubbed CosmicSting (CVE-2024-34102), has been used against Magento and Adobe Commerce stores, and Sansec's analysis of its own data found that 3 to 5 stores are being hacked every hour. Merchants should implement the countermeasures below as soon as possible to avoid becoming victims themselves.
In recent months, CosmicSting attacks have hit a large number of Adobe Commerce and Magento websites, with about 5% of online stores compromised. The CosmicSting vulnerability (CVE-2024-34102) is a critical information exposure flaw that can be exploited remotely; when combined with a second vulnerability in glibc (CVE-2024-2961) it can lead to remote code execution.
The vulnerability affects Adobe Commerce, Magento Open Source, and the Adobe Commerce Webhooks plugin. The e-commerce security company Sansec reports that over 4,275 stores have been compromised since June 2024, including well-known brands such as Whirlpool and Ray-Ban.
Unpatched installations remain a threat, leaving a large number of stores extremely vulnerable to attack.
According to Sansec's investigation, almost 5% of all Magento stores were infiltrated by seven financially motivated threat operations that leveraged CosmicSting to exfiltrate Magento cryptographic keys and inject payment skimmers. These threat operations included Belki, Bobry, Burunduki, Khomyaki, Ondatry, and Surki. Whirlpool, Segway, and Ray-Ban are believed to have remedied the issue, and other companies have been urged to upgrade their Adobe Commerce and Magento installations before the attackers escalate further.
"In a report released by Sansec, the company predicts that more stores will be hacked in the coming months since its report reveals that 75% of Adobe Commerce and Magento install bases have not been patched since automated scanning of secret encryption keys began in 2012."
In the short period since the flaw was disclosed, it has become widely exploited, leading the U.S. Department of Homeland Security's CISA to add it to the Known Exploited Vulnerabilities (KEV) catalog in mid-July 2024.
The attacks are weaponized by stealing Magento's secret encryption key, which can then be used to generate JSON Web Tokens (JWTs) with full access to the Magento administrative API. The threat actors have been observed using Magento's REST API to inject their malware.
Applying the latest patch alone is not sufficient, because a key stolen before patching remains valid afterwards; site owners are therefore advised to rotate their encryption keys as well, and to keep doing so as an ongoing security measure.
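Why rotating the key matters, as an added illustration that is not part of the original article and not Magento's own code: tokens are only as trustworthy as the secret that signs them, so any token minted with a leaked key keeps verifying until that key is replaced. The script below implements a minimal HS256 JWT signer and verifier with the standard library (an assumption for illustration; Magento's actual token format is not reproduced here), then checks that a token signed with a constructed "leaked" key is accepted before rotation and rejected after it.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, key: bytes) -> str:
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload when signature and expiry check out, otherwise None."""
    try:
        header, body, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        # Only accept the algorithm we issue; never let the token choose (blocks alg=none tricks).
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so signature checks do not leak timing information.
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        payload = json.loads(_b64url_decode(body))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    current = time.time() if now is None else now
    if not isinstance(payload, dict) or ("exp" in payload and payload["exp"] <= current):
        return None
    return payload


def rotation_demo(leaked_key: bytes, new_key: bytes) -> dict:
    """Show that a token signed with the old key dies the moment the server switches keys."""
    # Constructed scenario: a token was signed while the old key was still in use.
    token_from_old_key = sign_jwt({"uid": 1, "role": "admin", "exp": time.time() + 3600}, leaked_key)
    return {
        "accepted_before_rotation": verify_jwt(token_from_old_key, leaked_key) is not None,
        "accepted_after_rotation": verify_jwt(token_from_old_key, new_key) is not None,
    }


# Constructed sample keys: the "leaked" one is fixed so the demo is reproducible.
OLD_KEY = b"constructed-leaked-crypt-key"
NEW_KEY = secrets.token_bytes(32)

if __name__ == "__main__":
    print(rotation_demo(OLD_KEY, NEW_KEY))
    # prints {'accepted_before_rotation': True, 'accepted_after_rotation': False}
```

The practical takeaway is that rotation must be followed by checking that no component still trusts the old key (cached configuration, secondary nodes, integrations that copied the key), since a single holdout keeps old tokens alive.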
CosmicSting attacks advanced further in August 2024 with the addition of CNEXT (CVE-2024-2961), a vulnerability in the iconv component of the GNU C library (glibc). By chaining the two vulnerabilities, attackers were able to achieve remote code execution.
On its own, CVE-2024-34102 allows arbitrary file reading on unpatched servers; combined with CNEXT (CVE-2024-2961), threat actors can escalate to remote code execution and compromise the entire system.
After compromising a server, the attackers aim to establish persistent, covert access, facilitated by GSocket, and insert rogue scripts that let them execute arbitrary JavaScript in visitors' browsers to steal payment data entered on the site.
As Sansec had predicted, the announcement of CosmicSting came with few technical details and an urgent email warning merchants to apply security updates as soon as possible, ushering in one of the biggest threats to the e-commerce ecosystem in recent years. According to the researchers, seven different threat groups use CosmicSting to compromise unpatched sites, namely "Bobry", "Polyovki", "Surki", "Burunduki", "Ondatry", "Khomyaki", and "Belki". These groups are generally considered financially motivated opportunists who break into websites to steal credit card and customer information.
In 2022, Ondatry exploited the "TrojanOrder" flaw but has since switched to CosmicSting, which shows how some threat actors specialize in one niche and keep moving to whichever easily exploitable critical vulnerability is current.
Threat actors are exploiting CosmicSting to steal Magento cryptographic keys, harvest payment and billing information from Magento checkout pages, and even fight each other for control of vulnerable Magento sites by injecting competing payment skimmers.
The injected code loads further malicious scripts into compromised sites from domains named to resemble well-known JavaScript libraries or analytics services. To pass their script off as the jQuery library, the Burunduki group uses the domain 'jgueurystatic[.]xyz'.
The Polyovki group uses the cdnstatics[.]net domain to make its script look like a website-analytics loader, as seen in the compromise of Ray-Ban's website.
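A defender's check for this lookalike-domain trick, added here as an illustration (not the article's or Sansec's code): audit every external `<script src>` on a rendered storefront page against an allowlist of the origins you actually use, and raise the severity when an unlisted host carries a library or CDN keyword in its name. The sample HTML is constructed; it includes the two lookalike hosts named in the article (written without the defanging brackets so they match), a genuine jQuery CDN host, a first-party script and a constructed unlisted partner host. The allowlist and keyword list are assumptions to adapt to your own site.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Matches the src attribute of any <script> tag, in either quote style.
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Assumed allowlist: the third-party origins this storefront legitimately loads scripts from.
TRUSTED_HOSTS = {
    "code.jquery.com",
    "cdnjs.cloudflare.com",
    "www.googletagmanager.com",
    "www.google-analytics.com",
}

# Name fragments that skimmer domains borrow to look like libraries, CDNs or analytics.
LIBRARY_TOKENS = ("jquery", "cdn", "static", "analytics", "gtag", "tagmanager")


def audit_script_sources(html: str, trusted: Iterable[str] = TRUSTED_HOSTS) -> List[Dict[str, str]]:
    """Return one finding per unlisted external script host, in page order."""
    trusted_set = {h.lower() for h in trusted}
    findings: List[Dict[str, str]] = []
    seen = set()
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src.strip()).netloc.lower().split("@")[-1].split(":")[0]
        if not host:          # relative URL: first-party script, not in scope here
            continue
        if host in trusted_set or host in seen:
            continue
        seen.add(host)
        tokens = [t for t in LIBRARY_TOKENS if t in host]
        if tokens:
            reason = "unlisted host mimics a library/CDN name (%s)" % ", ".join(tokens)
            severity = "high"
        else:
            reason = "unlisted third-party script host"
            severity = "medium"
        findings.append({"host": host, "src": src, "severity": severity, "reason": reason})
    return findings


# Constructed sample storefront HTML, including the lookalike hosts named in the article.
SAMPLE_HTML = """
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script type="text/javascript" src='https://jgueurystatic.xyz/js/jquery.min.js'></script>
<script src="https://cdnstatics.net/analytics.js" async></script>
<script src="/static/frontend/Magento/luma/en_US/mage/bootstrap.js"></script>
<script src="https://example-partner.invalid/widget.js"></script>
"""

if __name__ == "__main__":
    for finding in audit_script_sources(SAMPLE_HTML):
        print(finding["severity"].upper(), finding["host"], "-", finding["reason"])
```

Run it against the HTML of your checkout page (fetched as a real browser would see it, since skimmers are often injected server-side into rendered output) and diff the result against a known-good baseline; any new host, and especially a high-severity one, warrants an immediate look at the site's templates and database-stored content blocks.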
The 2024 CosmicSting mass hack succeeded because many merchants were unaware of the flaw and because the mitigation steps were complicated and often not carried out properly. Merchants can protect their online stores from attacks like CosmicSting through proactive server-side malware detection and vulnerability monitoring tools such as Sansec's eComscan.
Such tools provide continuous monitoring for potential threats and unauthorized activity, helping to safeguard e-commerce platforms. Sansec has confirmed that none of its clients were impacted by CosmicSting, which it cites as evidence of the effectiveness of these preventative measures.
Despite this, Sansec has issued a warning that the number of compromised stores is likely to rise in the coming months.
The company estimates that around 75% of Adobe Commerce and Magento installations had not received the critical patches when automated scanning for secret encryption keys began. This widespread lack of patching leaves many stores vulnerable to future attacks.