Severity
High
Analysis Summary
Researchers have shown that threat actors have exploited a vulnerability known as CosmicSting to compromise 5% of all Adobe Commerce and Magento stores.
The vulnerability, tracked as CVE-2024-34102 (CVSS score: 9.8), is an improper restriction of XML external entity reference (XXE) flaw that may lead to remote code execution. Adobe fixed it in June 2024. According to the researchers, e-commerce sites are being compromised at a pace of three to five per hour, and CosmicSting is the worst flaw to affect Magento and Adobe Commerce stores in the last two years.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in mid-July 2024 in response to widespread exploitation of the bug. Some of these attacks weaponize the vulnerability to steal Magento's secret encryption key and then forge JSON Web Tokens (JWTs) that grant full administrative API access. The threat actors have then been observed using the Magento REST API to inject malicious code.
This means that applying the latest patch alone does not stop the attack: site owners must also rotate their encryption keys, since a stolen key remains usable for forging tokens until it is invalidated. Attacks observed again in August 2024 chained CosmicSting with CNEXT (CVE-2024-2961), a flaw in the GNU C library's (glibc) iconv library, to achieve remote code execution. On unpatched systems, CosmicSting (CVE-2024-34102) permits arbitrary file reading; when paired with CNEXT (CVE-2024-2961), threat actors can escalate to remote code execution and take over the entire system.
The ultimate objective of the intrusion is to deploy GSocket for persistent, covert access to the host and to introduce rogue scripts that execute any JavaScript the attacker serves, in order to harvest payment information that customers enter on the websites. According to the most recent research, CosmicSting attacks have affected several businesses, including Ray Ban, National Geographic, Cisco, Whirlpool, and Segway. At least seven different groups have participated in the exploitation operations, as follows:
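The key-rotation point above is easiest to see with a minimal HS256 JWT verifier. The following is an added illustration, not code from the advisory or from Magento; it uses a generic JWT layout with hypothetical keys and claims, and does not reproduce Magento's actual token format. It shows that a token minted with a leaked key keeps verifying until that key is removed from the set the verifier accepts, which is why patching alone is insufficient and why old keys must be invalidated, not merely supplemented.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce an HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, accepted_keys: list, now: int) -> Optional[dict]:
    """Return the claims if the token is signed by any accepted key and unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse alg confusion / "none"
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    given = _b64url_decode(sig_b64)
    for key in accepted_keys:
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(given, expected):
            claims = json.loads(_b64url_decode(payload_b64))
            if claims.get("exp", 0) <= now:
                return None
            return claims
    return None


def rotation_scenario() -> dict:
    """Constructed scenario: a key assumed leaked, a token minted with it, three verifier states."""
    leaked_key = b"constructed-old-key-assumed-leaked"   # hypothetical, not a real key
    new_key = b"constructed-new-key-after-rotation"      # hypothetical
    now = 1_700_000_000
    # Token an attacker holding the leaked key could have minted (claims are illustrative).
    forged = sign_jwt({"sub": "admin", "role": "admin", "exp": now + 3600}, leaked_key)
    return {
        # Patched, but key never rotated: the forged token still verifies.
        "patched_only": verify_jwt(forged, [leaked_key], now) is not None,
        # Rotated, but the old key is still accepted: the forged token still verifies.
        "rotated_old_key_kept": verify_jwt(forged, [new_key, leaked_key], now) is not None,
        # Rotated and old key invalidated: the forged token is rejected.
        "rotated_old_key_invalidated": verify_jwt(forged, [new_key], now) is not None,
    }


if __name__ == "__main__":
    for state, accepted in rotation_scenario().items():
        print(f"{state}: forged token accepted = {accepted}")
```

The verifier pins the algorithm to HS256 and compares signatures in constant time; the interesting output is the third case, which is the only state in which the forged token stops working.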
- Group Bobry, which conceals code that loads a payment skimmer hosted on a remote server using whitespace encoding
- Group Polyovki, which uses a cdnstatics.net/lib.js injection
- Group Surki, which hides JavaScript code using XOR encoding
- Group Burunduki, which fetches dynamic skimmer code over a WebSocket
- Group Ondatry, which inserts fake payment forms resembling the merchant's real ones by means of a custom JavaScript loader malware
- Group Khomyaki, which exfiltrates payment details to domains with a 2-character URI
- Group Belki, which installs skimmer malware and backdoors via CNEXT and CosmicSting
Merchants are strongly advised to upgrade to the latest version of Adobe Commerce or Magento. They should also rotate their secret encryption keys and ensure that the old keys are invalidated.
Impact
- Remote Code Execution
- Sensitive Data Theft
- Unauthorized Access
Indicators of Compromise
Domain Name
- advertiq.shop
- bingforce.org
- cdnstatics.net
- datagen.shop
- easttrack.net
- feedbackharvest.com
- gearplace.net
- happyllfe.online
- infiniboosts.com
- javaninja.shop
- luckipath.shop
- marketexpert.site
- novastraem.com
- pixelia.shop
- quantlive.net
- radlantroots.com
- saleapi.org
- techtnee.com
- vodog.shop
- wealthleaderinc.com
- yotpont.com
Affected Vendors
- Adobe
Remediation
- Refer to Adobe Security Advisory for patch, upgrade, or suggested workaround information.
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
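The remediation steps above ask defenders to search their environment for the listed indicators and to block them at their controls. As an added example (not part of the advisory, and not a vendor tool), the script below loads the domain indicators from this page and scans log-style lines and page content for them. Matching is done on whole hostnames, so a subdomain of an indicator is a hit but a lookalike such as notcdnstatics.net is not. The sample lines are constructed for the demonstration, including one HTML line carrying the cdnstatics.net/lib.js injection described for Group Polyovki.

```python
import re

# Domain indicators as listed in this advisory.
IOC_DOMAINS = {
    "advertiq.shop", "bingforce.org", "cdnstatics.net", "datagen.shop",
    "easttrack.net", "feedbackharvest.com", "gearplace.net", "happyllfe.online",
    "infiniboosts.com", "javaninja.shop", "luckipath.shop", "marketexpert.site",
    "novastraem.com", "pixelia.shop", "quantlive.net", "radlantroots.com",
    "saleapi.org", "techtnee.com", "vodog.shop", "wealthleaderinc.com", "yotpont.com",
}

# Hostname-like tokens: one or more labels followed by an alphabetic TLD.
# Pure IPv4 addresses do not match because their last label is numeric.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.IGNORECASE)


def matching_ioc(host: str, ioc_domains=IOC_DOMAINS):
    """Return the indicator that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in ioc_domains:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def host_matches(host: str, ioc_domains=IOC_DOMAINS) -> bool:
    return matching_ioc(host, ioc_domains) is not None


def scan_lines(lines, ioc_domains=IOC_DOMAINS):
    """Scan text lines (proxy/DNS logs, HTML) and report each indicator hit with its line number."""
    hits = []
    for number, line in enumerate(lines, start=1):
        seen = set()
        for host in DOMAIN_RE.findall(line):
            ioc = matching_ioc(host, ioc_domains)
            if ioc and (host.lower(), ioc) not in seen:
                seen.add((host.lower(), ioc))
                hits.append({"line": number, "host": host, "ioc": ioc, "text": line.strip()})
    return hits


# Constructed sample input: three log lines, one lookalike domain, one HTML line.
SAMPLE_LINES = [
    "2024-10-02T10:15:01Z proxy client=10.0.0.5 GET https://cdnstatics.net/lib.js 200",
    "2024-10-02T10:15:02Z dns client=10.0.0.9 query=static.happyllfe.online type=A",
    "2024-10-02T10:15:03Z proxy client=10.0.0.5 GET https://www.example.com/checkout 200",
    "2024-10-02T10:15:04Z dns client=10.0.0.7 query=notcdnstatics.net type=A",
    '<script src="https://cdnstatics.net/lib.js"></script>',
]


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(f"line {hit['line']}: {hit['host']} matches indicator {hit['ioc']}")
```

Feeding real web-server, proxy or DNS logs through `scan_lines` (one line per record) gives a first pass at the IoC search the remediation list calls for; the same `IOC_DOMAINS` set can seed a DNS sinkhole or proxy blocklist.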