

Ethical Hacking News

CosmicSting: The Devastating Magento and Adobe Commerce Vulnerability Exploited by Malicious Actors




Cybersecurity researchers have disclosed that 5% of all Adobe Commerce and Magento stores have been compromised by malicious actors exploiting a security vulnerability dubbed CosmicSting. This critical flaw, which allows arbitrary file reading on unpatched systems, has resulted in widespread attacks across the globe, with at least seven distinct groups identified as partaking in these exploitation efforts. In light of these findings, it is essential for Magento and Adobe Commerce store owners to take immediate action to protect their systems against this devastating vulnerability.

  • Malicious actors have exploited the CosmicSting security vulnerability (CVE-2024-34102) in Magento and Adobe Commerce stores.
  • The vulnerability allows for remote code execution, enabling attackers to steal payment data and inject malicious scripts.
  • Seven distinct groups have been identified as exploiting the vulnerability for various purposes, including stealing payment information.
  • CosmicSting has been combined with another vulnerability (CVE-2024-2961) to achieve remote code execution and escalate to full system access.
  • Site owners are advised to rotate their encryption keys, keep up-to-date with security patches, and take proactive measures to protect their systems.



    Adobe Commerce and Magento stores are currently under attack from malicious actors who have discovered a devastating security vulnerability dubbed CosmicSting. This critical flaw, tracked as CVE-2024-34102 (CVSS score: 9.8), is an improper restriction of XML external entity reference (XXE) weakness that could result in remote code execution.

    The shortcoming was patched by Adobe in June 2024, but the vulnerability has since come under widespread exploitation, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog in mid-July 2024. Dutch security firm Sansec, which described CosmicSting as the "worst bug to hit Magento and Adobe Commerce stores in two years," stated that e-commerce sites are being compromised at a rate of three to five per hour.

    The threat actors have been observed using the flaw to steal Magento's secret encryption key, which is then used to generate JSON Web Tokens (JWTs) with full administrative API access. This allows them to inject malicious scripts into the Magento REST API, enabling the execution of arbitrary JavaScript received from the attacker in order to steal payment data entered by users on the sites.

    Furthermore, subsequent attacks observed in August 2024 have chained CosmicSting with CNEXT (CVE-2024-2961), a vulnerability in the iconv library within the GNU C library (aka glibc), to achieve remote code execution. Chaining the two lets threat actors escalate from arbitrary file reading to full control of the underlying system.

    "CosmicSting (CVE-2024-34102) allows arbitrary file reading on unpatched systems. When combined with CNEXT (CVE-2024-2961), threat actors can escalate to remote code execution, taking over the entire system," Sansec noted.

    The end goal of these compromises is to establish persistent, covert access on the host via GSocket and insert rogue scripts that allow for the execution of arbitrary JavaScript received from the attacker in order to steal payment data entered by users on the sites. Several companies have fallen victim to CosmicSting attacks, including Ray Ban, National Geographic, Cisco, Whirlpool, and Segway.

    At least seven distinct groups have been identified as partaking in these exploitation efforts:

  • Group Bobry, which uses whitespace encoding to hide code that executes a payment skimmer hosted on a remote server;
  • Group Polyovki, which uses an injection from cdnstatics.net/lib.js;
  • Group Surki, which uses XOR encoding to conceal JavaScript code;
  • Group Burunduki, which accesses a dynamic skimmer code from a WebSocket at wss://jgueurystatic[.]xyz:8101;
  • Group Ondatry, which uses custom JavaScript loader malware to inject bogus payment forms that mimic the legitimate ones used by the merchant sites;
  • Group Khomyaki, which exfiltrates payment information to domains that include a 2-character URI ("rextension[.]net/za");
  • Group Belki, which uses CosmicSting with CNEXT to plant backdoors and skimmer malware.
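A defender-side check, added here as an example and not part of the article or of any Sansec tooling: a small Python scanner run over a constructed HTML page that flags the indicators named above (the cdnstatics.net loader, the jgueurystatic[.]xyz WebSocket host, the rextension[.]net exfiltration path), reports script sources from hosts outside a first-party allowlist, and applies a heuristic for inline scripts that are almost entirely spaces and tabs, the whitespace-encoding trick attributed to Group Bobry. The sample page, the allowlist, the 90% whitespace threshold and the script regex are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators named in the reporting above, kept defanged and refanged only when matching.
DEFANGED_INDICATORS = [
    "cdnstatics.net/lib.js",
    "jgueurystatic[.]xyz",
    "rextension[.]net/za",
]

# Constructed allowlist of hosts a store legitimately loads scripts from (assumption).
FIRST_PARTY_HOSTS = {"shop.example", "static.shop.example"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("example[.]net") back into a matchable string."""
    return ioc.replace("[.]", ".")


def whitespace_ratio(text: str) -> float:
    """Share of characters that are spaces or tabs; whitespace-encoded payloads push this close to 1.0."""
    if not text:
        return 0.0
    return sum(1 for c in text if c in " \t") / len(text)


def scan_html(html: str, ws_threshold: float = 0.9, min_len: int = 64) -> list:
    """Return a list of {"rule", "detail"} findings for one rendered storefront page."""
    findings = []

    # Rule 1: known indicator strings anywhere in the page (script src, inline strings, WebSocket URLs).
    for ioc in DEFANGED_INDICATORS:
        if refang(ioc) in html:
            findings.append({"rule": "known_indicator", "detail": ioc})

    for attrs, body in SCRIPT_RE.findall(html):
        # Rule 2: external script source whose host is not on the first-party allowlist.
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname
            if host and host not in FIRST_PARTY_HOSTS:
                findings.append({"rule": "third_party_script", "detail": src.group(1)})
        # Rule 3: inline script body that is almost entirely spaces and tabs (heuristic).
        inline = body.strip("\r\n")
        if len(inline) >= min_len and whitespace_ratio(inline) >= ws_threshold:
            findings.append({"rule": "whitespace_encoded_script",
                             "detail": f"{len(inline)} chars, {whitespace_ratio(inline):.2f} whitespace"})
    return findings


# Constructed sample page: one first-party script, one injected loader, one whitespace-encoded
# inline script, and one inline script opening a WebSocket to a listed host.
SAMPLE_HTML = (
    "<html><head>\n"
    '<script src="https://static.shop.example/checkout.js"></script>\n'
    '<script src="https://cdnstatics.net/lib.js"></script>\n'
    "<script>" + " \t" * 200 + "</script>\n"
    "</head><body>\n"
    "<script>var ws = new WebSocket('wss://" + refang("jgueurystatic[.]xyz") + ":8101');</script>\n"
    "</body></html>"
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding["rule"], "->", finding["detail"])
```

The whitespace rule is a heuristic and will also fire on a large script that happens to be padded; in practice it is run against pages fetched through the same path a shopper uses, since the injected code lives in the rendered storefront rather than in the files on disk.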

    In light of these findings, it is essential for Magento and Adobe Commerce store owners to take immediate action. This includes rotating their encryption keys, since applying the latest fix alone is insufficient to secure against the attack: a key that was already stolen remains usable until it is rotated. Furthermore, site owners must ensure that they are keeping up-to-date with security patches and taking proactive measures to protect their systems.

    In conclusion, the CosmicSting vulnerability has highlighted a critical flaw in the Magento and Adobe Commerce ecosystems. It is imperative that individuals and organizations take swift action to mitigate this risk and prevent further exploitation.



    Related Information:

  • https://thehackernews.com/2024/10/alert-adobe-commerce-and-magento-stores.html

  • https://sansec.io/research/cosmicsting-fallout

  • https://nvd.nist.gov/vuln/detail/CVE-2024-34102

  • https://www.cvedetails.com/cve/CVE-2024-34102/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-2961

  • https://www.cvedetails.com/cve/CVE-2024-2961/


  • Published: Wed Oct 2 09:06:31 2024 by llama3.2 3B Q4_K_M
