Ethical Hacking News

Thousands of Online Stores Infected via CosmicSting Flaw




The devastating impact of CosmicSting: 4,275 online stores compromised by a critical vulnerability

In recent months thousands of online stores have been attacked by cybercrime gangs exploiting a critical vulnerability known as CosmicSting (CVE-2024-34102). The flaw lets attackers alter the pages of affected stores and siphon off sensitive customer data, including payment card details.

This article summarises what is known about CosmicSting, its impact on Adobe Commerce and Magento stores, and the steps operators can take to stop further attacks.



  • The CosmicSting vulnerability (CVE-2024-34102) allows attackers to manipulate online store pages and steal sensitive customer data, including payment card information.
  • At least seven cybercrime gangs are behind the ongoing heists, which have compromised 4,275 merchants running Adobe Commerce and Magento software.
  • The flaw can be exploited to steal not only card details but also customer login credentials and personal data.
  • Adobe Commerce is built on Magento, which Adobe acquired in 2018 for $1.68 billion, so the flaw affects a large share of the e-commerce market.
  • Attackers use CosmicSting to add malicious JavaScript to checkout pages that steals customers' payment details as they type them in.
  • The vulnerability can be chained with a second flaw (CVE-2024-2961) to achieve remote code execution on the server, giving attackers persistent access.
  • Adobe patched the flaw in June, but Sansec warns that more stores will be hacked in the coming months: stores that are unpatched, or patched without rotating their stolen keys, remain exposed.



    The world of e-commerce has been dealt a heavy blow: thousands of online stores have fallen prey to CosmicSting, CVE-2024-34102, a critical vulnerability that lets attackers manipulate the pages of affected websites and siphon off sensitive customer data, including payment card information.

    According to recent reports, at least seven cybercrime gangs are behind the ongoing heists exploiting this weakness. Over the northern-hemisphere summer these groups compromised 4,275 merchants that use Adobe Commerce and Magento software to run their online shops, roughly five percent of all Adobe Commerce and Magento stores.

    The CosmicSting flaw can be exploited to steal not only card details, where they are present, but any other sensitive data passing through a compromised site's pages, such as customer login credentials and personal data. It has fuelled a surge in Magecart attacks, the collective label for card-skimming campaigns, which takes its name from the Magento platform on which such skimmers are commonly found.

    Adobe Commerce is built on Magento, which the Photoshop giant acquired in 2018 for $1.68 billion. CVE-2024-34102 carries a CVSS score of 9.8 out of 10. It is an unauthenticated XML External Entity (XXE) vulnerability: an attacker submits crafted XML that makes the server resolve an external entity, and so read files it should never expose. Against a vulnerable Adobe Commerce or Magento deployment this is enough to lift the store's secret keys, and from there to alter the pages the store serves.
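    To make the XXE mechanism concrete, here is an added illustration that is not code from Magento, Adobe or Sansec. A Python SAX parser stands in for an XML-handling endpoint and is run twice over the same constructed request: once in the vulnerable configuration, where SYSTEM entities are resolved and a DTD pointing at a local file pulls that file's contents into the document, and once hardened. The request body, the element names and the secret file (a stand-in for the store's key configuration, which in a real Magento install would be app/etc/env.php) are all constructed for the demo; the example shows the generic XXE pattern rather than the specific Magento endpoint.

```python
"""XXE illustration: a Python SAX parser standing in for an XML endpoint.

Added example, not code from Magento, Adobe or Sansec. The request body,
the element names and the secret file (a stand-in for the store's key
configuration) are all constructed for the demo.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Records the character data of every element, keyed by tag name."""

    def __init__(self):
        super().__init__()
        self.text = {}
        self._stack = []

    def startElement(self, name, attrs):
        self._stack.append(name)
        self.text.setdefault(name, "")

    def characters(self, content):
        if self._stack:
            self.text[self._stack[-1]] += content

    def endElement(self, name):
        self._stack.pop()


def parse_request(xml_bytes: bytes, resolve_external: bool) -> dict:
    """Parse attacker-controlled XML and return {tag: text}.

    resolve_external=True is the vulnerable configuration: the parser
    fetches SYSTEM entities, so a DTD pointing at a local file pulls that
    file's contents into the document and hands it back to the caller.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text


def parse_request_hardened(xml_bytes: bytes) -> dict:
    """Hardened form: reject any DTD up front, so no entity declaration
    reaches the parser at all, and keep external entity resolution off."""
    upper = xml_bytes.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        raise ValueError("XML with a DTD is not accepted")
    return parse_request(xml_bytes, resolve_external=False)


def xxe_payload(target_path: str) -> bytes:
    """Constructed request body: declares an external entity that points at
    a local file and references it inside an innocuous-looking element."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE request [<!ENTITY cfg SYSTEM "{target_path}">]>\n'
        "<request><email>shopper@example.com</email><note>&cfg;</note></request>"
    ).encode()


def demo() -> tuple:
    """Write a constructed secret file, fire the payload at both parser
    configurations and return (text seen by the vulnerable parser,
    text seen with external entities disabled)."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".php") as f:
        f.write("'crypt' => ['key' => 'CONSTRUCTED-DEMO-KEY']\n")  # stand-in secret
        path = f.name
    try:
        body = xxe_payload(path)
        leaked = parse_request(body, resolve_external=True)["note"]
        blocked = parse_request(body, resolve_external=False)["note"]
        return leaked, blocked
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("external entities off returned:", repr(blocked))
```

    Run stand-alone, the vulnerable parser returns the secret file's contents inside the `note` element while the second run returns an empty string. The same single switch exists in PHP, where passing LIBXML_NOENT to the XML loader turns entity substitution on; refusing any input that carries a DTD, as `parse_request_hardened` does, removes the attack surface regardless of parser flags.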

    In these attacks the hackers use CosmicSting to add malicious JavaScript to checkout pages that steals customers' payment details as they type them in, or to alter other pages and harvest other data. The flaw was discovered and reported by Sergey Temnikov.

    CVE-2024-34102 can optionally be chained with the high-severity CVE-2024-2961, a glibc buffer overflow that is reachable on Linux from PHP, to achieve remote code execution on the Commerce or Magento server host. That second step lets attackers install a backdoor on the machine for persistent access.

    Adobe patched CVE-2024-34102 promptly, on June 11, but according to Sansec automated attacks were already under way by then. The security firm has catalogued several distinct CosmicSting loaders, each tied to its own infrastructure and data-stealing method, and has published a full list of indicators of compromise that anyone operating a Magento shop should check against their own systems.

    Sansec projects that more stores will be hacked in the coming months. By its analysis, at least seven distinct groups are running "large scale" CosmicSting campaigns, using the flaw to obtain the secret Magento keys from installations and then generating tokens that grant unrestricted access to the Magento API. With that access a site can be edited and manipulated at will, including to siphon off sensitive customer data.

    Normally the first criminals to compromise a site lock others out of their turf. CosmicSting does not lend itself to that: as long as a stolen key remains valid, anyone holding it can mint fresh API tokens, so multiple groups end up fighting for control of the same store and evicting each other again and again.

    In some cases three different gangs were spotted squabbling over the same store. Many of the affected stores have begun cleaning up: according to Sansec about half of the 4,275 compromised merchants have removed the malware. It is unclear, however, whether they have also rotated their keys. Those that have not will likely be reinfected within days, because the attackers still hold a valid key.

    Ray-Ban and National Geographic are among the brands whose web stores were reportedly compromised by criminals exploiting the flaw to steal shoppers' payment card details as they placed orders online.

    The sunglasses company did not answer questions about the incident, instead giving a standard statement that "we take security very seriously." According to Sansec, Ray-Ban patched its systems on October 3. National Geographic's store was still infected at the time of writing, while the other affected brands fixed theirs over the preceding couple of weeks after being notified by Sansec.

    The ongoing threat posed by CosmicSting underlines two lessons: patch promptly, and rotate any secret that may have been exposed, since the patch alone does not invalidate keys an attacker has already stolen.



    Related Information:

  • https://go.theregister.com/feed/www.theregister.com/2024/10/04/cisco_ray_ban_whirpool_cosmicsting_hack/

  • https://www.msn.com/en-us/money/other/big-brands-among-thousands-infected-by-payment-card-stealing-cosmicsting-crooks/ar-AA1rFNHG

  • https://forums.theregister.com/forum/all/2024/10/04/cisco_ray_ban_whirpool_cosmicsting_hack/

  • https://www.csoonline.com/article/567335/what-is-magecart-how-this-hacker-group-steals-payment-card-data.html


  • Published: Fri Oct 4 22:20:09 2024 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
