CosmicSting: A Critical Threat to Adobe Commerce and Magento Stores
The e-commerce landscape has been rocked by a recent wave of cyberattacks targeting Adobe Commerce and Magento stores. Dubbed CosmicSting, this vulnerability has compromised 5% of all stores by exploiting a security flaw (CVE-2024-34102) that allows hackers to execute remote code. The situation has become so severe that cybersecurity experts have deemed it the “worst bug to hit Magento and Adobe Commerce stores in two years.” This article delves into the threat posed by CosmicSting, its technical implications, and the steps merchants must take to protect their e-commerce platforms.
Understanding the CosmicSting Vulnerability
CosmicSting, tracked as CVE-2024-34102, is an XML external entity (XXE) vulnerability with a CVSS score of 9.8, indicating its critical severity. Discovered by a researcher known as “spacewasp,” the flaw allows unauthorized actors to gain access to sensitive files and potentially achieve remote code execution. The vulnerability has been actively exploited since mid-July 2024, shortly after being patched by Adobe in June 2024. Despite the patch, attackers have continued to find ways to exploit unpatched systems.
The Widespread Exploitation of CosmicSting
According to Sansec, a Dutch security firm specializing in e-commerce protection, the number of compromised stores has surged dramatically, with sites being attacked at a rate of three to five per hour. This vulnerability gained further attention when it was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog in July 2024. Hackers have leveraged CosmicSting to steal Magento’s secret encryption keys, enabling them to generate JSON Web Tokens (JWTs) and gain full administrative access via the Magento REST API.
Attack Chains Involving CNEXT
In some cases, attackers have combined CosmicSting with another vulnerability known as CNEXT (CVE-2024-2961), found in the iconv library within the GNU C library (glibc). This combination allows hackers to escalate privileges to remote code execution, potentially taking over entire systems. The risk associated with this attack chain is exceptionally high, as it enables malicious actors to establish persistent backdoors and execute arbitrary JavaScript to steal payment data from compromised websites.
Groups Behind the Attacks
Several distinct hacker groups have been identified as partaking in CosmicSting exploitation efforts, each using unique methods to hide malicious code and evade detection. The following are some of the groups involved:
- Group Bobry: Uses whitespace encoding to hide a payment skimmer hosted on a remote server.
- Group Polyovki: Injects malicious code from cdnstatics.net/lib.js to steal payment data.
- Group Surki: Conceals JavaScript code using XOR encoding techniques.
- Group Burunduki: Fetches dynamic skimmer code via a WebSocket at wss://jgueurystatic[.]xyz:8101.
- Group Ondatry: Utilizes custom JavaScript loaders to inject fake payment forms resembling legitimate ones.
- Group Khomyaki: Sends stolen payment information to domains using 2-character URIs, such as rextension[.]net/za/.
- Group Belki: Combines CosmicSting and CNEXT to plant backdoors and skimmer malware.
These groups have shown remarkable sophistication in exploiting CosmicSting, targeting prominent brands such as Ray Ban, National Geographic, Cisco, Whirlpool, and Segway.
Technical Analysis of CosmicSting and CNEXT
CosmicSting’s primary weakness lies in its ability to read arbitrary files on unpatched systems. By exploiting this flaw, attackers can gain access to sensitive information that allows them to execute malicious commands. When chained with CNEXT, which leverages a flaw in the iconv library, the attack escalates to full system compromise. The combination of these vulnerabilities creates a powerful tool for hackers to infiltrate e-commerce sites and exfiltrate sensitive payment data.
Why Patching Alone Isn’t Enough
While Adobe released a patch for CosmicSting in June 2024, simply applying the update is not sufficient. Cybersecurity experts warn that merchants need to take additional precautions, such as rotating secret encryption keys. Failure to rotate these keys could leave stores vulnerable to further attacks, as compromised keys could still be used to generate JWTs for unauthorized access.
Mitigation Steps for E-Commerce Site Owners
For businesses running Adobe Commerce or Magento, mitigating the risk posed by CosmicSting requires a multi-layered approach:
- Upgrade to the Latest Software Version: Ensure that the latest patches and security updates are applied. Regularly check for updates to stay protected against newly discovered vulnerabilities.
- Rotate Secret Encryption Keys: After patching the system, rotate encryption keys to invalidate old keys that may have been compromised.
- Conduct Regular Security Audits: Periodically review system logs and monitor for suspicious activities, such as unauthorized access attempts or changes to sensitive files.
- Implement Web Application Firewalls (WAFs): Use WAFs to block malicious traffic and detect attack patterns targeting known vulnerabilities.
- Educate Staff on Security Best Practices: Ensure that staff responsible for website maintenance are aware of potential risks and understand how to respond to security incidents.
The Larger Implications of CosmicSting
The CosmicSting vulnerability highlights the ever-evolving nature of cybersecurity threats. As e-commerce continues to grow, so does the attack surface for cybercriminals seeking to exploit vulnerabilities in widely used platforms. The impact on businesses can be devastating, with compromised customer data leading to loss of trust, financial penalties, and legal ramifications.
Final Thoughts: Stay Vigilant, Stay Updated
As the cyber threat landscape evolves, e-commerce site owners must remain vigilant in updating their systems and implementing robust security measures. The CosmicSting vulnerability serves as a stark reminder of the importance of proactive cybersecurity practices. Keeping software up-to-date, rotating encryption keys, and adopting a multi-layered defense strategy can help mitigate the risk of exploitation.
Stay informed about the latest cybersecurity threats. Subscribe to our newsletter for updates on vulnerabilities, security patches, and best practices for e-commerce site security.