CosmicSting Vulnerability Targets Adobe Commerce and Magento
  • By Shiva
  • Last updated: October 9, 2024

Devastating CosmicSting Vulnerability Targets Adobe Commerce and Magento Stores 2024

CosmicSting: A Critical Threat to Adobe Commerce and Magento Stores

The e-commerce landscape has been rocked by a recent wave of cyberattacks targeting Adobe Commerce and Magento stores. Dubbed CosmicSting, this vulnerability has compromised 5% of all stores by exploiting a security flaw (CVE-2024-34102) that allows hackers to execute remote code. The situation has become so severe that cybersecurity experts have deemed it the “worst bug to hit Magento and Adobe Commerce stores in two years.” This article delves into the threat posed by CosmicSting, its technical implications, and the steps merchants must take to protect their e-commerce platforms.

Understanding the CosmicSting Vulnerability

CosmicSting, tracked as CVE-2024-34102, is an XML external entity (XXE) vulnerability with a CVSS score of 9.8, indicating its critical severity. Discovered by a researcher known as “spacewasp,” the flaw allows unauthorized actors to gain access to sensitive files and potentially achieve remote code execution. The vulnerability has been actively exploited since mid-July 2024, shortly after being patched by Adobe in June 2024. Despite the patch, attackers have continued to find ways to exploit unpatched systems.

Understanding the CosmicSting Vulnerability

The Widespread Exploitation of CosmicSting

According to Sansec, a Dutch security firm specializing in e-commerce protection, the number of compromised stores has surged dramatically, with sites being attacked at a rate of three to five per hour. This vulnerability gained further attention when it was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog in July 2024. Hackers have leveraged CosmicSting to steal Magento’s secret encryption keys, enabling them to generate JSON Web Tokens (JWTs) and gain full administrative access via the Magento REST API.

Attack Chains Involving CNEXT

In some cases, attackers have combined CosmicSting with another vulnerability known as CNEXT (CVE-2024-2961), found in the iconv library within the GNU C library (glibc). This combination allows hackers to escalate privileges to remote code execution, potentially taking over entire systems. The risk associated with this attack chain is exceptionally high, as it enables malicious actors to establish persistent backdoors and execute arbitrary JavaScript to steal payment data from compromised websites.

Groups Behind the Attacks

Several distinct hacker groups have been identified as partaking in CosmicSting exploitation efforts, each using unique methods to hide malicious code and evade detection. The following are some of the groups involved:

  1. Group Bobry: Uses whitespace encoding to hide a payment skimmer hosted on a remote server.
  2. Group Polyovki: Injects malicious code from cdnstatics.net/lib.js to steal payment data.
  3. Group Surki: Conceals JavaScript code using XOR encoding techniques.
  4. Group Burunduki: Fetches dynamic skimmer code via a WebSocket at wss://jgueurystatic[.]xyz:8101.
  5. Group Ondatry: Utilizes custom JavaScript loaders to inject fake payment forms resembling legitimate ones.
  6. Group Khomyaki: Sends stolen payment information to domains using 2-character URIs, such as rextension[.]net/za/.
  7. Group Belki: Combines CosmicSting and CNEXT to plant backdoors and skimmer malware.

These groups have shown remarkable sophistication in exploiting CosmicSting, targeting prominent brands such as Ray Ban, National Geographic, Cisco, Whirlpool, and Segway.

Technical Analysis of CosmicSting and CNEXT

CosmicSting’s primary weakness lies in its ability to read arbitrary files on unpatched systems. By exploiting this flaw, attackers can gain access to sensitive information that allows them to execute malicious commands. When chained with CNEXT, which leverages a flaw in the iconv library, the attack escalates to full system compromise. The combination of these vulnerabilities creates a powerful tool for hackers to infiltrate e-commerce sites and exfiltrate sensitive payment data.

Why Patching Alone Isn’t Enough

While Adobe released a patch for CosmicSting in June 2024, simply applying the update is not sufficient. Cybersecurity experts warn that merchants need to take additional precautions, such as rotating secret encryption keys. Failure to rotate these keys could leave stores vulnerable to further attacks, as compromised keys could still be used to generate JWTs for unauthorized access.

Mitigation Steps for E-Commerce Site Owners

For businesses running Adobe Commerce or Magento, mitigating the risk posed by CosmicSting requires a multi-layered approach:

  1. Upgrade to the Latest Software Version: Ensure that the latest patches and security updates are applied. Regularly check for updates to stay protected against newly discovered vulnerabilities.
  2. Rotate Secret Encryption Keys: After patching the system, rotate encryption keys to invalidate old keys that may have been compromised.
  3. Conduct Regular Security Audits: Periodically review system logs and monitor for suspicious activities, such as unauthorized access attempts or changes to sensitive files.
  4. Implement Web Application Firewalls (WAFs): Use WAFs to block malicious traffic and detect attack patterns targeting known vulnerabilities.
  5. Educate Staff on Security Best Practices: Ensure that staff responsible for website maintenance are aware of potential risks and understand how to respond to security incidents.

The Larger Implications of CosmicSting

The CosmicSting vulnerability highlights the ever-evolving nature of cybersecurity threats. As e-commerce continues to grow, so does the attack surface for cybercriminals seeking to exploit vulnerabilities in widely used platforms. The impact on businesses can be devastating, with compromised customer data leading to loss of trust, financial penalties, and legal ramifications.

Final Thoughts: Stay Vigilant, Stay Updated

As the cyber threat landscape evolves, e-commerce site owners must remain vigilant in updating their systems and implementing robust security measures. The CosmicSting vulnerability serves as a stark reminder of the importance of proactive cybersecurity practices. Keeping software up-to-date, rotating encryption keys, and adopting a multi-layered defense strategy can help mitigate the risk of exploitation.

Stay informed about the latest cybersecurity threats. Subscribe to our newsletter for updates on vulnerabilities, security patches, and best practices for e-commerce site security.

FAQ

In this section, we have answered your frequently asked questions to provide you with the necessary guidance.

  • What is the CosmicSting vulnerability?

    CosmicSting, also known as CVE-2024-34102, is a critical security flaw affecting Adobe Commerce and Magento stores. It involves an XML external entity (XXE) vulnerability that allows unauthorized access to sensitive files and potentially enables remote code execution. The flaw has a CVSS score of 9.8, indicating its high severity.

  • How are attackers exploiting the CosmicSting vulnerability?

    Attackers exploit CosmicSting by reading arbitrary files on unpatched systems and stealing Magento’s secret encryption keys. These keys can then be used to generate JSON Web Tokens (JWTs) with full administrative access. In some cases, hackers chain CosmicSting with another vulnerability (CNEXT) to escalate privileges and execute remote code on the server.

  • What steps can e-commerce site owners take to protect against CosmicSting?

    To mitigate the risk of CosmicSting, site owners should:

    • Apply the latest security patches from Adobe.
    • Rotate secret encryption keys after updating.
    • Use web application firewalls (WAFs) to block malicious traffic.
    • Regularly conduct security audits to identify suspicious activities.
    • Educate staff on cybersecurity best practices.

  • Who is affected by the CosmicSting vulnerability?

    Any e-commerce business running Adobe Commerce or Magento may be affected, especially if they haven’t applied the necessary patches or rotated encryption keys. Notable companies such as Ray Ban, National Geographic, Cisco, and Segway have already experienced breaches linked to CosmicSting.

  • Is applying the latest patch enough to secure my store?

    While applying the patch is a crucial step, it is not sufficient on its own. Additional measures, such as rotating secret encryption keys and conducting ongoing security monitoring, are needed to ensure comprehensive protection against CosmicSting and related threats.