5% of Adobe Commerce & Magento Stores Compromised by CosmicSting Vulnerability

Cybersecurity researchers have revealed that 5% of all Adobe Commerce and Magento stores have been breached by attackers exploiting a critical vulnerability known as CosmicSting.

The vulnerability, tracked as CVE-2024-34102 with a CVSS score of 9.8, is an XML external entity (XXE) injection, an improper restriction of XML external entity references, that lets an unauthenticated attacker read arbitrary files from the server and, chained with a second bug, achieve remote code execution. The flaw was reported by a researcher known as spacewasp and patched by Adobe in June 2024.

Dutch security firm Sansec described CosmicSting as the “worst bug to hit Magento and Adobe Commerce stores in two years.” According to their findings, e-commerce sites are being attacked at a rate of three to five per hour.

Due to its severity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in mid-July 2024.

How Attacks Are Being Carried Out

Attackers have been using CosmicSting to read Magento's secret encryption key from app/etc/env.php. With that key they mint JSON Web Tokens (JWTs) that the store accepts as full administrative API credentials, and they have been observed using the Magento REST API with those tokens to inject malicious scripts into compromised sites.

Applying the patch closes the file-read hole but does nothing about a key that was already stolen: a JWT forged with a leaked key stays valid for as long as that key is honoured. Site owners must therefore also rotate the encryption key and confirm the old key is no longer accepted.

Since August 2024, attackers have also chained CosmicSting with CNEXT (CVE-2024-2961), a vulnerability in the iconv() implementation of the GNU C Library (glibc), to obtain remote code execution.

“CosmicSting (CVE-2024-34102) allows arbitrary file reading on unpatched systems. When combined with CNEXT (CVE-2024-2961), threat actors can escalate to remote code execution, taking over the entire system,” Sansec explained.

The ultimate goal of these attacks is to establish persistent, covert access to the host via GSocket, allowing for the execution of rogue JavaScript that can steal payment data entered by users on compromised sites.

Companies Affected by CosmicSting

Recent data shows that several major companies, including Ray-Ban, National Geographic, Cisco, Whirlpool, and Segway, have fallen victim to these attacks. At least seven distinct groups have been involved in exploiting CosmicSting, each using different techniques:

  1. Group Bobry – Uses whitespace encoding to hide code that executes a payment skimmer hosted on a remote server.
  2. Group Polyovki – Injects malware from cdnstatics[.]net/lib.js.
  3. Group Surki – Employs XOR encoding to obscure JavaScript code.
  4. Group Burunduki – Accesses a dynamic skimmer via WebSocket at wss://jgueurystatic[.]xyz:8101.
  5. Group Ondatry – Injects fake payment forms that closely mimic legitimate ones used by merchant sites.
  6. Group Khomyaki – Exfiltrates payment data to suspicious domains with two-character URIs like rextension[.]net/za/.
  7. Group Belki – Combines CosmicSting with CNEXT to plant backdoors and skimmer malware.

Protecting Your Store

Sansec strongly advises all merchants to upgrade to the latest version of Magento or Adobe Commerce immediately. Merchants should also rotate their secret encryption key and verify that tokens signed with the old key are rejected, since a rotation that leaves the old key honoured does not lock out an attacker who already has it.
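The following is an added example written for this article, not code from Sansec, Adobe or the Magento project. It models the point made above and in the "How Attacks Are Being Carried Out" section: an HS256 JWT forged with a stolen crypt key keeps working after the patch, keeps working after a key rotation that still honours the old key, and only fails once the old key is no longer accepted. The key value, the claim names (uid, utypid) and the newline-separated key list are constructed or assumed for illustration; whether a given Magento version still honours rotated-out keys depends on the version and is not something this script checks.

```python
"""Toy model of admin API JWTs signed with a Magento-style crypt key.

Added example: illustrates why patching without rotating (and invalidating)
the encryption key leaves a CosmicSting victim exposed. Uses only the
standard library; it does not talk to a real store.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import List, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: str) -> str:
    """Produce an HS256 JWT. An attacker holding a stolen crypt key does exactly this."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, accepted_keys: List[str], now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token verifies under any accepted key and is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # refuse alg=none and algorithm confusion
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    sig = _b64url_decode(sig_b64)
    for key in accepted_keys:
        expected = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(sig, expected):
            claims = json.loads(_b64url_decode(payload_b64))
            current = int(time.time()) if now is None else now
            if claims.get("exp", 0) <= current:
                return None
            return claims
    return None


def parse_crypt_keys(env_php_crypt_key: str) -> List[str]:
    """Assumption for this model: rotated keys are kept newline-separated in the
    'crypt'/'key' entry of app/etc/env.php, newest last."""
    return [k for k in env_php_crypt_key.split("\n") if k]


def rotate_key(env_php_crypt_key: str, new_key: str) -> str:
    """Append a fresh key; the old one is still present in the file."""
    return env_php_crypt_key + "\n" + new_key


def demonstrate() -> dict:
    """Walk through patch -> rotate -> invalidate and report whether the forged token is still accepted."""
    # Constructed sample key, not a real store's secret.
    env_key = "0123456789abcdef0123456789abcdef"
    now = 1_700_000_000

    # Attacker read env_key via CosmicSting (arbitrary file read) and forged an admin token.
    # utypid=2 is assumed here to denote an admin user; the claim names are illustrative.
    forged = sign_jwt({"uid": 1, "utypid": 2, "iat": now, "exp": now + 3600}, env_key)

    # 1. XXE patched, key untouched: the forged token still verifies.
    after_patch = verify_jwt(forged, parse_crypt_keys(env_key), now) is not None

    # 2. Key rotated, but the verifier still honours every key in the file.
    rotated = rotate_key(env_key, secrets.token_hex(16))
    after_rotation = verify_jwt(forged, parse_crypt_keys(rotated), now) is not None

    # 3. Only the current key is accepted: the attacker is finally locked out.
    after_invalidation = verify_jwt(forged, parse_crypt_keys(rotated)[-1:], now) is not None

    return {
        "after_patch": after_patch,                 # True: patch alone does not help
        "after_rotation_old_key_honoured": after_rotation,   # True: rotation alone does not help
        "after_old_key_invalidated": after_invalidation,     # False: only this locks the attacker out
    }


if __name__ == "__main__":
    for step, still_valid in demonstrate().items():
        print(f"{step}: forged token accepted = {still_valid}")
```

The useful operational check is step 3: after rotating, take a token issued under the old key (or mint one yourself with the key you are retiring) and confirm the store's API rejects it. If it still works, the rotation has not actually removed the attacker's access.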

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067