Adobe Commerce (formerly known as Magento) is a robust e-commerce platform owned by Adobe that provides flexible and scalable solutions for both B2B and B2C businesses.
It offers features like “advanced customization,” “integrated analytics,” and “cloud-based hosting” via “Adobe Commerce Cloud.”
Sansec research analysts recently discovered that threat actors have been actively exploiting CosmicSting vulnerability to hack thousands of Adobe Commerce (aka Magento Stores).
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free
Hackers Exploit CosmicSting Flaw
A critical security vulnerability known as “CosmicSting” which is tracked as “CVE-2024-34102” has enabled seven distinct hacker groups to compromise “4275 Adobe Commerce and Magento e-commerce platforms” since June 11, 2024.
The vulnerability specifically targeted the cryptographic key system of the platforms.
This enabled threat actors to generate “unauthorized API authorization tokens,” which gave them access to inject malicious code called “payment skimmers” into store checkout pages via “CMS blocks.”
Despite Adobe releasing a security patch on July 8th with a critical severity rating, approximately “5% of all stores were affected.”
This happened due to the update that didn’t automatically invalidate existing cryptographic keys, which left the merchants vulnerable unless they manually removed “old keys.”
The attack groups, identified as:-
- Bobry (using whitespace encoding)
- Polyovki (utilizing cdnstatics.net)
- Surki (employing 42-based encryption)
- Burunduki (implementing websocket sniffers)
- Ondatry (targeting MultiSafePay payment systems)
The operators of these groups employed various sophisticated techniques like “malware loaders,” “custom obfuscation methods,” and “data exfiltration” via compromised “proxy stores” to steal sensitive customer payment information from affected merchants, Sansec said.
The 2024 CosmicSting cyber attack campaign has emerged as a significant threat targeting vulnerable e-commerce platforms through sophisticated “encryption key” exploitation techniques.
Multiple threat actors like “Group Khomyaki” (utilizing two-letter JSC malware loader endpoints with 2-character URIs), “Group Belki” (deploying Remote Code Execution via exploit combinations with CNEXT), and the “Surki group” (known for skimming malware injection) are actively exploiting unpatched systems.
The attackers’ methodology involves extracting secret encryption keys via “automated scanning,” which helps them establish backdoors in “system files” and “background processes”.
Apart from this, deploying the “CosmicSting malware” enables unauthorized server access and code execution.
While approximately “75% of Adobe Commerce and Magento installations” remained unpatched when the automated encryption key scanning began.
Mitigations
To mitigate these threats merchants are strongly advised to implement three critical security measures:-
- Upgrade to the latest version of their e-commerce platform.
- Rotate and invalidate old encryption keys.
- Deploy server-side malware and vulnerability monitoring solutions.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Webinar