Sansec researchers reported that multiple threat actors have exploited a critical Adobe Commerce vulnerability, tracked as CVE-2024-34102 (aka CosmicSting, CVSS score of 9.8), to compromise more than 4,000 e-stores over the past three months.
The flaw is an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could result in arbitrary code execution. An attacker could exploit this issue by sending a crafted XML document that references external entities. The experts pointed out that the exploitation of this issue does not require user interaction. The flaw impacts Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. Adobe warned that it is aware that CVE-2024-34102 has been exploited in the wild in limited attacks targeting Adobe Commerce merchants.
U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog in July 2024.
According to Sansec, CosmicSting (CVE-2024-34102) is the most severe bug impacting Magento and Adobe Commerce stores in two years, with hacks occurring at a rate of 3 to 5 per hour. Merchants are urged to implement countermeasures immediately.
An attacker can also chain the flaw with the vulnerability CVE-2024-2961 to run code arbitrary code on the underlying server and install backdoors.
“CosmicSting targets a critical bug in the Adobe Commerce and Magento platforms. Bad actors use it to read any of your files, such as passwords and other secrets. The typical attack strategy is to steal your secret crypt key from app/etc/env.php
and use that to modify your CMS blocks via the Magento API. Then, attackers inject malicious Javascript to steal your customer’s data.” reads the advisory published by Sansec. “Combined with another bug (CVE-2024-2961), attackers can also run code directly on your servers and use that to install backdoors.”
The exploitation has a severe impact on e-commerce, the researchers reported that cybercriminals have hacked 5% of all Adobe Commerce and Magento stores this summer. The attacker also compromised e-stores of major organizations, including Ray-Ban, National Geographic, Cisco, Whirlpool and Segway. Sansec experts reported that at least seven distinct groups are exploiting the vulnerability CosmicSting to deploy e-skimmers on victim stores.
“Sansec research shows that seven different groups have been hacking into 4275 online stores since the publication of CVE-2024-34102 (also known as CosmicSting) on June 11th. Despite ongoing warnings, five percent of all Adobe Commerce and Magento stores ended up with a payment skimmer on their checkout page this summer.” reports Sansec.
Threat groups exploiting this vulnerability include Bobry, Polyovki (infecting over 650 stores), Surki, Burunduki, Ondatry, Khomyaki, and Belki. The Ondatry group compromised over 4,000 e-stores in 2022 using the TrojanOrder vulnerability, but they have now switched to CosmicSting.
Adobe issued a critical severity rating on July 8th after automated attacks began, stealing thousands of cryptographic keys. However, the experts noticed that updating systems didn’t automatically invalidate old keys, leaving stores vulnerable. Adobe provided a manual guide to remove old keys, but not all merchants followed it.
“Each group uses CosmicSting attacks to steal secret Magento cryptographic keys.” continues Sansec. “This key is then used to generate an API authorization token, enabling the attacker to access private customer data and insert payment skimmers into the checkout process through “CMS blocks”
Administrators of
Adobe Commerce and Magento e-store are recommended to upgrade their installations as soon as possible.Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CVE-2024-34102)