Introduction
Cybersecurity researchers have discovered evidence of a large-scale attack targeting Adobe Commerce and Magento online retailers. Roughly 5% of these online stores have been compromised through the so-called “CosmicSting” vulnerability. With a CVSS (Common Vulnerability Scoring System) severity rating of 9.8, CVE-2024-34102 is one of the most serious vulnerabilities disclosed recently. With the help of the mysterious researcher known only as “spacewasp,” Adobe patched this vulnerability in June 2024, but the vulnerability is still wreaking havoc on affected sites, even after the patch has been applied.
Fig. 1.1
Adobe Commerce and Magento e-commerce platforms are susceptible to the CosmicSting vulnerability.
Understanding the CosmicSting Exploit (CVE-2024-34102)
CosmicSting (CVE-2024-34102) is an XML External Entity (XXE) vulnerability that can be exploited for remote code execution on systems that have not been patched. The flaw allows remote attackers to potentially take control of the server and access any data stored there. The Dutch security firm Sansec has called it the “worst bug to hit Magento and Adobe Commerce stores in the past two years.” Its research shows that three to five online stores are being compromised every hour.
Fig. 1.2
The Effects and Exploitation
The consequences of CosmicSting are substantial. Multiple attacks exploiting this vulnerability have targeted Magento’s private encryption key. An attacker who holds this key can create JSON Web Tokens (JWTs) that grant full administrative access to the platform’s API. With that level of access, attackers can use the Magento REST API to insert scripts that harm the website. Even with the latest patch applied, a store may still be exposed to this exploit: patches that do not invalidate old keys leave systems open to attack, so website owners who take security seriously should rotate their encryption keys on a regular basis.
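To show why the paragraph above insists on key rotation rather than patching alone, here is an added example (not code from the post, from Magento or from Adobe Commerce) of an HMAC-signed JWT verifier that also enforces a rotation cut-off. It assumes HS256 tokens and a constructed scenario in which the old key has leaked and an admin token was forged with it; the actual key format and token algorithm used by Magento are not described on this page.

```python
# Added example, not code from the post or from Magento/Adobe Commerce.
# HS256 JWT verifier (assumed algorithm) that also enforces a key-rotation
# cut-off, showing why patching without rotating the key leaves forged
# tokens valid.
import base64, hashlib, hmac, json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, key: bytes) -> str:
    """Build an HS256 JWT; used here only to construct sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, current_key: bytes, rotated_at: int):
    """Return the payload if the signature checks out under the CURRENT key
    and the token was issued at or after the last rotation, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(current_key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    payload = json.loads(_b64url_decode(body))
    # Reject anything minted before rotation so long-lived tokens die with the key.
    if payload.get("iat", 0) < rotated_at:
        return None
    return payload


# Constructed scenario: the old key leaked and an admin token was forged with it.
OLD_KEY = b"leaked-crypt-key"
NEW_KEY = b"fresh-crypt-key-after-rotation"
ROTATED_AT = 1_720_000_000  # constructed epoch time of the key rotation
FORGED_TOKEN = sign_jwt({"uid": 1, "role": "admin", "iat": ROTATED_AT - 3600}, OLD_KEY)


def forged_token_accepted(key: bytes, rotated_at: int) -> bool:
    """True if the store still honours the forged token under the given key state."""
    return verify_jwt(FORGED_TOKEN, key, rotated_at) is not None
```

With the patch applied but the leaked key still in service (`forged_token_accepted(OLD_KEY, 0)`) the forged admin token is accepted; after rotation to `NEW_KEY` it is rejected, and the `iat` check additionally kills any token minted before the rotation time.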
Most recent Events: Unifying CosmicSting with CNEXT
In August 2024, attackers began exploiting a second vulnerability, CNEXT (CVE-2024-2961), together with CosmicSting. CNEXT is a flaw in the iconv component of the GNU C library (glibc) that can lead to remote code execution. By combining the two vulnerabilities, attackers can escalate their privileges and gain complete control of the affected systems.
According to Sansec, the two vulnerabilities pose a substantial danger when coupled. The combination of CosmicSting and CNEXT allows attackers to read any file they want and execute malicious code remotely. With ongoing access to the system, threat actors can install malicious scripts and steal critical information, including payment details, from unsuspecting consumers.
End Objectives: Predators and Victims of Identity Theft
Websites powered by Magento and Adobe Commerce are frequently targeted by attacks that plant payment skimmers. These “skimmers” silently capture consumers’ credit card details as they are entered into the store and transmit them to servers under the attackers’ control. Attackers use a variety of techniques to keep their malicious scripts hidden and undiscovered.
The activity has been attributed to several distinct hacking groups. The more prominent are as follows:
- Group Bobry – Uses whitespace encoding to conceal the code that loads a payment skimmer from an off-site server.
- Group Polyovki – Injects malicious scripts from cdnstatics.net/lib.js.
- Group Surki – Uses XOR encoding to conceal JavaScript code.
- Group Burunduki – Loads dynamic skimmer code over a WebSocket hosted at wss://jgueurystatic[.]xyz:8101.
- Group Ondatry – Uses its own malware to create what appear to be legitimate payment forms.
- Group Khomyaki – Uses a 2-character URI (such as rextension[.]net/za/) to steal sensitive financial data and send it to dubious websites.
- Group Belki – Uses a combination of CNEXT and CosmicSting to install backdoors and deploy skimmer malware.
Renowned Victims
The CosmicSting attacks have compromised the data of well-known brands such as Ray-Ban, National Geographic, Cisco, Whirlpool, and Segway. Concerned about the scale of the attacks, the e-commerce community has begun to take action, and security agencies throughout the world have joined in. In mid-July 2024, after adding CosmicSting to its Known Exploited Vulnerabilities (KEV) database, the United States Cybersecurity and Infrastructure Security Agency (CISA) urged enterprises to act immediately.
Ways to Avoid Danger and Maximise Success
Given the seriousness of the situation, Sansec has urged all Magento and Adobe Commerce merchants to take the following steps:
- Upgrade to the latest version of Magento or Adobe Commerce, which includes patches for both CosmicSting and CNEXT vulnerabilities.
- Rotate secret encryption keys to prevent unauthorised access via previously stolen keys.
- Invalidate old encryption keys to ensure that attackers can no longer use them to gain access.
- Regularly monitor your system for signs of compromise, such as unexpected API calls or unauthorised script injections.
- Implement security measures like Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDS) to detect and block malicious activity.
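The monitoring item above asks for “unexpected API calls” to be spotted. The following is an added example (not from the post, Sansec or Magento) that scans constructed access-log lines for successful REST API write calls against storefront content endpoints, the kind of call an attacker holding a forged admin token would make to inject a script. The endpoint list and the sample log lines are assumptions for illustration; adjust the paths to the endpoints your store actually exposes.

```python
# Added example, not from the post: scan constructed Magento-style access-log
# lines for REST API write calls that change storefront content, one of the
# "unexpected API calls" the post suggests monitoring for.
import re
from collections import defaultdict

# Assumed set of content endpoints worth alerting on; adjust to your store.
CONTENT_WRITE_PATHS = ("/rest/V1/cmsBlock", "/rest/V1/cmsPage", "/rest/default/V1/cmsBlock")
WRITE_METHODS = {"POST", "PUT", "DELETE"}

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2024:03:12:41 +0000] "GET /rest/V1/products/SKU-1 HTTP/1.1" 200 812
203.0.113.7 - - [10/Jul/2024:03:12:44 +0000] "POST /rest/V1/integration/admin/token HTTP/1.1" 200 44
203.0.113.7 - - [10/Jul/2024:03:12:50 +0000] "PUT /rest/V1/cmsBlock/12 HTTP/1.1" 200 211
198.51.100.4 - - [10/Jul/2024:03:13:02 +0000] "GET /checkout/ HTTP/1.1" 200 9021
203.0.113.7 - - [10/Jul/2024:03:13:10 +0000] "POST /rest/V1/cmsBlock HTTP/1.1" 200 230
"""


def parse_line(line: str):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_content_writes(log_text: str):
    """Return {ip: [(method, path), ...]} for successful (2xx) content write calls."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] not in WRITE_METHODS:
            continue
        if rec["path"].startswith(CONTENT_WRITE_PATHS) and rec["status"].startswith("2"):
            hits[rec["ip"]].append((rec["method"], rec["path"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, calls in find_content_writes(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {len(calls)} content write(s) via REST API: {calls}")
```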
Adobe Commerce and Magento are two e-commerce platforms that are especially susceptible to the CosmicSting vulnerability. By chaining these security flaws, attackers can potentially gain control of websites and steal critical financial data. All affected companies must promptly secure their platforms, patch the vulnerabilities, and rotate their encryption keys. Inaction can lead to serious financial losses and persistent exploitation.
References
Blog post: https://thehackernews.com/2024/10/alert-adobe-commerce-and-magento-stores.html
Fig 1.1: https://www.canva.com/design/DAGSbH3th-w/Q5BptwkpwRad7mVzDDVNJQ/edit
CosmicSting: https://sansec.io/research/cosmicsting
Amazing post Krupali, thoughtful read! Patching systems can get delayed in organizations, and also a hurried response in patching without testing can result in a Crowdstrike Falcon scenario. It’s alarming how long this is stretching and why systems cannot be quickly patched to get the fix issued and such vulnerabilities resolved. The biggest rush in deploying applications without rigorous testing adds pressure on development teams to come up with new features and testers to roll out new use cases, which may in turn give fodder to cyber preys to jump on.
Great post Krupali, what’s really interesting is the link you made between the CNEXT vulnerability and CosmicSting. By showing how these vulnerabilities might be chained together, you really helped illustrate the compounding nature of security threats and the significance of comprehensive patching techniques. Your work really highlights how important it is to maintain vigilant watchfulness, apply patches on time, and take proactive security steps in an increasingly complicated digital environment.
Great post, Krupali!
Around 5% of online stores were compromised because of the Cosmicsting vulnerability. Even though Adobe patched the vulnerability, many e-commerce sites continue to be at risk. The exploitation of the Cosmicsting and CNext vulnerabilities together poses a major threat, as exploitation of these vulnerabilities provides attackers with more control over the system. This security incident serves as an important reminder of the urgent need for timely patching, robust key management practices, continuous security monitoring and the use of IDS and WAF.
Excellent post Krupali! I know XXE is considered a serious and unfortunately common issue, and is included as one of the vulnerabilities in the Open Worldwide Application Security Project (OWASP) Top 10: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#:~:text=An%20XML%20eXternal%20Entity%20injection,the%20Common%20Weakness%20Enumeration%20referential.
Being able to inject code is a serious and scary vulnerability, as you clearly explained.
One thing that struck me is how ingenious the attacks were. Being able to encode their attacks using whitespace or XOR is incredible! It’s too bad attackers don’t put their skills to more benevolent uses.
That’s an excellent post Krupali! I noticed how you described the importance of regularly rotating encryption keys! The idea that fixing the system alone won’t be sufficient if the old keys are still in use is unnerving. I think a lot of businesses overlook this step, but it’s really important to stop ongoing access to compromised systems. The sheer number of hacking groups involved in this is astounding. XOR and whitespace encoding are two tactics that every group uses to remain under detection. That just serves to show how cunning and well-prepared the fraudsters are. There isn’t just one huge attack; rather, numerous factions are combining to accomplish the same aim.
This is jaw-dropping. Payment information is one of the most sensitive categories of Personally Identifiable Information (PII) out there and seeing that this was compromised in this breach is absolutely jaw-dropping and scary. The security world is always evolving and bad actors are always evolving as well and looking for ways to improve their strategies and make them more stealthy. This post is an eye-opener for me and gives information on things to look out for. The vulnerability is particularly very dangerous, especially considering that it still poses a threat after patches are applied. The recommendations for WAF and the rotation of encryption keys are great because I believe WAF is a requirement for PCI DSS (Payment Card Industry Data Security Standard) compliant merchants. Great post once again and an awesome knowledge add.
well done!
The article you’ve shared highlights a significant cybersecurity threat to Magento and Adobe Commerce platforms known as the CosmicSting vulnerability, along with its exploitation by cybercriminal groups, and this shows that business owners need to take some cybersecurity measures to close down the vulnerability of their systems:
- Update to the latest Magento or Adobe Commerce version that includes patches for both the CosmicSting and CNEXT vulnerabilities.
- Rotate encryption keys regularly to avoid using stolen keys.
- Invalidate old encryption keys to prevent unauthorized access via previously compromised keys.