{"id":666,"date":"2024-10-02T11:51:12","date_gmt":"2024-10-02T17:51:12","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/?p=666"},"modified":"2024-10-02T11:51:16","modified_gmt":"2024-10-02T17:51:16","slug":"magento-and-adobe-commerce-stores-are-victims-of-the-cosmicsting-attack","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2024\/10\/02\/magento-and-adobe-commerce-stores-are-victims-of-the-cosmicsting-attack\/","title":{"rendered":"Magento and Adobe Commerce Stores Are Victims of the CosmicSting Attack."},"content":{"rendered":"\n

Introduction<\/strong><\/h4>\n\n\n\n

Cybersecurity researchers have discovered evidence of a large-scale attack targeting Adobe Commerce and Magento online retailers. Roughly 5% of these online marketplaces have been compromised by the so-called “CosmicSting” security holes. With a CVSS [Common Vulnerability Scoring System (CVSS) ]<\/strong> severity rating of 9.8<\/strong>, CVE-2024-34102<\/strong> is one of the most serious vulnerabilities that have been recently discovered. With the help of the mysterious researcher known only as “spacewasp,” Adobe patched this vulnerability in June 2024. But the vulnerability is still wreaking havoc on affected sites, even after applying the patch.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Fig. 1.1<\/p>\n\n\n\n

Adobe Commerce and Magento e-commerce platforms are susceptible to the CosmicSting vulnerability.<\/p>\n\n\n\n

Understanding the CosmicSting Exploit (CVE-2024-34102)<\/strong><\/h4>\n\n\n\n

An XML External Entity (XXE) <\/strong>vulnerability can be exploited by the CosmicSting Exploit (CVE-2024-34102) to execute remote malware on systems that have not been patched. This security hole allows remote attackers to potentially take control of the server and access any data stored there. One Dutch security firm, Sansec<\/strong>, has called this flaw the “worst bug to hit Magento and Adobe Commerce stores in the past two years.” Their research shows that every hour, three to five online stores<\/strong> are affected.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Fig. 1.2<\/p>\n\n\n\n

The Effects and Exploitation<\/strong><\/p>\n\n\n\n

The consequences of CosmicSting are substantial. The private encryption key of Magento has been the target of multiple attacks that have taken advantage of this vulnerability. An attacker might use this key to create JSON Web Tokens (JWTs)<\/strong>, giving them full administrative access to the platform’s API. With this level of administrative access, hackers can use the Magento REST API<\/strong> to insert scripts that do harm to the website.Even with the latest patch applied, you may still be vulnerable to this exploit. If website owners really want to take security seriously, they should rotate their encryption keys<\/strong> on a regular basis. Patches that do not invalidate old keys leave systems vulnerable to attack.<\/p>\n\n\n\n

Most recent Events: Unifying CosmicSting with CNEXT<\/strong><\/p>\n\n\n\n

In August 2024, together with CosmicSting, attackers began exploiting a new vulnerability called CNEXT <\/strong>(CVE-2024-2961). The CNEXT vulnerability is one way the GNU C library (glibc)<\/strong> could provide remote code execution<\/strong>. This impacts the iconv library<\/strong>. In order to get complete control of the infected systems, attackers can escalate their privileges by combining these two vulnerabilities.<\/p>\n\n\n\n

According to Sansec, when these two vulnerabilities are coupled, they provide a substantial danger. The combination of CosmicSting and CNEXT allows attackers to read any file they want and execute malicious code remotely. With ongoing access<\/strong> to the system, threat actors might install malicious scripts and steal critical information, including payment details<\/strong>, from unsuspecting consumers.<\/p>\n\n\n\n

End Objectives: Predators and Victims of Identity Theft<\/strong><\/p>\n\n\n\n

Websites powered by Magento and Adobe Commerce are frequently targeted by assaults aimed at payment skimmers<\/strong>. These “skimmers” sneak up on consumers and transmit their credit card information to the store. Attackers use a variety of techniques to keep their malicious scripts secret and undiscovered.<\/p>\n\n\n\n

The activities in question have been associated with various distinct hacking groups. Some of the more prominent types are as follows:<\/p>\n\n\n\n

    \n
  1. Group Bobry<\/strong> \u2013 Utilising whitespace encoding<\/strong>, the code that controls a payment skimmer on an off-site server is concealed.<\/li>\n\n\n\n
  2. Group Polyovki<\/strong> \u2013 Injecting malicious scripts from cdnstatics.net\/lib.js<\/strong> is done by the Polyovki Group.<\/li>\n\n\n\n
  3. Group Surki<\/strong> \u2013The Surki Group uses XOR encoding<\/strong> to conceal JavaScript code.<\/li>\n\n\n\n
  4. Group Burunduki<\/strong> \u2013 A dynamic skimmer code can be accessed by Group Burunduki over a WebSocket<\/strong> hosted at wss:\/\/jgueurystatic[.]xyz:8101.<\/strong><\/li>\n\n\n\n
  5. Group Ondatry<\/strong> \u2013 The Ondatry Group uses their own virus to create what appear to be legitimate payment forms.<\/li>\n\n\n\n
  6. Group Khomyaki<\/strong> \u2013 The Khomyaki group uses a 2-character URI<\/strong> (such rextension[.]net\/za\/) to steal sensitive financial data and send it to dubious websites.<\/li>\n\n\n\n
  7. Group Belki<\/strong> \u2013The Belki organisation uses a combination of CNEXT<\/strong> and CosmicSting<\/strong> to install backdoors and deploy skimmer malware.<\/li>\n<\/ol>\n\n\n\n

    Renowned Victims<\/strong><\/p>\n\n\n\n

    The CosmicSting assault has compromised the data of well-known brands such as Ray-Ban<\/strong>, National Geographic<\/strong>, Cisco<\/strong>, Whirlpool<\/strong>, and Segway<\/strong>. Concerned about the scale of the attacks, the e-commerce community has begun to take action, and security agencies throughout the world have joined in. After adding CosmicSting to its Known Exploited Vulnerabilities (KEV)<\/strong> database, the United States Cybersecurity and Infrastructure Security Agency (CISA)<\/strong> urged enterprises to act immediately midway through July 2024.<\/p>\n\n\n\n

    Ways to Avoid Danger and Maximise Success:<\/strong><\/p>\n\n\n\n

    Sansec has issued the following demands to all Magento and Adobe Commerce merchants due to the seriousness of the situation:<\/p>\n\n\n\n