Hackers steal sensitive customer data from thousands of online stores that use Adobe tools


Distinct groups of cybercriminals have been exploiting the CosmicSting flaw in Adobe’s Commerce and Magento software to steal customers’ payment information.

According to research by Sansec, miscreants have used the flaw, also tracked as CVE-2024-34102, to hack at least 5% of all Adobe Commerce and Magento stores this summer, breaking into thousands of brands using the e-commerce solution, including a clutch of household names.

“Seven distinct groups are using CosmicSting attacks to plant malicious code on victim stores,” Sansec said in a blog post. “Among the victims are Ray Ban, National Geographic, Cisco, Whirlpool, and Segway.”

Last week, Adobe advised users to immediately apply a hotfix for the vulnerability as they are aware that the flaw has been exploited in the wild. In June, the software giant released an update including the patch as well as an isolated patch for customers to seal the critical security hole.

Widely used e-commerce customizing tools

Magento is an open-source e-commerce platform, launched in 2008, designed to help businesses build and customize online stores with a range of features, including product management, payment gateways, and shipping options.

In 2018 Adobe acquired Magento to power a fully managed, cloud-hosted offering within the Adobe Experience Cloud. Adobe later placed a version of this offering behind a license and packaged it into a new, larger product called Adobe Commerce.

Magento is available as a free e-commerce tool for smaller businesses while Adobe Commerce has a license fee, charging a percentage of a business’s annual revenue.

As of 2024 the two platforms together support over 230k active websites globally. Earlier, in June, Sansec's forensics team had warned that more than 75% of these stores were vulnerable to CosmicSting attacks.

CosmicSting attacks pose a serious threat

In a separate blog post explaining the details of the CosmicSting attacks, Sansec said these stores are being hacked at a rate of 3 to 5 per hour, and merchants need to patch this flaw immediately.

The bug, with a severity rating of CVSS 9.8 out of 10, can be used to read any files, including passwords and other secrets. “The typical attack strategy is to steal your secret crypt key from app/etc/env.php and use that to modify your CMS blocks via the Magento API,” Sansec said. “Then, attackers inject malicious JavaScript to steal your customer’s data.”

Combined with another bug (CVE-2024-2961), attackers can also run code directly on customers’ servers and use that to install backdoors, the cybersecurity firm added.

Versions of Magento and Adobe Commerce vulnerable to a CosmicSting attack include 2.4.7 and earlier, 2.4.6-p5 and earlier, 2.4.5-p7 and earlier, and 2.4.4-p8 and earlier. Enterprises are advised to patch immediately and apply the hotfix for the flaw.
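Turning that version list into a check a merchant can run over a store inventory is less obvious than it looks, because the fixed releases (for example 2.4.5-p8) sort below the affected ceiling of the next branch (2.4.6-p5) if versions are compared as plain tuples. The following is an added example, not code from the article, Sansec or Adobe; it compares patch levels within the same branch, treats anything older than 2.4.4 as covered by "2.4.4-p8 and earlier", and assumes (not stated in the article) that branches newer than 2.4.7 shipped fixed.

```python
import re
from typing import Dict, List, Tuple

# Affected ceilings as listed in the article: each branch (major.minor.patch)
# is vulnerable up to and including this security patch level ("-pN").
# A bare "2.4.7" is treated as patch level 0.
COSMICSTING_VULNERABLE_CEILINGS: Dict[Tuple[int, int, int], int] = {
    (2, 4, 7): 0,   # 2.4.7 and earlier
    (2, 4, 6): 5,   # 2.4.6-p5 and earlier
    (2, 4, 5): 7,   # 2.4.5-p7 and earlier
    (2, 4, 4): 8,   # 2.4.4-p8 and earlier
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], int]:
    """Split '2.4.6-p5' into ((2, 4, 6), 5); a missing '-pN' means level 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch)), int(plevel or 0)


def is_cosmicsting_vulnerable(version: str) -> bool:
    """True if the version falls inside one of the affected ranges above."""
    branch, plevel = parse_version(version)
    if branch in COSMICSTING_VULNERABLE_CEILINGS:
        # Same branch: only the patch level decides (2.4.5-p8 is fixed,
        # even though it would sort below 2.4.6-p5 as a flat tuple).
        return plevel <= COSMICSTING_VULNERABLE_CEILINGS[branch]
    # Unlisted branches: older than 2.4.4 is covered by "2.4.4-p8 and
    # earlier"; newer than 2.4.7 is assumed to have shipped fixed.
    return branch < min(COSMICSTING_VULNERABLE_CEILINGS)


def audit_inventory(stores: Dict[str, str]) -> List[str]:
    """Return the names of stores whose reported version is still affected."""
    return sorted(name for name, ver in stores.items()
                  if is_cosmicsting_vulnerable(ver))


# Constructed sample inventory (store name -> reported version), not real data.
SAMPLE_STORES = {
    "shop-eu": "2.4.7",       # affected: needs 2.4.7-p1
    "shop-us": "2.4.6-p6",    # fixed
    "shop-apac": "2.4.5-p8",  # fixed despite sorting below 2.4.6-p5
    "legacy": "2.4.3-p3",     # older than any listed branch: affected
}

if __name__ == "__main__":
    print("still affected:", audit_inventory(SAMPLE_STORES))
```

A version that passes this check only means the release contains Adobe's June patch; it does not confirm that the separately distributed hotfix the article mentions has been applied.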

Also by Shweta Sharma:

Over 80% of phishing sites now target mobile devices

Critical Ivanti flaw exploited despite available patches

Data of 300k digiDirect customers leaked in alleged attack
