Cybercriminals Exploit CosmicSting Vulnerability, Hacking Thousands of Adobe Commerce and Magento Stores

by do son · Published October 3, 2024 · Updated October 3, 2024

Malware in the National Geographic store | Image: Sansec

In a significant cybersecurity breach this summer, cybercriminals compromised approximately 5% of all Adobe Commerce and Magento stores, affecting over 4,275 online retailers—including major brands like Ray-Ban, National Geographic, Cisco, Whirlpool, and Segway. The attacks were orchestrated by seven different hacking groups exploiting the CosmicSting vulnerability (CVE-2024-34102) to inject malicious code and steal sensitive customer data.

Since the disclosure of the CosmicSting vulnerability in June, warnings about its critical nature went unheeded by many businesses. Despite Adobe designating the flaw as critical on July 8 and issuing guidelines for manually removing outdated cryptographic keys, thousands of stores remained exposed. The vulnerability allowed attackers to steal secret cryptographic keys, which were not automatically revoked during system updates, leaving a door wide open for exploitation.

Each of the seven hacker groups sought to exploit CosmicSting to pilfer Magento’s cryptographic keys and gain unauthorized access to customer information. With these keys, they generated API authorization tokens to embed payment skimmers on checkout pages, siphoning off customers’ financial data. Intriguingly, the vulnerability did not enable the initial attackers to prevent subsequent groups from infiltrating the same stores, leading to a cyber turf war over control of the compromised sites.

To streamline tracking and differentiation, cybersecurity experts at Sansec assigned these groups

Group Bobry: This group employs whitespace encoding to camouflage malicious code that triggers a payment skimmer located on a separate server.
Group Polyovki: This group utilizes a script injection from cdnstatics.net/lib.js for its attacks.
Group Surki: This group relies on XOR encoding to hide its JavaScript code, making it difficult to detect.
Group Burunduki: This group retrieves dynamic skimmer code from a WebSocket connection at wss://jgueurystatic[.]xyz:8101.
Group Ondatry: This group employs custom JavaScript loader malware to insert fake payment forms that closely resemble those used by legitimate merchant sites.
Group Khomyaki: This group steals payment data and sends it to domains with a distinctive 2-character URI pattern, such as “rextension[.]net/za/”.
Group Belki: This group utilizes the CosmicSting exploit in conjunction with CNEXT to install backdoors and skimmer malware on compromised systems.

Following the vulnerability’s critical designation, large-scale automated attacks began in earnest. Thousands of secret cryptographic keys were stolen, and without automatic revocation upon system updates, the attackers faced little resistance. The overlapping incursions by multiple groups led to a struggle for dominance over the same compromised stores.

Sansec strongly advises all Magento and Adobe Commerce store owners to urgently update their systems to the latest version and to revoke and replace old cryptographic keys. Implementing specialized server-side monitoring tools can further bolster defenses against such sophisticated attacks.

Sansec reported that none of their clients were affected, attributing this to proactive security measures. However, they predict a continued increase in compromised stores in the coming months, as approximately 75% of Adobe Commerce and Magento stores have yet to apply the necessary patches.