Summary
Adobe Commerce and Magento online stores are being targeted in CosmicSting attacks at an increasingly scaling rate, with threat actors hacking approximately 5% of all Adobe Commerce and Magento stores. The CosmicSting vulnerability, designated CVE-2024-34102, is a critical severity information disclosure flaw; when chained with CVE-2024-2961, a security issue in glibc’s iconv function, an attacker can achieve remote code execution on the target server.
Community Response
With the prevalence of e-commerce platforms in the retail and hospitality sector, CosmicSting presents an active and ongoing threat to those who utilize the Adobe Commerce and Magento online stores to facilitate services online. RH-ISAC Members who utilize Adobe Commerce and Magento online stores are encouraged to review the intelligence included in this report, the original Sansec report linked above, and review the mitigations provided below.
Background
The critical flaw impacts Adobe Commerce 2.4.7 and earlier, Adobe Commerce Extended Support 2.4.3-ext-7 and earlier, Magento Open Source 2.4.7 and earlier, and Adobe Commerce Webhooks Plugin versions 1.2.0 to 1.4.0. Security company Sansec has been tracking attacks since June 2024 and observed 4,275 stores breached in CosmicSting attacks, including high-profile victims such as Whirlpool, Ray-Ban, National Geographic, Segway, and Cisco.
The researchers are now tracking seven different threat groups that employ CosmicSting to compromise unpatched sites, named “Bobry,” “Polyovki,” “Surki,” “Burunduki,” “Ondatry,” “Khomyaki,” and “Belki.” These groups are considered financially motivated opportunists, breaching the sites to steal credit card and customer information. The threat actors are leveraging CosmicSting to steal Magento cryptographic keys, inject payment skimmers to steal cards from order checkout webpages, and even combat each other for control over vulnerable stores.
Remediations
Website administrators are strongly advised to move to the following versions (or later) as soon as possible:
- Adobe Commerce 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
- Adobe Commerce Extended Support 2.4.3-ext-8, 2.4.2-ext-8, 2.4.1-ext-8, 2.4.0-ext-8, 2.3.7-p4-ext-8
- Magento Open Source 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
- Adobe Commerce Webhooks Plugin version 1.5.0
Sansec has provided a tool to check if impacted sites are vulnerable and an “emergency hotfix” has been released to block most CosmicSting attacks, with both available here.