Cisco Merchandise Store Compromised by Hackers Using Malicious JavaScript

September 4, 2024

Cisco's online merchandise store, which sells company-themed items, has been compromised by hackers who injected malicious JavaScript code into the site. The code was designed to steal sensitive customer details during the checkout process. The exact method by which the malicious JavaScript was introduced to Cisco's store remains unknown, but anonymous researchers suggest it was a CosmicSting attack (CVE-2024-34102).

The Cisco Merchandise Store, a gift shop that offers Cisco-branded items such as apparel and accessories, is currently offline and undergoing maintenance. Cisco stores across the U.S., Europe, and Asia Pacific, Japan and China (APJC) are all unavailable at this time.

The malicious JavaScript was delivered from the domain rextension.[net], which was registered on August 30, just two days prior to the discovery of the attack. This suggests the breach likely occurred over the weekend. The script is heavily obfuscated and designed to collect data entered during the checkout process, including all required credit card details for online payments.

Further analysis of the deobfuscated script revealed that it is also capable of stealing additional information such as postal addresses, phone numbers, email addresses, and user login credentials. The researchers who discovered the attack believe the threat actor likely exploited the CosmicSting vulnerability (CVE-2024-34102) to insert the malicious JavaScript into Cisco's store.

CosmicSting is a severe security flaw affecting the Adobe Commerce (Magento) shopping platform. It is an XML external entity injection (XXE) vulnerability that enables an attacker to access private data. In a CosmicSting attack, the attacker's goal is to inject HTML or JavaScript code into CMS blocks that are rendered in the checkout process, as explained by Willem de Groot, founder and architect at Sansec.
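Because the injected code lives in CMS block content, a store operator can review that content for script elements that should not be there. The following is an added example, not code from Sansec, Adobe or the researchers: it assumes blocks have been exported as `{identifier, content}` records, and the origin, allowlist and sample blocks are constructed values.

```javascript
// Added example: flag <script> elements in CMS block HTML that load from
// hosts outside an allowlist, or that carry inline code.
// SITE_ORIGIN, the allowlist and SAMPLE_BLOCKS are constructed values.
const SITE_ORIGIN = "https://shop.example.com";
const ALLOWED_SCRIPT_HOSTS = new Set(["shop.example.com", "cdn.example.com"]);

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_RE = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function auditBlock(block) {
  const findings = [];
  for (const [, attrs, body] of block.content.matchAll(SCRIPT_RE)) {
    const src = SRC_RE.exec(attrs);
    if (src) {
      const raw = src[1] ?? src[2] ?? src[3];
      try {
        // Resolves relative and protocol-relative URLs against the store origin.
        const host = new URL(raw, SITE_ORIGIN).hostname.toLowerCase();
        if (!ALLOWED_SCRIPT_HOSTS.has(host)) {
          findings.push({ block: block.identifier, type: "external-script", detail: host });
        }
      } catch {
        findings.push({ block: block.identifier, type: "unparseable-src", detail: raw });
      }
    } else if (body.trim() !== "") {
      findings.push({ block: block.identifier, type: "inline-script", detail: body.trim().length });
    }
  }
  return findings;
}

function auditBlocks(blocks) {
  return blocks.flatMap(auditBlock);
}

// Constructed sample: four blocks as they might be exported for review.
const SAMPLE_BLOCKS = [
  { identifier: "checkout_footer", content: '<p>Free returns</p><script src="/static/js/promo.js"></script>' },
  { identifier: "checkout_banner", content: '<div>Sale</div><script src="//skimmer.example.net/lib.js"></script>' },
  { identifier: "shipping_note", content: "<p>Ships in 2 days</p><script>var a = 1;</script>" },
  { identifier: "size_chart", content: "<script src='https://cdn.example.com/chart.js'></script>" },
];

for (const f of auditBlocks(SAMPLE_BLOCKS)) {
  console.log(`${f.block}: ${f.type} (${f.detail})`);
}
```

Inline scripts are reported for review rather than treated as malicious, since a store may use them legitimately; comparing findings against a known-good baseline of block content narrows the list.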

While the Cisco store is predominantly used by employees purchasing merchandise for personal use or as gifts, the malicious script could potentially allow the attackers to collect Cisco employee credentials. Cisco was contacted for comment regarding the attack, but no response had been received at the time of publishing.
