CosmicSting Attacks Compromise Over 4,000 Adobe Commerce and Magento Stores
October 3, 2024
Adobe Commerce and Magento online stores are facing a wave of 'CosmicSting' attacks, with threat actors having compromised roughly 5% of all stores. The attacks exploit the CosmicSting vulnerability (CVE-2024-34102), a critical XML external entity (XXE) injection flaw that lets an unauthenticated attacker read arbitrary files from the server, including app/etc/env.php, the configuration file that holds the store's secret encryption key. Chained with CVE-2024-2961, a buffer overflow in glibc's iconv library that is reachable from PHP, that file read can be turned into remote code execution on the target server.
The attacks have been monitored by website security firm Sansec since June 2024. During this period, the company has observed 4,275 stores falling victim to CosmicSting attacks. High-profile victims of these attacks include well-known brands such as Whirlpool, Ray-Ban, National Geographic, Segway, and Cisco.
According to Sansec, multiple threat actors are involved, and stores are being compromised faster than their operators are patching, so the number of hacked stores keeps rising. Sansec warns, "Sansec projects that more stores will get hacked in the coming months, as 75% of the Adobe Commerce & Magento install base hadn't patched when the automated scanning for secret encryption keys started."
When the CosmicSting vulnerability was disclosed, it was identified as one of the most severe threats to the e-commerce ecosystem. Sansec is currently tracking seven different threat groups that are exploiting CosmicSting to compromise unpatched sites. These groups, named 'Bobry,' 'Polyovki,' 'Surki,' 'Burunduki,' 'Ondatry,' 'Khomyaki,' and 'Belki,' are primarily motivated by financial gain, breaching sites to steal credit card and customer information.
These threat actors use CosmicSting to steal the store's cryptographic keys, inject payment skimmers into checkout pages, and even compete with each other for control of vulnerable stores. With the stolen encryption key an attacker can forge valid API authorization tokens and use the store's own API to plant the skimmer. The malicious scripts are typically disguised as well-known JavaScript libraries or analytics packages.
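A store owner who suspects a skimmer can start by inventorying the scripts on the checkout page. The following is an added example, not Sansec's detection logic or any Magento component: it parses a checkout page's `<script>` tags and flags scripts loaded from hosts the store does not normally use (noting when the file name mimics a known library or analytics package, the disguise described above) and inline scripts that decode a hidden string and evaluate it. The host allowlist, the marker lists and the sample HTML are constructed for this example.

```python
"""
Triage the <script> tags of a checkout page for signs of an injected skimmer.

Added example, not Sansec's detection logic or a Magento component. The host
allowlist, the marker lists and the sample HTML below are constructed.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hosts this (hypothetical) store legitimately loads scripts from. In practice
# build this from a known-good crawl of the page, not from memory.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "static.shop.example", "www.googletagmanager.com"}

# Library / vendor names that skimmer files are commonly named after.
LOOKALIKE_NAMES = ("jquery", "gtag", "analytics", "googletag", "bootstrap", "polyfill")

# Two or more of these in one inline script is characteristic of a loader that
# decodes and evaluates hidden code; a single occurrence is common in benign code.
OBFUSCATION_MARKERS = ("atob(", "String.fromCharCode", "unescape(", "eval(", "Function(")


class _ScriptCollector(HTMLParser):
    """Collect every <script> with its src attribute and inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, Optional[str]]] = []
        self._current: Optional[Dict[str, Optional[str]]] = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so this is the JS text.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def triage_scripts(html: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> List[Dict]:
    """Return findings in document order; an empty list means nothing stood out."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings: List[Dict] = []
    for script in parser.scripts:
        src = script["src"]
        if src:
            parsed = urlparse(src)
            host = parsed.hostname  # None for relative and root-relative paths (same origin)
            if host is None or host in allowed_hosts:
                continue
            findings.append({
                "kind": "external-src",
                "src": src,
                "host": host,
                # A known library's file name on an unknown host is the disguise to look for.
                "lookalike": any(name in parsed.path.lower() for name in LOOKALIKE_NAMES),
            })
        else:
            body = script["body"]
            hits = [m for m in OBFUSCATION_MARKERS if m in body]
            if len(hits) >= 2:
                findings.append({"kind": "obfuscated-inline", "markers": hits,
                                 "snippet": body.strip()[:60]})
    return findings


# Constructed checkout page: a first-party script, an allowed tag-manager script,
# a look-alike "jquery" from an unknown host, a decode-and-eval loader, and one
# benign inline snippet.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/frontend/jquery.min.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://cdn.jquery-analytics.example/jquery.min.js"></script>
<script>var p=atob("ZG9jdW1lbnQuZm9ybXM=");eval(p);</script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding in triage_scripts(SAMPLE_CHECKOUT_HTML):
        print(finding)
```

Run against the constructed page, the script reports the look-alike `jquery.min.js` from `cdn.jquery-analytics.example` and the `atob`/`eval` loader, and stays silent on the first-party and allowlisted scripts. Anything it flags still needs a human to diff the script against the store's deployed code; the check is a triage aid, not proof of compromise.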
Despite multiple warnings from Sansec, several of the compromised brands, including Ray-Ban, Whirlpool, National Geographic, and Segway, did not respond to requests for comment. Segway and Whirlpool appear to have since cleaned up their sites; the status of the others remains uncertain.
In light of these attacks, website administrators are strongly advised to update to the patched releases as soon as possible. Because the attackers' first step is to steal the store's encryption key, patching alone is not enough for a store that was exposed before the update: the key in app/etc/env.php must also be rotated, otherwise tokens forged with the stolen key remain valid against the patched store. Sansec has also published a tool with which site owners can check whether their store is vulnerable to CosmicSting, and has released an 'emergency hotfix' that blocks most of these attacks.
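The first thing to confirm is that the running release actually contains the fix. The following is an added example, not Sansec's checker or Adobe's tooling: it compares a Magento version string (or the output line of `bin/magento --version`) against the fixed releases Adobe listed in security bulletin APSB24-40, which also names 2.4.7 and earlier as affected. The parsing and the sample inputs are this example's own. The point it makes that a naive check misses is that the `-pN` patch level has to be compared numerically: as strings, "2.4.6-p10" sorts before "2.4.6-p6".

```python
"""
Check whether a Magento / Adobe Commerce version string already contains the
CosmicSting (CVE-2024-34102) fix.

Added example, not Sansec's checker or Adobe's tooling. Fixed releases are those
listed in Adobe bulletin APSB24-40; the parsing and samples are this example's own.
"""
import re
from typing import Tuple

# Release line -> first patch release that contains the fix (APSB24-40).
FIXED_VERSIONS = {
    (2, 4, 7): "2.4.7-p1",
    (2, 4, 6): "2.4.6-p6",
    (2, 4, 5): "2.4.5-p8",
    (2, 4, 4): "2.4.4-p9",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Extract (major, minor, patch, p-level) from a bare version or a CLI line
    such as 'Magento CLI 2.4.6-p5'. A missing -pN suffix counts as p-level 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Magento version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel) if plevel else 0)


def is_patched(text: str) -> bool:
    """True if the version is at or above its release line's fixed release.
    Tuples compare element-wise, so p10 > p6 is handled correctly."""
    version = parse_version(text)
    line = version[:3]
    if line > max(FIXED_VERSIONS):
        return True   # release line newer than any in the bulletin: shipped after the fix
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        return False  # older, out-of-support line: affected, and no fix was issued for it
    return version >= parse_version(fixed)


def describe(text: str) -> str:
    """One-line verdict for an operator, including the next action."""
    version = parse_version(text)
    label = "%d.%d.%d" % version[:3] + (f"-p{version[3]}" if version[3] else "")
    if is_patched(text):
        return (f"{label}: contains the CosmicSting fix "
                "(still rotate the encryption key if the store was exposed before patching)")
    fixed = FIXED_VERSIONS.get(version[:3])
    if fixed:
        return f"{label}: VULNERABLE, upgrade to {fixed} or later"
    return f"{label}: VULNERABLE, release line has no fix; upgrade to a supported line"


if __name__ == "__main__":
    # Constructed sample inputs covering the patch-level edge cases.
    for sample in ("Magento CLI 2.4.6-p5", "2.4.6-p10", "2.4.7", "2.4.7-p1", "2.4.3-p3"):
        print(describe(sample))
```

A passing verdict here only says the code on disk is fixed; it says nothing about whether the key was already stolen, which is why the patched-verdict line still points at key rotation.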