CosmicSting Attacks Compromise Over 4,000 Adobe Commerce and Magento Stores

October 3, 2024

Adobe Commerce and Magento online stores are facing a wave of 'CosmicSting' attacks, with threat actors successfully compromising approximately 5% of all stores. These attacks take advantage of the CosmicSting vulnerability (CVE-2024-32102), a critical information disclosure flaw. When this vulnerability is exploited in conjunction with CVE-2024-2961, a security issue in glibc's iconv function, attackers can achieve remote code execution on the target server.

The attacks have been monitored by website security firm Sansec since June 2024. During this period, the company has observed 4,275 stores falling victim to CosmicSting attacks. High-profile victims of these attacks include well-known brands such as Whirlpool, Ray-Ban, National Geographic, Segway, and Cisco.

According to Sansec, multiple threat actors are involved in these attacks. Patching is not keeping pace with exploitation, so the number of compromised stores keeps rising. Sansec warns, "Sansec projects that more stores will get hacked in the coming months, as 75% of the Adobe Commerce & Magento install base hadn't patched when the automated scanning for secret encryption keys started."

When the CosmicSting vulnerability was disclosed, it was identified as one of the most severe threats to the e-commerce ecosystem. Sansec is currently tracking seven different threat groups that are exploiting CosmicSting to compromise unpatched sites. These groups, named 'Bobry,' 'Polyovki,' 'Surki,' 'Burunduki,' 'Ondatry,' 'Khomyaki,' and 'Belki,' are primarily motivated by financial gain, breaching sites to steal credit card and customer information.

These threat actors are using CosmicSting to steal Magento cryptographic keys, inject payment skimmers into order checkout webpages, and even compete with each other for control over vulnerable stores. The malicious scripts they use are often disguised as well-known JavaScript libraries or analytics packages.
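Because the injected skimmers masquerade as familiar libraries or analytics packages, a practical defensive check is to baseline the scripts a checkout page is supposed to carry and flag anything outside that baseline. The following is an added example, not Sansec's or Adobe's tooling: it parses a page's `<script>` tags, compares external script hosts against an allowlist, compares inline script bodies against a set of known SHA-256 hashes, and notes common obfuscation markers in any unbaselined inline block. The sample HTML, host names and hashes are constructed for the example.

```python
"""Baseline audit of <script> tags on a checkout page (added example).

Flags external scripts served from hosts not on an allowlist and inline
scripts whose SHA-256 hash is not in a known-good baseline. A skimmer
dropped into a checkout template shows up as either a new remote host
or a new inline block, regardless of what library it claims to be.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Strings that frequently appear in obfuscated payloads; presence is a
# signal to review, not proof of compromise.
OBFUSCATION_MARKERS = ("atob(", "eval(", "fromCharCode", "unescape(")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src= attributes
        self.inline = []     # text bodies of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands the raw <script> body to handle_data.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_scripts(html, allowed_hosts, baseline_inline_hashes):
    """Return a list of (kind, detail) findings for scripts outside the baseline."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        # urlparse handles protocol-relative "//host/x.js" as well as full URLs.
        host = urlparse(src).netloc.lower()
        # An empty netloc is a same-origin path; only remote hosts are checked here.
        if host and host not in allowed_hosts:
            findings.append(("unknown-host", src))
    for body in parser.inline:
        digest = sha256(body.strip())
        if digest in baseline_inline_hashes:
            continue
        findings.append(("unknown-inline", digest))
        for marker in OBFUSCATION_MARKERS:
            if marker in body:
                findings.append(("obfuscation-marker",
                                 f"{marker} in inline script {digest[:12]}"))
    return findings


# Constructed sample: two expected scripts, one expected inline config block,
# plus one unexpected remote script and one unexpected inline block.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/static/frontend/checkout.js"></script>
<script src="https://cdn.store.example/js/payment.js"></script>
<script>window.storeConfig = {"currency": "USD"};</script>
<script src="https://analytics-cdn.example/ga.js"></script>
<script>var k=atob("Y29uc3RydWN0ZWQ=");</script>
</head><body></body></html>"""

ALLOWED_HOSTS = {"cdn.store.example"}                                   # constructed
BASELINE_INLINE = {sha256('window.storeConfig = {"currency": "USD"};')}  # constructed

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS, BASELINE_INLINE):
        print(f"{kind:20} {detail}")
```

In practice the allowlist and inline-hash baseline are captured from a known-clean deployment and the audit is re-run on the live checkout page on a schedule, so that a newly injected script is noticed even when its file name imitates a legitimate library.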

Despite multiple warnings from Sansec, many of the compromised sites, including Ray-Ban, Whirlpool, National Geographic, and Segway, have not responded. Some of these sites, such as Segway and Whirlpool, appear to have since addressed the issue, while the status of the others remains uncertain.

In light of these attacks, website administrators are strongly advised to update their systems to the latest versions as soon as possible. Sansec has also provided a tool for site owners to check their vulnerability to CosmicSting attacks and has released an 'emergency hotfix' to block most of these attacks.
