Big brands among thousands infected by payment-card-stealing CosmicSting crooks

Updated Ray-Ban, National Geographic, Whirlpool, and Segway are among thousands of brands whose web stores were reportedly compromised by criminals exploiting the CosmicSting flaw in hope of stealing shoppers’ payment card info as they order stuff online.

CosmicSting is the name for a critical vulnerability, CVE-2024-34102, in Adobe’s Commerce and Magento software, and can be used to tamper with the pages of sites so that user data can be quietly siphoned.

At least seven cybercrime gangs are said to be behind the ongoing cyber-heists exploiting CosmicSting. Over the summer here in the northern hemisphere, the crooks managed to hit 4,275 merchants that use Commerce and Magento to run their online shops, eCommerce monitoring firm Sansec reported this week. That’s apparently five percent of all Adobe Commerce and Magento stores.

We’ve asked Sansec and the above-named victims for more details, including whether they’ve been able to patch their websites yet.

The Register spoke with Cisco last month, shortly after miscreants exploited CosmicSting to attack Switchzilla’s Magento-based merch site, and a spokesperson assured us the security weakness had been addressed. “Based on our investigation, the issue impacted only a limited number of site users, and those users have been notified,” the Cisco spokesperson said. “No credentials were compromised.”

For what it’s worth, CosmicSting can be exploited to steal not just card info, if available, but any information from a compromised site’s pages, such as customer login credentials and other data.

Adobe’s Commerce and Magento are widely used by online shopping sites, and thus attract crooks wanting to intercept and steal data from shoppers so that it can be used for fraud. Because of this, Magento-targeting exploits are collectively labeled Magecart attacks. Adobe Commerce is essentially powered by Magento, which the Photoshop giant bought in 2018 for $1.68 billion.

Getting down to details: CVE-2024-34102 is a 9.8-out-of-10 CVSS-rated unauthenticated XXE (XML External Entity) vulnerability that can be exploited to ultimately alter webpages served by vulnerable Adobe Commerce and Magento deployments.
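The vulnerability class named above is one an application can shut at the input boundary: an endpoint that accepts client-supplied XML almost never has a legitimate reason to accept a DTD, and entity declarations can only live inside one. The Python below is an added illustration, not Adobe’s, Magento’s, or Sansec’s code; it assumes an endpoint that never needs DOCTYPE declarations, and the sample documents are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# A DTD is the only place entity declarations (internal, external SYSTEM/PUBLIC,
# or parameter entities) can appear, so refusing any DOCTYPE closes the XXE
# class for an API that has no legitimate use for DTDs. The ENTITY and
# SYSTEM/PUBLIC checks are redundant with the DOCTYPE check but give richer
# telemetry about what a rejected request was trying to do.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_ENTITY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)
# Deliberately broad (fails closed): it also flags SYSTEM/PUBLIC in text nodes.
_EXTERNAL_RE = re.compile(r"\b(SYSTEM|PUBLIC)\s+[\"']", re.IGNORECASE)


def xxe_indicators(xml_text: str) -> list[str]:
    """Return the reasons a document would be rejected (empty list = clean)."""
    reasons = []
    if _DOCTYPE_RE.search(xml_text):
        reasons.append("DOCTYPE declaration present")
    if _ENTITY_RE.search(xml_text):
        reasons.append("ENTITY declaration present")
    if _EXTERNAL_RE.search(xml_text):
        reasons.append("external SYSTEM/PUBLIC identifier present")
    return reasons


def is_rejected(xml_text: str) -> bool:
    """True when the gate would refuse to parse the document."""
    return bool(xxe_indicators(xml_text))


def parse_untrusted_xml(xml_text: str) -> ET.Element:
    """Parse client-supplied XML only if it carries no DTD at all."""
    reasons = xxe_indicators(xml_text)
    if reasons:
        # Log `reasons` at the boundary; the caller sees a generic failure.
        raise ValueError("rejected XML: " + "; ".join(reasons))
    return ET.fromstring(xml_text)


# Constructed samples for the demonstration; the path is a placeholder.
BENIGN = "<order><sku>ABC-123</sku><qty>2</qty></order>"
HOSTILE = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY leak SYSTEM "file:///constructed/example.txt">]>'
    "<order><sku>&leak;</sku></order>"
)

if __name__ == "__main__":
    print("benign rejected:", is_rejected(BENIGN))    # False
    print("hostile rejected:", is_rejected(HOSTILE))  # True
```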

In the case of these aforementioned attacks, the crooks use CosmicSting to add malicious JavaScript to checkout pages to steal customers’ payment information as they type it in, or alter other pages to take other data. The flaw was discovered and reported by Sergey Temnikov.

CVE-2024-34102 can be optionally combined with the high-severity CVE-2024-2961 – a glibc buffer overflow that’s accessible on Linux from PHP – to achieve remote code execution on a vulnerable Commerce or Magento server host. That latter flaw can be used to install a backdoor on the machine for persistent access.

Adobe patched CVE-2024-34102 on June 11, but by then “automated attacks had already begun,” according to Sansec.

At least seven distinct groups are running “large scale” CosmicSting campaigns, in which they use the flaw to obtain secret Magento keys from installations to generate tokens that grant unrestricted access to the Magento API, allowing sites to be edited.

With Magecart attacks, the first criminals to compromise a site will usually block others from moving in on their turf. “However, the CosmicSting vulnerability prevents this, leading to multiple groups fighting for control over the same store and evicting each other again and again,” the Sansec forensics team noted.

In some cases, three different gangs were spotted squabbling over the same store, we’re told.

As part of its ongoing analysis, Sansec has collected different CosmicSting loaders, each associated with different infrastructure and data-stealing methods, and published a full list of attack indicators, which is worth checking out, especially if you operate an online Magento shop.

Despite the ongoing warnings, “Sansec projects that more stores will get hacked in the coming months,” the researchers wrote. ®

Updated to add at 2245 UTC

The Register heard back from Sansec and Ray-Ban post-publication, and it appears the online stores are taking steps to prevent more CosmicSting attacks.

For the most part, anyway.

The sunglasses slinger did not answer our questions, and instead gave us the usual “we take security very seriously” spiel. That said, according to Sansec, Ray-Ban did patch its systems on October 3.

“National Geographic still infected,” we’re told, while “the others fixed it in the last couple weeks after we notified them.”

Of the 4,275 merchants, about half removed the malware, we’re told. “However we cannot tell if they actually cycled their keys,” the researchers noted. “If not, they will likely get reinfected within days.”
