• Blog
  • Magecart & Web-skimming
  • CosmicSting – Magecart Attacks are Back

CosmicSting – Magecart Attacks are Back

Onn Nir

Onn Nir

Content Manager

  • October 20, 2024
  • 4 min read
  • October 20, 2024
  • 4 min read
cosmicsting: magecart attacks are back
Share article
twitter linkedin medium facebook

Since the summer (here in the northern hemisphere), seven or more attacker groups have been busy exploiting vulnerabilities in Adobe Commerce and Magento-powered stores to steal customer credentials. These now-patched exploits (rated 9.8 out of 10 for severity by CVSS) have been tracked as CVE-2024-34102, but they are better known by the name CosmicSting.

Commerce and Magento are in widespread use among online shopping sites, which is why so many crooks are keen to snag their shoppers’ data and defraud them. Magento pretty much powers Adobe Commerce and these targeted exploits of Magento-based stores are collectively known as Magecart attacks. Adobe paid $1.68 billion for Magento in 2018 and might be forgiven for wondering whether it was worth it, given the persistence of attacks against it.

Here are the affected products:

  • Adobe Commerce 2.4.7 and earlier, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
  • Adobe Commerce Extended Support 2.4.3-ext-7 and earlier, 2.4.2-ext-7 and earlier, 2.4.1-ext-7 and earlier, 2.4.0-ext-7 and earlier, 2.3.7-p4-ext-7 and earlier.
  • Magento Open Source 2.4.7 and earlier, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
  • Adobe Commerce Webhooks Plugin versions 1.2.0 to 1.4.0

Web security firm Sansec has been following this outbreak since it was discovered in June 2024 and it reports that it’s affected an astonishing 5% of all stores worldwide, with 4,275 breached so far. Big-name victims include Whirlpool, Ray-Ban, National Geographic, Segway, and Cisco. However, victims of all sizes may have something else to contend with too. Adding insult to injury, bad actors have also been piggybacking another attack, tracked as CVE-2024-2961 (also since patched) to run code directly on retailers’ servers and use it to install backdoors for ongoing access.

Always patch early

The reason why so many stores have been affected is that despite Adobe issuing a critical severity rating on July 8, thousands of secret encrypted keys had already been stolen via automated attacks. When merchants updated their systems, these keys were not automatically invalidated, so their stores could be tampered with by unauthorized parties. Adobe did put out a guide explaining how merchants could remove their old keys manually, but not all of them did so.

Other companies that want to avoid the same fate should be patching these vulnerabilities, but many aren’t responding quickly enough. Their tardiness has been noticed and partly explains why multiple threat actors have joined in for the feeding frenzy. CosmicSting campaigns use the flaw to grab secret Magento keys from installations and use them to generate tokens. These tokens give attackers unfettered access to the Magento API, and they are then free to make unauthorized changes to sites.

With Magecart attacks, it’s usually the case that whichever criminal manages to breach the site’s security first, they will lock out others so they can’t do the same. But Sansec’s forensic team said that the CosmicSting vulnerability doesn’t let them do this, which has led to, “…numerous groups fighting for control over the same store and evicting each other again and again.”

Sansec is fully expecting more stores to be hacked in the months ahead because “…as many as 75% of the Adobe Commerce and Magento install base hadn’t patched when the automated scanning for secret encryption keys started.”

Mitigation

Online merchants should upgrade to the latest version of Magento or Adobe Commerce without delay. They should also make sure that they rotate their secret encryption keys and make sure that their old keys are invalidated. They should also use robust malware detection software, and since Reflectiz is uniquely capable of discovering and neutralizing Magecart-style attacks, it should definitely be at the forefront of their defenses.

Conclusion

CosmicSting is a mass-hacking event that’s still unfolding in real time, which highlights the need for merchants to use server-side malware and vulnerability monitors combined with web threat management solutions like Reflectiz. Sign up today to keep your e-commerce store safe.

Subscribe to our newsletter

Stay updated with the latest news, articles, and insights from Reflectiz.

Related Articles

Is The TikTok Ban A Blow To Free Speech?
  • December 11, 2024
  • 7 min read

Is The TikTok Ban A Blow To Free Speech?

Year in Review: The Most Significant Cyberattacks of 2024
  • December 2, 2024
  • 8 min read

Year in Review: The Most Significant Cyberattacks of 2024

TikTok Pixel Privacy Nightmare: A New Case Study
  • November 25, 2024
  • 5 min read

TikTok Pixel Privacy Nightmare: A New Case Study

Open Source Security – Risks and Best Practices
  • November 18, 2024
  • 11 min read

Open Source Security – Risks and Best Practices

Your Website looks great!

But what’s happening behind the scenes?

Discover your website blind spots and vulnerabilities before it’s too late!

Try for free
linkedin twitter

All rights reserved 2024 © Reflectiz

Book a Demo

Book a Demo