2 October 2024

Cybercriminals hack 5% of Adobe Commerce and Magento stores in CosmicSting attack

Nearly 5% of all Adobe Commerce and Magento stores have fallen victim to a malicious campaign dubbed "CosmicSting," according to a new report from Dutch cybersecurity firm Sansec. Among the victims are well-known brands such as Ray-Ban, National Geographic, Cisco, Whirlpool, and Segway. This widespread attack, targeting thousands of e-commerce platforms, has compromised sensitive customer data and infected checkout pages with payment skimming malware.

Sansec identified seven distinct hacker groups that have been exploiting the CosmicSting XML External Entity injection vulnerability (CVE-2024-34102) to infiltrate 4,275 online stores since June 2024.

On July 8, Adobe issued a critical severity rating for the CosmicSting vulnerability, urging online retailers to update their systems. However, automated attacks had already begun, and many stores had already been compromised. Even after merchants updated their platforms, existing secret cryptographic keys were not automatically invalidated, which left stores exposed to unauthorized access.

Adobe released a detailed guide on how to manually remove old secret cryptographic keys to close the vulnerability.

The attackers have leveraged these stolen cryptographic keys to generate API authorization tokens, allowing them to access sensitive customer data and modify store functionality. One of their primary tactics has been injecting payment skimmers into the checkout process, specifically through ‘CMS blocks’ in the Magento platform.

Sansec researchers discovered that attackers were using the Magento REST API to carry out these modifications, enabling them to insert malicious scripts that intercepted payment information. In some cases, multiple hacker groups targeted the same store simultaneously.
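The CMS-block injection described above suggests a simple defensive audit: pull the store's CMS blocks through the same REST API (`GET /rest/V1/cmsBlock/search`) and flag any block that loads a script from an untrusted host, carries an inline script with obfuscation primitives, or embeds event handlers or iframes. The function below is an added example, not code from Sansec or Adobe; the JSON sample is constructed, and the `trusted_hosts` allow-list is an assumption you would fill with your own storefront and CDN hostnames.

```python
import json
import re
from urllib.parse import urlparse

# Traces a skimmer injected into a CMS block typically leaves behind.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"\son(load|error|click|mouseover)\s*=", re.IGNORECASE)
OBFUSCATION = re.compile(r"\b(eval|atob|unescape|String\.fromCharCode)\s*\(", re.IGNORECASE)

# Constructed stand-in for the JSON body of GET /rest/V1/cmsBlock/search;
# the 'items', 'identifier' and 'content' fields follow Magento's CMS block API.
SAMPLE_RESPONSE = json.dumps({"items": [
    {"block_id": 1, "identifier": "footer_links", "active": True,
     "content": '<ul><li><a href="/contact">Contact</a></li></ul>'},
    {"block_id": 2, "identifier": "checkout_banner", "active": True,
     "content": '<p>Free shipping</p><script src="//cdn.example.invalid/s.js"></script>'},
    {"block_id": 3, "identifier": "checkout_footer", "active": True,
     "content": '<div onload="x()"></div><script>eval(atob("..."))</script>'},
    {"block_id": 4, "identifier": "home_hero", "active": True,
     "content": '<script src="https://shop.example.com/js/hero.js"></script>'},
], "total_count": 4})


def audit_cms_blocks(response_text, trusted_hosts):
    """Return (identifier, reason) pairs for CMS blocks that look tampered with.

    response_text is the JSON body returned by the cmsBlock/search endpoint;
    trusted_hosts is the set of hostnames the store legitimately loads scripts from.
    """
    findings = []
    for block in json.loads(response_text).get("items", []):
        ident = block.get("identifier", str(block.get("block_id")))
        content = block.get("content") or ""
        for attrs, body in SCRIPT_TAG.findall(content):
            src = SRC_ATTR.search(attrs)
            if src:
                # Protocol-relative and absolute URLs both yield a hostname; relative paths do not.
                host = urlparse(src.group(1)).hostname or ""
                if host and host not in trusted_hosts:
                    findings.append((ident, f"external script from {host}"))
            elif OBFUSCATION.search(body):
                findings.append((ident, "inline script uses obfuscation primitives"))
            else:
                findings.append((ident, "inline script in CMS block"))
        if EVENT_HANDLER.search(content):
            findings.append((ident, "inline event handler attribute"))
        if "<iframe" in content.lower():
            findings.append((ident, "iframe in CMS block"))
    return findings


if __name__ == "__main__":
    for ident, reason in audit_cms_blocks(SAMPLE_RESPONSE, {"shop.example.com"}):
        print(f"{ident}: {reason}")
```

Run it against a live store by replacing `SAMPLE_RESPONSE` with the body of an authenticated request to the endpoint, and treat any finding on a checkout-related block as a priority for investigation.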
