CosmicSting (CVE-2024-34102) Vulnerability Under Active Exploitation

In a concerning development for e-commerce security, threat actors are actively exploiting a critical vulnerability in Adobe Commerce and Magento platforms, dubbed “CosmicSting”. Even though the vulnerability was detected earlier, the market saw a wave of attacks targeting online stores globally.

You can protect your business from the dangers lurking in the hidden corners of the internet. SOCRadar’s Advanced Dark Web Monitoring feature offers real-time monitoring capabilities, tracking Personal Identifiable Information (PII) exposures, and identifying threat actors and malicious activities. You will know if threat actors are talking about you.

SOCRadar Advanced Dark Web Monitoring service

Understanding the Threat

The vulnerability affects multiple versions of Adobe Commerce, including:
– Version 2.4.7 and earlier
– Version 2.4.6-p5 and earlier
– Version 2.4.5-p7 and earlier
– Version 2.4.4-p8 and earlier

According to findings by Sansec, threat actors are compromising stores at an alarming rate of 3-5 per hour. The attack vector is particularly concerning as it requires no user interaction, making it highly dangerous for unprotected systems.

The situation has escalated rapidly since Adobe’s initial disclosure. Within just 15 days, mass scanning operations were launched, targeting Adobe Commerce stores worldwide. Of particular concern is that any store that failed to upgrade before June 25th likely had its secret keys compromised, leaving them vulnerable to ongoing attacks.

CosmicSting refers to CVE-2024-34102, which is a vulnerability in Adobe Commerce and Magento software that allows for page manipulation and stealthy user data exfiltration.

Understanding the current cyber landscape is key to strengthening your defenses. With SOCRadar’s Vulnerability Intelligence, gain valuable insights into which vulnerabilities are being actively exploited.

SOCRadar Vulnerability Intelligence

According to NVD, Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier are affected by an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

The ongoing cyber-heists that take advantage of CosmicSting are allegedly being carried out by at least seven cybercrime organizations. According to recent research released by Sansec, 4,275 merchants that use Commerce and Magento to handle their online stores were targeted by threat actors throughout the course of the summer.

Apparently, that represents 5% of all Magento and Adobe Commerce stores which ended up with a payment skimmer on their checkout page, despite the ongoing warnings.

According to Sansec, thousands of private crypto keys had been taken, and automated attacks had already started when Adobe rated the threat as critical on July 8. The stores were susceptible to illegal alterations because the secret keys were not automatically expired when the stores changed their systems. Adobe published instructions on how to manually delete outdated keys, but not everyone followed them.

Mitigation Strategies for CosmicSting

It is highly recommended that stores update to the most recent version of Adobe Commerce or Magento. They should also rotate secret encryption keys and ensure that old keys are invalid. You can visit here for complete instructions.

SOCRadar’s Attack Surface Management (ASM) module identifies exposed digital assets, helping you understand potential entry points and gain critical insights for patch management. Continuously monitor for risks and take proactive measures to reduce your attack surface.