4,387 Online Merchants Compromised, Including Cisco and National Geographic Stores

Thousands of online stores running Adobe Commerce and Magento software have been hacked starting this summer and infected with digital payment skimmers.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

Attackers have been exploiting now-patched flaws in both software platforms tracked as CVE-2024-34102, aka CosmicSting, to steal credentials, said Sansec, an Amsterdam firm that helps merchants secure their online stores (see: E-Commerce Shops: 12% Are Publicly Exposing Private Backups).

When combined with another now-patched flaw in the software - tracked as CVE-2024-2961 - attackers can also "run code directly on your servers and use that to install backdoors," it said.

Sansec data showed that as of Tuesday, 5% of all Adobe Commerce and Magento Stores - comprising more than 4,300 victims - have been exploited using CosmicSting. High-profile victims of CosmicSting include Cisco, National Geographic, Ray Ban, Segway and Whirlpool.

"Even sites that have patched can still be vulnerable if they haven't manually invalidated their secret crypt keys," said Willem de Groot, founder and director of threat research at Sansec.

At least seven different groups or criminals since June 23 have used CosmicSting to collectively hack 4,387 online merchants' Adobe Commerce and Magento shops, Sansec said. The company has notified compromised merchants and shared remediation instructions.

Adobe Commerce and the PHP-coded Magento open source e-commerce platform on which it's based - Adobe bought Magento in 2018 for $1.7 billion - are collectively among the most popular types of software for running online stores, with more than 130,000 live instances collectively processing an estimated $155 billion in transactions annually.

Automated, mass hacks by CosmicSting-wielding attackers began July 12, when Sansec recorded three to five online stores getting hacked per hour. "The rate has slowed to about one to two per hour in the last seven days," de Groot told Information Security Media Group.

"Each group uses CosmicSting attacks to steal secret Magento cryptographic keys," Sansec said. "This key is then used to generate an API authorization token, enabling the attacker to access private customer data and insert payment skimmers into the checkout process through 'CMS blocks.'" The firm warned that the tranche of keys stolen - many in the July mass attacks - can continue to be used until organizations forcibly invalidate them.

Attackers regularly seek to subvert e-commerce software platforms by finding vulnerabilities or misconfigurations that allow them to inject malicious software known as payment skimmers or digital skimmers that's designed to quietly steal payment card data and other sensitive customer information.

Some victims have been hacked multiple times. "Usually, the first hacker to break into a site will secure it to keep others out," Sansec said. "The CosmicSting vulnerability prevents this, leading to multiple groups fighting for control over the same store and evicting each other again and again."

Of the at least seven different groups exploiting CosmicSting using automated tools, one that Sansec tracks as "Ondatry" has a history of customizing its malware to make it appear to be a piece of legitimate merchant software. It appears to have hacked 623 stores, many of which are "larger merchants with multiple country stores," Sansec said. "Stolen data is usually exfiltrated to compromised smaller stores, that presumably proxy the data to the final destination."

Security researcher Sergey Temnikov discovered CosmicSting and submitted it to bug bounty program HackerOne on Dec. 20, 2023, which alerted Adobe on Jan. 8. The company awarded Temnikov $9,000 as a bug bounty on May 21.

On June 11, Adobe released a security update that fixes the flaw in multiple versions of Adobe Commerce, including version 2.4.7 and earlier, and Magento Open Source - on which the former is based - as well as Adobe Commerce Webhooks Plugin. At the time, Adobe said that the vulnerability "has been exploited in the wild in limited attacks targeting Adobe Commerce merchants."

Adobe said the flaw has a CVSS score of 9.8 out of 10, making it "critical," and that attackers need no authentication or admin-level privileges to exploit the vulnerability. "An attacker could exploit this vulnerability by sending a crafted XML document that references external entities," said the U.S. National Vulnerability Database. "Exploitation of this issue does not require user interaction."

One week post-patch, on June 18, Sansec counted only a quarter of vulnerable Adobe Commerce stores having yet installed the security fix. The firm also warned users to be sure to "rotate your crypt keys" after upgrading, since "secrets encrypted with the old key are not automatically re-encrypted with the new key," meaning "the stolen encryption key still allows attackers to generate web tokens even after upgrading."

For users who couldn't immediately update to a new version of the software, Adobe on June 27 released a stand-alone patch they could temporarily install. On Aug. 21, Adobe released a hotfix to help disable all old encryption keys, which attackers could otherwise continue to exploit.

Unfortunately, that process - while detailed by Adobe - "is a complex and error-prone task," de Groot said. "We can't tell if people have actually done that, but we suspect that many keys have been stolen and not invalidated yet."