CosmicSting Chaos: The Tale of a Bug that Took Adobe Commerce by Storm

In the wild west of cybersecurity, where every day feels like a new threat is lurking behind your latest software update, CosmicSting (CVE-2024-34102) has made its mark—big time. If you’re an Adobe Commerce or Magento merchant, you might want to sit down for this one because what you don’t know about CosmicSting might already be draining your bank account or exposing your customers’ data. (Fun, right?)

This beast of a bug, also known as CVE-2024-34102, started rearing its ugly head back in June 2024, and since then, it has grown into a full-blown crisis. How big? Try thousands of online stores hacked, major brand names compromised, and a motley crew of cybercriminal groups battling each other for dominance over hijacked websites. It’s the kind of high-stakes drama that should be reserved for action films, except this is the real world, and it’s your business on the line.

Credit where credit’s due—shout out to the folks at Sansec for sounding the alarm on this one. Their deep dive into the carnage left behind by CosmicSting gives us a front-row seat to the mayhem. If you haven’t read it yet, do yourself a favor and check out Sansec’s full report on the CosmicSting attack. Spoiler alert: it’s not pretty, but it’s essential reading if you want to survive this storm.

Now, let’s dig deeper into how CosmicSting came to wreak havoc and what you can do to stop it from burning down your digital empire.

The Cosmic Sting: Not Just Another Vulnerability

So, what exactly is CosmicSting? In short, it’s a critical vulnerability that allows attackers to access files on your Adobe Commerce or Magento servers. Specifically, it lets them read sensitive data like your encryption keys from a file called env.php. Once they’ve got their grubby hands on that key, they can manipulate your CMS blocks through the Magento API, inject malicious JavaScript, and essentially take over your website. Think of it as handing them the keys to your entire kingdom. They don’t even have to break a sweat.

The scale of the attack is unprecedented. According to Sansec’s research, merchants were getting hacked at a rate of three to five stores per hour during the height of the CosmicSting attack campaign. It’s like a cybercrime bonanza out there, with your data as the grand prize.

Who’s at Risk?

Anyone running Adobe Commerce or Magento versions below 2.4.7—or more specifically, any store that hasn’t patched up by June 25th, 2024—is at risk. If that’s you, it’s time to face the music. Even if you updated after that fateful date, there’s still a strong chance that your old cryptographic keys were stolen. Those keys need to be rotated (like, now) because hackers could still use them to wreak havoc on your store.

CosmicSting has been rated with a CVSS score of 9.8 out of 10, making it a near-catastrophic bug. If that number doesn’t send shivers down your spine, I don’t know what will.

Multiple Attackers, One Big Mess

Here’s where things get especially interesting—if by “interesting” you mean “downright terrifying.” CosmicSting isn’t just a one-and-done attack where a single hacker gets in and wrecks your site. No, this is the kind of bug that attracts attention from multiple cybercrime groups. Sansec identified at least seven distinct groups running large-scale campaigns using CosmicSting. And they’re not exactly playing nice with each other.

In fact, the CosmicSting vulnerability is so juicy that rival cybercriminals are fighting for control over infected stores. Sometimes, as many as three different groups are battling it out on the same site, repeatedly evicting each other like rival gangs fighting over territory. Your store, in this scenario, is their battleground. And who loses? You and your customers.

Meet the Gangs

Each of the seven groups exploiting CosmicSting has its own unique attack method, and while they may be different in execution, their goals are the same—profit from your pain. Here’s a quick rundown of the players:

  1. Group Ondatry: Known for targeting high-profile stores, Ondatry customizes their malware to integrate seamlessly with the victim’s payment solution. Whether it’s PayPal, MultiSafePay, or another service, they’ve got you covered (or, more accurately, they’ve got you compromised). If you’re running a large multi-country operation, you’re their ideal target.
  2. Group Polyovki: These guys are less sophisticated but highly prolific. They’ve managed to infect over 650 stores using a simple script injection from cdnstatics.net. If you’ve ever shopped at Ray-Ban or similar retailers, you’ve likely been served a Polyovki special.
  3. Group Bobry: Experts in hiding in plain sight, Bobry uses whitespace encoding to inject malware that’s nearly impossible to detect visually. They convert invisible Unicode characters into executable JavaScript—sneaky, right? It’s like they’ve mastered the art of being there but not being seen.
  4. Group Burunduki: Real-time data interception is Burunduki’s game. They use custom websocket sniffers to read dynamic skimmer code from your checkout pages. Real-time, real dangerous.
  5. Group Surki: These attackers have a flair for the cryptic, using the number 42 and XOR encoding for their payloads. Their malware delivery methods are quirky, to say the least, but no less destructive.
  6. Group Khomyaki: Minimalist and brutal, Khomyaki’s attacks revolve around two-character URIs like app.chwine.dev/us/ and cdn.myshopper.io/bo/. If you notice odd paths like these in your server logs, it’s probably too late.
  7. Group Belki: Belki is arguably the most dangerous of the lot, leveraging both CosmicSting and the CNEXT vulnerability (CVE-2024-2961) to execute remote code on your server. Backdoors with names like [slub_flushwq] and [netns]? Yeah, that’s Belki.

The Timeline of Destruction

The saga of CosmicSting began on June 11th, 2024, when Adobe first released a patch to fix the vulnerability. At the time, the severity of the bug was rated relatively low. Unfortunately, by June 23rd, the internet was flooded with reports of mass CosmicSting attacks. Hackers weren’t just taking advantage of the vulnerability—they were automating their attacks. Within days, over 4,275 stores were compromised.

By June 26th, exploit kits had made their way to GitHub, further fueling the chaos. But the real kicker? Even after merchants began patching their systems, many failed to rotate their cryptographic keys. This left them exposed to ongoing attacks, even with the updates in place.

How to Protect Yourself

Now that we’ve sufficiently scared you, let’s talk about how to avoid becoming the next victim of CosmicSting. The good news? There are steps you can take to protect your store, but they require immediate action.

  1. Patch Like You Mean It: Seriously, if you haven’t already updated to the latest version of Adobe Commerce or Magento, stop what you’re doing and do it right now. Here’s the patch you need from Adobe. Don’t procrastinate—this is one update you can’t afford to skip.
  2. Rotate Your Cryptographic Keys: It’s not enough to just update your software. You also need to rotate your cryptographic keys and invalidate the old ones. If you skip this step, you’re still leaving the door wide open for attackers.
  3. Monitor for Malicious Scripts: Keep an eye out for unauthorized JavaScript on your site by implementing a Content Security Policy (CSP) monitoring tool. Sansec Watch is a great option—it’s free, integrates well with Magento, and might just save your store.
  4. Block the CMS Block API: As a short-term fix, you can block access to the CMS Block API. This will prevent attackers from updating CMS blocks with malicious code, but it’s only a temporary measure. Long-term, you’ll need a full system update and key rotation.
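As an added example (not from this post, Sansec, or Adobe), here is a small audit that checks CMS block content for the two injection signals described above: a script tag loading from a host outside your allowlist (the Polyovki-style loader) and an inline script padded with invisible Unicode characters (the Bobry whitespace trick). The allowlist, the assumed `{"items": [...]}` shape of a saved `GET /V1/cmsBlock/search` response, and the sample blocks are all constructed for the example.

```python
import json
import re
from urllib.parse import urlparse

# Hosts that may legitimately serve scripts on this store (constructed allowlist for the example).
ALLOWED_SCRIPT_HOSTS = {"store.example", "cdn.store.example"}

# Zero-width and other invisible code points; a run of these inside a <script> is the
# "whitespace encoding" trick the post attributes to Group Bobry.
INVISIBLE_RE = re.compile(r"[\u00ad\u200b-\u200f\u2060-\u2064\ufeff]")
INVISIBLE_THRESHOLD = 8

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def script_host(src):
    """Hostname of a script src; None for same-origin relative paths."""
    if src.startswith("//"):
        src = "https:" + src  # protocol-relative URL
    return urlparse(src).hostname


def audit_block(block):
    """Return [(block_identifier, reason)] for one CMS block dict from the REST API."""
    findings = []
    ident = block.get("identifier", "?")
    for attrs, body in SCRIPT_RE.findall(block.get("content") or ""):
        m = SRC_RE.search(attrs)
        if m:
            host = script_host(m.group(1))
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                findings.append((ident, f"external script host not allowlisted: {host}"))
        hidden = len(INVISIBLE_RE.findall(body))
        if hidden >= INVISIBLE_THRESHOLD:
            findings.append((ident, f"{hidden} invisible Unicode characters in inline script"))
    return findings


def audit_blocks(json_text):
    """Audit a saved search response; assumed shape is {"items": [block, ...]}."""
    return [f for b in json.loads(json_text)["items"] for f in audit_block(b)]


# Constructed sample response: one clean block, one injected loader, one hidden payload.
SAMPLE_JSON = json.dumps({"items": [
    {"identifier": "promo_banner", "content": "<div><p>Free shipping over $50</p></div>"},
    {"identifier": "footer_links",
     "content": "<ul><li>About</li></ul><script src=\"https://cdnstatics.net/lib.js\"></script>"},
    {"identifier": "header_promo", "content": "<script>" + "\u200b\u200c\u200d\ufeff" * 4 + "</script>"},
]})

if __name__ == "__main__":
    for ident, reason in audit_blocks(SAMPLE_JSON):
        print(f"{ident}: {reason}")
```

Run it against a dump of your real blocks after patching and key rotation; any hit is a block to restore from a known-good copy, not just to edit.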

FAQs

What is CosmicSting?

CosmicSting (CVE-2024-34102) is a critical vulnerability in Adobe Commerce and Magento that allows attackers to steal cryptographic keys, modify CMS blocks, and inject malicious JavaScript into stores.

How are attackers exploiting CosmicSting?

Attackers use the CosmicSting vulnerability to steal encryption keys, generate API tokens, and gain unauthorized access to the store’s back-end systems, where they can manipulate content and steal customer data.

Why are multiple groups targeting the same stores?

CosmicSting is such a valuable exploit that it’s attracting attention from multiple cybercrime groups. They’re fighting each other for control over compromised stores, leading to a chaotic situation where multiple attackers are competing for the same target.

How can I protect my store from CosmicSting?

To protect your store, update to the latest version of Adobe Commerce or Magento, rotate your cryptographic keys, and monitor for malicious scripts using a CSP tool. Additionally, block access to the CMS Block API to prevent immediate attacks.

Are there any long-term solutions to prevent future attacks like CosmicSting?

Beyond patching and key rotation, merchants should implement comprehensive security measures, including regular malware scanning, vulnerability monitoring, and active threat detection. Prevention is the best defense against future attacks.

Time to Take Action: Secure Your Store Today

CosmicSting isn’t going away anytime soon, and as new vulnerabilities are discovered, cybercriminals will continue to adapt their tactics. But you can stay ahead of the game by being proactive. Patch your software, rotate those keys, and keep a close eye on your systems. The future of your business depends on it.

Have you or your business been impacted by CosmicSting? Share your experiences in the comments below, and let’s learn from each other. And don’t forget to subscribe to Guardians of Cyber for more cybersecurity insights and tips to keep your business secure.
