CosmicSting Hack Hits Thousands of Adobe Commerce and Magento Stores

Cybercriminals exploited the CosmicSting vulnerability (CVE-2024-34102), an XML external entity (XXE) flaw in the Adobe Commerce and Magento REST API that lets an unauthenticated attacker read files from the server, to compromise over 5% of all Adobe Commerce and Magento stores this summer. Seven distinct threat groups used it to inject malicious code into these online stores, installing payment skimmers on checkout pages.

Notable victims include Ray Ban, National Geographic, Cisco, Whirlpool, and Segway. Despite ongoing warnings and security advisories, these attacks continued unabated, highlighting the urgency of addressing this vulnerability and implementing robust security measures to protect online businesses.

Malware in the National Geographic store

Adobe’s critical severity rating on July 8th triggered automated attacks against unpatched Magento stores. Thousands of secret encryption (crypt) keys were read from store configurations; because that key signs the platform’s API tokens, anyone holding it can mint valid tokens, access private customer data through the API and insert payment skimmers.

Adobe’s guidance was to rotate keys and manually remove the old ones, but rotation by itself adds a new key without invalidating the existing one, so on many stores a key that had already been stolen kept working. The result was multiple groups fighting for control of the same store, repeatedly evicting each other’s code and causing significant disruption.
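To make the rotation problem concrete, here is an added example in Python; it is not code from the article, from Sansec or from Adobe. It models the store’s configured keys as the crypt/key list in app/etc/env.php and an API token as an HS256 JWT signed with one of those keys. The modelling assumption is that the verifier accepts a token signed with any key still listed, which is exactly what keeps a stolen key alive after a rotation that only appends. The env.php text, key values and token claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample of app/etc/env.php (not from a real store). After a
# rotation the previous key remains on the line above the new one.
SAMPLE_ENV_PHP = """<?php
return [
    'crypt' => [
        'key' => '0f3a9c1e5b7d2468ace0f3a9c1e5b7d2
9d7b5f3e1c0a8642fedcba9876543210'
    ],
    'db' => ['connection' => ['default' => ['host' => 'localhost']]],
];
"""


def crypt_keys(env_php: str) -> list[str]:
    """Return every key listed under crypt/key, oldest first."""
    m = re.search(r"'crypt'\s*=>\s*\[\s*'key'\s*=>\s*'([^']*)'", env_php)
    if not m:
        raise ValueError("no crypt/key entry found")
    return [k.strip() for k in m.group(1).splitlines() if k.strip()]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_token(payload: dict, key: str) -> str:
    """Mint an HS256 JWT (standard header.body.signature layout) with the given key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, accepted_keys: list[str]) -> bool:
    """Modelled verifier (assumption): the token is valid if ANY listed key signed it."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False
    signing_input = f"{header}.{body}".encode()
    for key in accepted_keys:
        expected = _b64url(hmac.new(key.encode(), signing_input, hashlib.sha256).digest())
        if hmac.compare_digest(expected, sig):
            return True
    return False


def rotate(keys: list[str], new_key: str) -> list[str]:
    """Rotation as append: the old key stays in the configured list."""
    return keys + [new_key]


def purge_old_keys(keys: list[str]) -> list[str]:
    """Keep only the newest key so tokens minted with any older key stop verifying."""
    return keys[-1:]


def demo() -> tuple[bool, bool]:
    keys = crypt_keys(SAMPLE_ENV_PHP)
    stolen = keys[-1]                                   # attacker read the current key
    forged = sign_token({"sub": "admin", "role": "administrator"}, stolen)  # illustrative claims
    rotated = rotate(keys, "c0ffee" * 5 + "ab")         # hypothetical fresh key
    after_rotation = verify_token(forged, rotated)      # old key still listed
    after_purge = verify_token(forged, purge_old_keys(rotated))
    return after_rotation, after_purge


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the forged token still verifying after a plain rotation and failing only once the old key is gone from the list, which is why rotating without removing the old key does not evict an attacker who already has it.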

Researchers identified several distinct malware loaders in CosmicSting attacks. Group Bobry uses whitespace encoding to hide a script that retrieves a payment skimmer from a domain chosen according to the compromised website’s URL.

One of the Bobry victims is Segway

Group Polyovki injects a malicious script from a central domain, while Group Surki employs a more complex loader built around an “answer of life” function, obfuscation keyed on the number 42, and a unique domain for payload delivery.

These loaders illustrate the variety of methods cybercriminals use to evade security measures and inject malicious code into Magento stores.

Group Burunduki, another CosmicSting exploiter, delivers its skimmer over a WebSocket on a custom port (wss://jgueurystatic.xyz:8101); the JavaScript served from that endpoint injects the skimmer code dynamically at checkout.
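As an added example of how a responder might triage storefront HTML for the loader traits described above (added here, not tooling from the article or from Sansec), the Python below applies two cheap heuristics: a string literal made only of whitespace or zero-width characters, which is the carrier a whitespace-encoded loader needs, and a WebSocket URL on a port other than 80 or 443, as in the Burunduki endpoint quoted above. The page fragments are constructed; the host jgueurystatic.xyz:8101 is the one named in the article. The exact whitespace alphabet is an assumption of the example, and a real loader may use a different one.

```python
import re

# String literal consisting only of "invisible" characters: space, tab and the
# common zero-width code points. Which of these a given loader uses is an
# assumption of this example; 64 is an arbitrary minimum length.
WS_STRING = re.compile(r"""["']([ \t\u200b\u200c\u200d\ufeff]{64,})["']""")

# Any ws:// or wss:// URL that names an explicit port.
WS_URL = re.compile(r"wss?://([A-Za-z0-9.-]+):(\d{1,5})")

# Dynamic execution primitives; only reported next to another signal to
# keep noise down, since legitimate bundles use them too.
DYN_EXEC = re.compile(r"\b(?:eval|Function|setTimeout)\s*\(")


def scan_html(html: str) -> list[str]:
    """Return human-readable findings for one page's HTML (empty if clean)."""
    findings = []
    for m in WS_STRING.finditer(html):
        findings.append(f"whitespace-encoded string ({len(m.group(1))} chars)")
    for m in WS_URL.finditer(html):
        host, port = m.group(1), int(m.group(2))
        if port not in (80, 443):
            findings.append(f"websocket to non-standard port {port} on {host}")
    if findings and DYN_EXEC.search(html):
        findings.append("dynamic code execution next to suspicious payload")
    return findings


# Constructed page fragments (not real captures) exercising each heuristic.
_WS_PAYLOAD = "\t \t\t  \t " * 16   # 128 carrier characters
SAMPLES = {
    "clean": '<script src="/static/frontend/Magento/luma/en_US/mage/requirejs/mixins.js"></script>',
    "whitespace_loader": '<script>var h="' + _WS_PAYLOAD + '";eval(decode(h));</script>',
    "wss_custom_port": '<script>new WebSocket("wss://jgueurystatic.xyz:8101/");</script>',
}


if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, scan_html(html))
```

Treat hits as leads for manual review rather than verdicts: a carrier string proves nothing until the decoded script is examined, and the port heuristic deliberately ignores 443, where a skimmer could also hide behind a plausible hostname.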

This attacker targets high-profile stores, such as the Cisco store

Group Ondatry focuses on larger merchants and builds custom malware that mimics legitimate payment forms (e.g., MultiSafePay). Its loader stores the malicious script as encoded strings that are decoded at runtime, assembled into a script and then executed.

Group Khomyaki uses the exploit to steal payment information from high-value stores and exfiltrates it to domains with a two-letter URI extension (like “.za/”); stolen data may also be routed through other compromised stores acting as proxies. Group Belki combines CosmicSting with the CNEXT exploit (CVE-2024-2961, a buffer overflow in glibc’s iconv) to achieve remote code execution on the server.

Belki hides its backdoors in system files and processes with seemingly harmless names. Both groups aim to steal customer payment information, and Belki’s skimming malware appears similar to that used by Surki.

According to Sansec research, the recent CosmicSting mass-hack targeted merchants running outdated Magento or Adobe Commerce platforms with unrotated secret encryption keys.

To prevent future attacks, merchants are urged to update their platforms, rotate their encryption keys and remove the old ones from the configuration, and run server-side malware and vulnerability monitoring such as Sansec’s eComscan.

Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
