Five percent of all Adobe Commerce and Magento stores hacked, researchers say


Ray-Ban, National Geographic, Cisco, Whirlpool, and Segway are among the victims of a hacking campaign targeting merchants. The Sansec Forensics Team reported that attackers have already breached 4,275 online stores by exploiting a critical vulnerability affecting Adobe Commerce and Magento software.

Seven distinct threat actors are already profiting from an Improper Restriction of XML External Entity Reference ('XXE') vulnerability dubbed “CosmicSting,” which affects unpatched Adobe Commerce and Magento versions.

According to NIST, this vulnerability, with a severity score of 9.8 out of 10, results in arbitrary code execution without user interaction when the attacker sends a crafted XML document that references external entities.
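The mechanism described above is the XXE class: the parser is handed a document whose DTD declares an entity that points at an external resource, and expanding that entity makes the server act on attacker-chosen content. The defensive pattern is to refuse any DTD or entity declaration from an untrusted source before the parser can expand it. The following is an added example written for this article, not code from Adobe, Magento or Sansec; it uses Python's standard-library expat bindings and the sample inputs (`BENIGN_XML`, `CRAFTED_XML`) are constructed, with a placeholder URL that is never fetched.

```python
"""Defensive XML intake: reject any document that carries a DTD or entity
declarations before the parser can expand them (the XXE class described above).
Added example; not code from Adobe, Magento or Sansec."""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when untrusted XML contains constructs that enable XXE."""


def parse_untrusted_xml(data: bytes) -> list[str]:
    """Parse XML from an untrusted source and return the element names seen.

    Any DOCTYPE, entity declaration or external entity reference aborts the
    parse with UnsafeXmlError. A client never needs to supply a DTD, so
    rejecting the whole document is simpler and safer than sanitizing it.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE {name!r} not allowed in untrusted input")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration {name!r} not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity reference to {sysid!r} blocked")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)  # exceptions raised in the handlers propagate here
    return seen


def is_safe_xml(data: bytes) -> bool:
    """Boolean form for use in an intake filter or a log-replay check."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXmlError:
        return False


# Constructed sample inputs (not real traffic).
BENIGN_XML = b"<order><sku>ABC-123</sku></order>"
# A document of the shape the advisory describes: a DTD that declares an
# entity pointing at an external resource and then references it. The URL is
# a placeholder; the DOCTYPE handler fires before anything could be fetched.
CRAFTED_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/not-read">]>'
    b"<order><sku>&ext;</sku></order>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_XML))  # ['order', 'sku']
    print(is_safe_xml(CRAFTED_XML))         # False
```

Rejecting on the DOCTYPE itself, rather than only on external references, also blocks internal entity expansion attacks; a production service would apply the same rule in front of whatever XML library the application actually uses, since the expat handlers here only illustrate where the check belongs.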


Malwarebytes warned in August that attackers were planting web skimmers on hundreds of websites running the Magento e-commerce software, scraping customers’ payment information in real time. Website users had no way to recognize the compromise.

“Despite ongoing warnings, five percent of all Adobe Commerce and Magento stores ended up with a payment skimmer on their checkout page this summer. Sansec has reached out to all 4275 merchants with remediation instructions,” the new report reads.

Adobe disclosed the bug on July 8th, when automated attacks on storefronts had already begun and thousands of secret keys had been stolen. Installing a security update can mitigate the vulnerability.

However, Sansec researchers noted that when stores updated their systems, existing secret keys were not automatically invalidated, leaving them vulnerable to unauthorized modifications. Adobe then issued a guide for encryption key rotation.

Now, at least seven distinct threat groups are battling to compromise the affected stores: Bobry, Polyovki, Surki, Burunduki, Ondatry, Khomyaki, and Belki. All those names are Russian words for various rodents, suggesting a connection to Russian-speaking cybercriminal communities.

“Usually, the first hacker to break into a site will secure it to keep others out. However, the CosmicSting vulnerability prevents this, leading to multiple groups fighting for control over the same store and evicting each other again and again,” the report notes.

Sansec warns that many more stores will get hacked, as “75% of the Adobe Commerce and Magento install base hadn't patched when the automated scanning for secret encryption keys started.”
