Adobe Commerce and Magento stores facing attack from dangerous malware

Crooks are stealing credit card data from affected sites

· TechRadar

News By Sead Fadilpašić published 3 October 2024


Some of the world’s most popular ecommerce platforms were carrying vulnerabilities that allowed threat actors to run code remotely, deploy malware, and even steal payment information from customers, experts have warned.

Countless websites using the Adobe Commerce and Magento platforms have already been compromised, including heavyweights such as Ray-Ban, National Geographic, Cisco, Whirlpool, and Segway, cybersecurity researchers Sansec have claimed.

They claim roughly 5% of all websites powered by these platforms have already been compromised through the vulnerability, dubbed “CosmicSting”, with up to five new ones being added every hour, in what they call the “worst bug” to hit the two platforms in years.

Chaining flaws

The vulnerability, tracked as CVE-2024-34102 with a severity score of 9.8/10 (critical), is described as an “improper restriction of XML external entity reference” (XXE) flaw.

The patch for the flaw was released in June 2024, and CISA added it to its KEV catalog in July. However, newer attacks, observed from August onward, chain CosmicSting with a vulnerability called CNEXT, tracked as CVE-2024-2961. Together, these two bugs grant the attackers the ability to run code remotely and essentially take over the entire system.
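The flaw class named above, XXE, hinges on an XML parser honouring entity declarations in untrusted input. The following is an added example, not code from the article, from Sansec, or from Adobe Commerce/Magento: a defensive pre-parse guard that classifies an inbound XML document by the declarations it carries and refuses to parse anything with a DOCTYPE at all, which is the usual hardening for endpoints that accept XML. The sample documents, the placeholder `file:///constructed/example` URI, and the function names are constructed for illustration; nothing here reflects the actual vulnerable code path in the platforms.

```python
"""
Added example (not from the TechRadar article, Sansec or Adobe): a pre-parse
check that rejects XML carrying DOCTYPE/ENTITY declarations, the mechanism an
XXE payload (CWE-611, the class CosmicSting belongs to) relies on.  All sample
documents below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# A DOCTYPE is required before any entity can be declared; SYSTEM/PUBLIC mark
# an entity as *external* (resolved from a file or URL by the parser).
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_ENTITY_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)
_EXTERNAL_RE = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when a document carries constructs we refuse to process."""


def classify(doc: bytes) -> str:
    """Return 'clean', 'doctype', 'internal-entity' or 'external-entity'.

    The most dangerous category wins, so a document with an external entity
    is reported as such even though it also contains a DOCTYPE.
    """
    if _EXTERNAL_RE.search(doc):
        return "external-entity"
    if _ENTITY_RE.search(doc):
        return "internal-entity"
    if _DOCTYPE_RE.search(doc):
        return "doctype"
    return "clean"


def parse_untrusted(doc: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing any DOCTYPE.

    Rejecting the whole DOCTYPE (rather than only SYSTEM/PUBLIC entities) also
    blocks parameter-entity and entity-expansion ("billion laughs") variants
    that a narrower check would miss.  The parser is only invoked after the
    check passes, so it never sees a declaration it could act on.
    """
    kind = classify(doc)
    if kind != "clean":
        raise UnsafeXML(f"refusing XML with {kind} declaration")
    return ET.fromstring(doc)


# Constructed sample documents (hypothetical order payloads) for the self-test.
SAMPLES = {
    "order": b"<order><sku>ABC-1</sku><qty>2</qty></order>",
    "doctype_only": b"<!DOCTYPE order [ ]><order/>",
    "internal": b'<!DOCTYPE o [<!ENTITY greet "hi">]><o>&greet;</o>',
    "external": b'<!DOCTYPE o [<!ENTITY ext SYSTEM "file:///constructed/example">]><o>&ext;</o>',
}


def run_samples() -> dict:
    """Return (classification, outcome) per sample: root tag if parsed, else the refusal message."""
    results = {}
    for name, doc in SAMPLES.items():
        try:
            root = parse_untrusted(doc)
            results[name] = (classify(doc), root.tag)
        except UnsafeXML as exc:
            results[name] = (classify(doc), str(exc))
    return results


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:14s} {outcome}")
```

The check runs on raw bytes before decoding or parsing, so it cannot be bypassed by a parser-level feature flag being left at an unsafe default; the trade-off is that legitimate documents with a harmless DOCTYPE are also rejected, which is acceptable for an API that controls its own schema. Where a dedicated hardened parser library is available it should be used in addition to, not instead of, such a guard.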

The researchers identified at least seven groups taking advantage of these vulnerabilities. The groups are not exactly household names in the cybercriminal community - Bobry, Polyovki, Surki, Burunduki, Ondatry, Khomyaki, and Belki. Regardless of their status, they are still a formidable foe, since at least one used CosmicSting with CNEXT to plant skimmer malware on the victim websites.

Skimmers work by stealing payment information during the checkout process and sending it to the attackers. Crooks can either sell the credit card data on the black market or use it to fund additional campaigns. Every now and then, we see ad campaigns on Google, Facebook, and elsewhere promoting malicious websites and programs, and the majority of those campaigns are funded like this.
