Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit

Summary:
A critical XML external entity reference (XXE) vulnerability, tracked as CVE-2024-34102, has been exploited to compromise five percent of Adobe Commerce and Magento stores. This vulnerability, dubbed CosmicSting, has been exploited by malicious actors to gain remote code execution on vulnerable systems. The flaw was patched by Adobe on June 27th, 2024, but widespread exploitation has continued. Sansec research discovered seven different groups running large-scale campaigns utilizing this CosmicSting vulnerability.

The vulnerability has been used by threat actors to steal Magento's secret encryption key, which is then used to generate JSON Web Tokens (JWTs) with full administrative API access. This allows attackers to inject malicious scripts into the e-commerce sites. When Adobe issued a critical severity rating on July 8th, automated attacks had already begun and thousands of secret crypt keys had been stolen. When stores updated their systems, existing secret keys were not invalidated automatically, leaving the stores vulnerable to unauthorized modifications. To mitigate this threat, site owners should not only apply the latest patch but also rotate their encryption keys. Recent attacks in August 2024 have chained CosmicSting with CNEXT (CVE-2024-2961), a vulnerability in the GNU C library, to achieve remote code execution. This escalation allows attackers to take full control of the compromised system. The ultimate goal of these attacks is to establish persistent access and steal payment data from users.

Security Officer Comments:
The exploitation of CosmicSting highlights the ongoing threat posed by unpatched instances of software. Despite the availability of a patch, many organizations have failed to implement it fully and promptly, leaving their systems vulnerable to attack. The widespread use of this vulnerability by multiple threat groups underscores the importance of maintaining a resilient security posture, staying up-to-date with the latest security advisories, and properly implementing fixes where applicable. Organizations using Adobe Commerce or Magento should prioritize applying the patch for CVE-2024-34102 and rotating their encryption keys. Additionally, implementing network segmentation practices and intrusion detection systems can help mitigate the risk of exploitation. Sansec projects that more stores will get hacked in the coming months, as 75% of the Adobe Commerce & Magento install base hadn't been patched when the automated scanning for secret encryption keys started.

Suggested Corrections:
IOCs for CosmicSting attacks are published here.

Recommendations on How To Fix from Sansec

  1. Prevent attackers from stealing your crypt key. This requires installation of the latest Adobe Commerce version because this vulnerability was patched in June 2024.
  2. Assume your old crypt key has been stolen already, so make sure nobody can abuse it. This involves generating a new key and invalidating the old one.

The recommended solution is to upgrade your installation to the latest version (2.4.7-p2). However, this upgrade includes several functional changes such as strict CSP, which may break your checkout flow.

If you cannot upgrade, the second best solution is to apply the isolated patch as provided by Adobe.

After upgrading your system, you should rotate your crypt keys as described here. Note that secrets encrypted with the old key are not automatically re-encrypted with the new key. To automate this, Luke Rodgers at GENE Commerce provides a helpful module.

Stop-gap Fix
If you cannot do any of the above in the short term, then you can implement an emergency measure of blocking all requests to the CMS block API (/v1/cmsBlock). This would solve the immediate issue of the attackers updating CMS blocks, but you would be far from safe. Attackers can still:

  1. Read any file on your server, which means they will keep stealing your (new) encryption keys.
  2. Use any other REST endpoint for malicious purposes. For example, steal your customers' PII via the orders endpoint.
  3. In the worst case, they gain remote code execution by chaining with other exploits.
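Added example, not code from Sansec, Adobe or the original advisory: a small Python triage script that applies the stop-gap rule above to web server access logs, flagging write calls to the CMS block API and successful reads on the orders endpoint the text names. It assumes the Magento REST path layout /rest/V1/... with optional store-code variants (the text writes the endpoint as /v1/cmsBlock), a combined-format log, and constructed sample lines.

```python
import re
from urllib.parse import unquote

# Assumption: Magento serves the CMS block API at /rest/V1/cmsBlock and at
# per-store variants such as /rest/default/V1/cmsBlock (store codes taken to be
# alphanumeric/underscore). Matching is case-insensitive on the decoded path.
STORE = r"^/rest/(?:[A-Za-z0-9_]+/)?V1/"
CMS_BLOCK_RE = re.compile(STORE + r"cmsBlock(?:/|$)", re.IGNORECASE)
ORDERS_RE = re.compile(STORE + r"orders(?:/|$)", re.IGNORECASE)

# Combined log format: client, method, path, status (everything else ignored).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def normalise(path: str) -> str:
    """Decode percent-encoding and drop the query string before matching."""
    return unquote(path.split("?", 1)[0])

def is_cmsblock_request(path: str) -> bool:
    """True if the request targets the CMS block API (what the stop-gap blocks)."""
    return bool(CMS_BLOCK_RE.match(normalise(path)))

def triage(lines):
    """Return (client, finding, method, path, status) tuples for cmsBlock writes
    (script injection) and successful orders reads (customer PII theft).
    Read-only cmsBlock calls are not flagged; storefront code uses them."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, method, raw_path, status = m.groups()
        path = normalise(raw_path)
        if is_cmsblock_request(path) and method.upper() in ("POST", "PUT", "DELETE"):
            findings.append((client, "cmsBlock write", method, path, status))
        elif ORDERS_RE.match(path) and status.startswith("2"):
            findings.append((client, "orders read", method, path, status))
    return findings

# Constructed sample access log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:10:01:02 +0000] "PUT /rest/default/V1/cmsBlock/7 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2024:10:01:09 +0000] "GET /rest/V1/orders?searchCriteria[pageSize]=500 HTTP/1.1" 200 80211 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2024:10:02:00 +0000] "GET /rest/V1/cmsBlock/7 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2024:10:02:30 +0000] "GET /customer/account/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

The same path test (`is_cmsblock_request`) is what a web server deny rule for the stop-gap needs to express, including the store-code variants and percent-encoded spellings.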

Link(s):
https://thehackernews.com/2024/10/alert-adobe-commerce-and-magento-stores.html

https://sansec.io/research/cosmicsting-fallout

https://sansec.io/research/cosmicsting

https://github.com/spacewasp/public_docs/blob/main/CVE-2024-34102.md