Sunday, October 6, 2024

More than 4,275 online stores hit by CosmicSting attacks

High-profile victims include Whirlpool, Ray-Ban, National Geographic, Segway and Cisco; the affected platforms are Adobe Commerce and Magento

  • About 5% of all Adobe Commerce and Magento stores experienced the installation of payment skimmers during the summer months.
  • Despite consistent warnings, many e-commerce businesses failed to take timely action, and as a result, they became unwitting victims of these cybercriminal schemes.
  • Sansec projects that many more stores will fall victim to similar attacks.

The hacking campaign targeting prominent brands such as Ray-Ban, National Geographic, Cisco, Whirlpool, and Segway underscores the critical security vulnerabilities within e-commerce platforms, specifically Adobe Commerce and Magento.

According to the Sansec Forensics Team, attackers have exploited a severe Improper Restriction of XML External Entity Reference (XXE) flaw, dubbed “CosmicSting,” to breach more than 4,275 online stores.

The vulnerability, which has been assigned a severity score of 9.8 out of 10 by the National Institute of Standards and Technology (NIST), allows for arbitrary code execution with no user interaction, thereby posing an immense risk to merchants and their customers.

Deploying web skimmers

The ramifications of the CosmicSting vulnerability are significant. Malwarebytes noted that attackers have been deploying web skimmers on compromised Magento sites, facilitating the real-time theft of customers’ payment information.

Alarmingly, nearly five per cent of all Adobe Commerce and Magento stores experienced the installation of payment skimmers during the summer months, a statistic that highlights the critical need for vigilance among merchants.

Despite consistent warnings, many e-commerce businesses failed to take timely action, and as a result, they became unwitting victims of these cybercriminal schemes.

Adobe’s disclosure of the vulnerability on July 8th coincided with the onset of automated attacks, during which numerous secret keys were extracted.

Although installing security updates can mitigate the threat, the Sansec researchers indicated that merely updating systems does not automatically invalidate existing secret keys, thus leaving stores vulnerable to unauthorised modifications.

Links with Russia

Adobe subsequently released guidance for rotating encryption keys, emphasising the necessity for proactive security measures.

Furthermore, the emergence of at least seven distinct threat groups competing for control over compromised stores exemplifies the chaotic nature of this cyber threat.

The groups’ names, which are rooted in Russian terms for various rodents, suggest a potential link to Russian-speaking cybercriminal organisations.

The competition not only heightens the risk for affected merchants but also complicates the landscape of cybercrime, as multiple factions vie for dominance over each targeted store.

The ongoing threat remains palpable, with Sansec projecting that many more stores will fall victim to similar attacks. With approximately 75 per cent of the Adobe Commerce and Magento install base reportedly unpatched at the time when secret encryption key scanning commenced, the potential for widespread compromise is significant.

It is imperative for merchants to adopt a proactive stance in their cybersecurity measures, including timely updates of software and key rotations, to mitigate the risks posed by vulnerabilities like CosmicSting.
