CosmicSting is one of the most serious threats to Magento and Adobe Commerce stores in recent years. We have seen numerous attacks on stores, occurring at a frequency of 3-5 per hour. CosmicSting, designated as CVE-2024-34102, allows attackers to access key files, including encrypted data and cryptographic keys.
Threat and Impact
Hackers gain access to the cryptographic key in the app/etc/env.php file, which allows them to modify CMS blocks via the Magento API and inject malicious JavaScript to steal customer data. In addition, using another vulnerability (CVE-2024-2961), they can run code on the server and install a backdoor, allowing long-term access to the system.
Stages of Attack
The first step of the CosmicSting attack is to acquire the encryption key, which is achieved by sending properly constructed requests to the Magento API. Next, using this key, the hackers create a JWT token, giving them unrestricted access to the Magento API. Finally, they modify existing CMS blocks, adding malicious scripts to them.
How to Protect Yourself?
1. System Update - Updating Adobe Commerce to the latest version is crucial to avoid cryptographic key theft.
2. Key Change - Even after upgrading, it is recommended to generate a new key and invalidate the old one. Adobe also provides special patches for those who cannot upgrade immediately.
Temporary Remedies
If updating is not possible, an alternative is to block requests to /v1/cmsBlock. This may limit hackers' activities, but does not provide full protection, as other API endpoints may still be exposed.
It's also worth implementing monitoring tools that detect unauthorized JavaScript, increasing the security of your Magento store. It's also possible to deploy a Magento module that strips script code from CMS blocks before they are written to the database and again before they are displayed on the page.
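The monitoring and clean-up step described above, as an added example that is not code from the original post, from Adobe or from Magento: a small Python auditor that scans the HTML of one CMS block for injected JavaScript (inline script blocks, scripts loaded from hosts outside an allowlist, inline event handlers and javascript: URLs), reports each finding and returns a cleaned copy with the flagged parts removed. The allowlisted hosts and the sample block are constructed for illustration; a real deployment would run it over the content pulled from the cms_block table or hook it into the save path.

```python
"""
Added example (not code from the original post, Adobe or Magento): a small
monitor that scans CMS block HTML for injected JavaScript and produces a
cleaned copy that can be stored or rendered instead. The allowlist and the
sample block below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: only scripts served from these hosts belong in this store's blocks.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}


class ScriptAuditor(HTMLParser):
    """Records findings and rebuilds the markup without the flagged parts."""

    def __init__(self):
        # Keep entity references untouched so the cleaned copy matches the
        # original wherever nothing was removed.
        super().__init__(convert_charrefs=False)
        self.findings = []
        self.clean = []
        self._skip_depth = 0  # > 0 while inside a <script> that is being dropped

    def _script_allowed(self, src):
        host = urlparse(src).hostname
        return host is not None and host in ALLOWED_SCRIPT_HOSTS

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src is None:
                self.findings.append("inline <script> block")
            elif not self._script_allowed(src):
                self.findings.append(f"external script from unapproved host: {src}")
            else:
                self.clean.append(self.get_starttag_text())
                return
            self._skip_depth += 1  # drop the tag and everything up to </script>
            return
        if self._skip_depth:
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):  # onclick, onerror, onload, ...
                self.findings.append(f"inline event handler {name} on <{tag}>")
                continue
            if lname in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")
                continue
            kept.append((name, value))
        attr_text = "".join(f' {n}="{v}"' if v is not None else f" {n}" for n, v in kept)
        self.clean.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag == "script" and self._skip_depth:
            self._skip_depth -= 1  # a self-closing script has no body to skip

    def handle_endtag(self, tag):
        if tag == "script" and self._skip_depth:
            self._skip_depth -= 1
            return
        if not self._skip_depth:
            self.clean.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.clean.append(data)

    def handle_entityref(self, name):
        if not self._skip_depth:
            self.clean.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_depth:
            self.clean.append(f"&#{name};")

    def handle_comment(self, data):
        if not self._skip_depth:
            self.clean.append(f"<!--{data}-->")


def audit_block(html):
    """Return (findings, cleaned_html) for the content of one CMS block."""
    auditor = ScriptAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings, "".join(auditor.clean)


# Constructed sample: a legitimate promo block with two injected elements.
SAMPLE_BLOCK = (
    '<div class="promo"><p>Free shipping &amp; returns</p>'
    '<script src="https://cdn.shop.example/promo.js"></script>'
    '<script>/* injected, placeholder for a skimmer */</script>'
    '<img src="/media/banner.png" onerror="/* injected */">'
    "</div>"
)

if __name__ == "__main__":
    found, cleaned = audit_block(SAMPLE_BLOCK)
    for finding in found:
        print("FINDING:", finding)
    print(cleaned)
```

The allowlist is deliberately host-based rather than pattern-based: a CosmicSting-style injection usually arrives as an inline script or as a tag pointing at an attacker-controlled host, so anything not explicitly approved is reported and removed. Running the auditor on a schedule against stored block content gives the "unauthorized JavaScript" alert; wiring the cleaned output into the save path gives the clean-up behaviour the text describes.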
Summary:
CosmicSting poses a serious threat that can have disastrous consequences for unprotected stores. All Magento and Adobe Commerce users should take immediate steps to update their system and protect their customers' data.