
CosmicSting: The Latest Threat to Magento and Adobe Commerce Stores

November 6, 2024

CosmicSting is one of the most serious threats to Magento and Adobe Commerce stores in recent years. We have observed numerous attacks on stores, at a rate of 3–5 per hour. CosmicSting, tracked as CVE-2024-34102, allows attackers to read sensitive files, including encrypted data and cryptographic keys.

Threat and Impact

Hackers gain access to the cryptographic key in the app/etc/env.php file, which allows them to modify CMS blocks via the Magento API and inject malicious JavaScript to steal customer data. In addition, by using another vulnerability (CVE-2024-2961), they can run code on the server and install a backdoor, enabling long-term access to the system.

Stages of the Attack

The first step of the CosmicSting attack is to obtain the encryption key, which is done by sending specially crafted requests to the Magento API. Next, using this key, the attackers forge a JWT that gives them unrestricted access to the Magento API. Finally, they modify existing CMS blocks by adding malicious scripts to them.

How Can You Protect Yourself?

1. System Update - Updating Adobe Commerce to the latest version is crucial to avoid cryptographic key theft.

2. Key Rotation - Even after upgrading, it is recommended to generate a new key and invalidate the old one. Adobe also provides special patches for those who cannot upgrade immediately.
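Why step 2 matters even after step 1: a token forged with the stolen key stays valid for as long as its expiry allows, and only rotating the key makes it fail verification. The following is an added example, not code from the article or from Magento. It signs and verifies compact HS256 JWTs with the standard library; the claim names, the long expiry and both key values are constructed for the example, and the exact token format and algorithm Magento uses are assumptions, not documented here.

```python
"""Added example: a token signed with a leaked key is rejected only after rotation.

HS256 JWT sign/verify with the standard library. The keys, claims and
expiry below are constructed values for the example (assumption: Magento
tokens are HMAC-signed JWTs keyed from app/etc/env.php, as the article
describes; the real claim set may differ).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: str) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over header.payload."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    # Accept only the algorithm we expect: no "none", no algorithm substitution.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        return None
    return claims


# Constructed keys: the one assumed leaked, and its replacement after rotation.
LEAKED_KEY = "old-crypt-key-assumed-leaked"
ROTATED_KEY = "new-crypt-key-after-rotation"


def token_accepted_after_rotation(old_key: str = LEAKED_KEY, new_key: str = ROTATED_KEY) -> Tuple[bool, bool]:
    """Sign a long-lived token with the old key; report whether it verifies before and after rotation.

    Returns (accepted_with_old_key, accepted_with_new_key).
    """
    issued = 1700000000
    claims = {"uid": 1, "iat": issued, "exp": issued + 10 * 365 * 86400}  # ten-year expiry
    forged = sign_hs256(claims, old_key)
    before = verify_hs256(forged, old_key, now=issued + 1) is not None
    after = verify_hs256(forged, new_key, now=issued + 1) is not None
    return before, after


if __name__ == "__main__":
    before, after = token_accepted_after_rotation()
    print(f"accepted before rotation: {before}, after rotation: {after}")
```

The patch from step 1 closes the file read that leaks the key; it does nothing about tokens already signed with it. The function returns `(True, False)`: the same token verifies under the old key and is rejected under the rotated one, which is the whole point of step 2.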

Temporary Workarounds

If updating is not possible, an alternative is to block requests to /v1/cmsBlock. This may limit hackers' activities, but it does not provide full protection, as other API endpoints may still be exposed.

It is also worth deploying monitoring that detects unauthorized JavaScript, which raises the overall security of your Magento store. Another option is a Magento module that strips script code from CMS blocks before they are saved and again before they are rendered on the page.
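Both of the measures just described come down to the same check on a block's HTML: find script elements and inline event handlers that the store did not put there. The following is an added example, not code from the article and not a Magento module; it works on the raw HTML of a block (for instance the `content` column of the `cms_block` table, or the body returned by the `cmsBlock` API) and can be run as a periodic scan or called before a save. The allowlisted script host and the sample block contents are constructed for the example.

```python
"""Added example: flag and strip unauthorized JavaScript in CMS block HTML.

Not a Magento module. The allowlist and the sample blocks are constructed
values; the tag-matching is regex based, which is adequate for the short
HTML fragments CMS blocks hold, not a general HTML parser.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Hosts from which this store legitimately loads scripts (constructed example value).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-store.test"}

# Whole <script>...</script> elements (and self-closing variants), inline bodies included.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>|<script\b[^>]*/>", re.IGNORECASE | re.DOTALL)
# src attribute inside an opening tag.
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Any opening tag, so that on* handlers are only looked for inside tags, not in text.
TAG_RE = re.compile(r"<[a-zA-Z][^>]*>")
# Inline event-handler attributes such as onerror="..." or onclick=....
ON_ATTR_RE = re.compile(r"""\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)


def _script_src(element: str):
    """Return the src of a script element's opening tag, or None for an inline script."""
    opening = element[: element.find(">") + 1]
    m = SRC_RE.search(opening)
    return m.group(1) if m else None


def _script_is_allowed(element: str) -> bool:
    """Only external scripts from an allowlisted host pass; inline and relative srcs do not."""
    src = _script_src(element)
    if src is None:
        return False
    host = urlparse(src).hostname
    return host is not None and host.lower() in ALLOWED_SCRIPT_HOSTS


def find_unauthorized_scripts(html: str) -> List[str]:
    """Return human-readable findings for scripts and handlers that should not be in a block."""
    findings: List[str] = []
    for m in SCRIPT_RE.finditer(html):
        element = m.group(0)
        if _script_is_allowed(element):
            continue
        src = _script_src(element)
        if src is None:
            findings.append("inline script: " + element[:60])
        else:
            findings.append("external script from non-allowlisted source: " + src)
    for tag in TAG_RE.finditer(html):
        for attr in ON_ATTR_RE.finditer(tag.group(0)):
            findings.append("inline event handler: " + attr.group(0).strip()[:60])
    return findings


def sanitize_block(html: str) -> str:
    """Remove non-allowlisted script elements and every inline on* handler; keep the rest."""
    cleaned = SCRIPT_RE.sub(lambda m: m.group(0) if _script_is_allowed(m.group(0)) else "", html)
    cleaned = TAG_RE.sub(lambda t: ON_ATTR_RE.sub("", t.group(0)), cleaned)
    return cleaned


def scan_blocks(blocks: Dict[str, str]) -> Dict[str, List[str]]:
    """Map block identifier -> findings, for blocks that have any."""
    report = {ident: find_unauthorized_scripts(html) for ident, html in blocks.items()}
    return {ident: found for ident, found in report.items() if found}


# Constructed sample blocks: two legitimate, one carrying injected markup.
SAMPLE_BLOCKS = {
    "footer_links": '<div class="footer"><a href="/contact">Contact</a></div>',
    "promo_banner": '<div class="promo">Sale!<script src="https://cdn.example-store.test/promo.js"></script></div>',
    "injected": '<div>Welcome<script src="https://collector.invalid/c.js"></script>'
                '<img src="x" onerror="alert(1)"></div>',
}


if __name__ == "__main__":
    for ident, found in scan_blocks(SAMPLE_BLOCKS).items():
        print(ident)
        for line in found:
            print("  -", line)
        print("  sanitized:", sanitize_block(SAMPLE_BLOCKS[ident]))
```

Relative `src` values are deliberately not allowlisted, since a script dropped into the store's own document root would otherwise pass; add a path-based rule if the store serves its own scripts that way. Running `scan_blocks` on a fresh export of all blocks and diffing the report against the previous run turns this into the monitoring the article recommends; calling `sanitize_block` in a before-save hook gives the cleaning behaviour.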

Summary

CosmicSting poses a serious threat that can have disastrous consequences for unprotected stores. All Magento and Adobe Commerce users should take immediate steps to update their system and protect their customers' data.
