Category | Details |
---|---|
Threat Actors | Not explicitly mentioned. |
Campaign Overview | Exploits “CosmicSting” vulnerability (CVE-2024-34102) in Adobe Commerce and Magento, targeting e-commerce platforms globally. |
Target Regions | Global (affects over 140,000 Magento instances worldwide). |
Methodology | Exploits unauthenticated XML External Entity (XXE) vulnerability via REST API endpoints, enabling sensitive file access and potential RCE. |
Product Targeted | Adobe Commerce and Magento Open Source versions before 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, and 2.4.4-p9. |
Malware Reference | Potential injection of malicious “eskimmer” JavaScript to scrape form data and exfiltrate it to attacker-controlled domains. |
Tools Used | Proof-of-concept exploits, Snort IDS/IPS, Splunk queries, Tetragon eBPF observability agent, synthetic transaction monitoring tools. |
Vulnerabilities | CVE-2024-34102 (CVSS 9.8), XXE vulnerability triggered via nested deserialization and unsafe XML entity handling. |
TTPs | Crafting malicious JSON payloads; exploiting REST API endpoints; chaining with other issues for RCE; exfiltration of sensitive files (e.g., /etc/passwd). |
Attribution | No explicit attribution mentioned. |
Recommendations | Apply latest patches; implement WAF rules; use network segmentation; conduct security audits; monitor logs; enforce least privilege. |
Source | Splunk |
Read full article: https://www.splunk.com/en_us/blog/security/cosmicsting-a-critical-xxe-vulnerability-in-adobe-commerce-and-magento.html
Disclaimer: The above summary has been generated by an AI language model