Sansec's Forensics Team has reported a significant escalation in the ongoing CosmicSting attacks, which are now chaining with the CNEXT vulnerability to enable remote code execution (RCE) on unpatched Adobe Commerce systems.
This attack, which was initially observed in the wild earlier this summer, has evolved from script injections into CMS blocks to persistent backdoors, allowing attackers to maintain covert control over compromised systems.
CosmicSting evolution
CosmicSting (CVE-2024-34102) was first identified by a researcher known as Spacewasp, who highlighted its potential to cause widespread damage across the e-commerce landscape. The vulnerability affects an alarming 75% of Adobe Commerce and Magento stores and allows threat actors to read arbitrary files from the compromised systems. Despite the release of a critical security patch in June, only 25% of affected sites have applied the update, leaving the majority of stores vulnerable to exploitation.
Sansec initially warned about the CosmicSting vulnerability's capacity to steal sensitive data, including encryption keys used for generating administrative JSON Web Tokens (JWTs). These tokens could then be utilized to hijack stores, inject malicious code into CMS blocks, and execute fraudulent transactions. The attacks were immediately severe, with major international brands reporting breaches within days of the vulnerability's discovery.
New attack vector
In the latest development, attackers have begun chaining CosmicSting with another critical vulnerability, CNEXT (CVE-2024-2961). This combination enables attackers to escalate from arbitrary file reading to full remote code execution, allowing them to take over entire systems. Once control is gained, threat actors can deploy persistent backdoors that are difficult to detect and remove.
Logs analyzed by Sansec reveal repeated attempts to exploit this vulnerability, with attackers using the same default "test-ambio" cart ID from a previous Ambionics exploit. Even where the server answered these requests with 4xx and 5xx HTTP status codes, Sansec notes that exploitation can still have succeeded, so such responses are no proof that an attempt failed, underscoring the need for immediate patching.
Once the attackers establish a foothold, they deploy two malicious files in the ~/.config/htop directory: defunct and defunct.dat. These files are part of a sophisticated backdoor mechanism, which includes a crontab entry that runs hourly to ensure the backdoor remains active. The backdoor process, masquerading as a kernel thread, uses gsocket, a toolkit that enables peer-to-peer TCP connections through firewalls, with support for Tor to enhance the attackers' anonymity.
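The host-side indicators in the paragraph above (the two files under ~/.config/htop, the hourly crontab entry, and a process posing as a kernel thread) can be checked with a short script. The following is an added example written for this page, not Sansec's tooling or code from the article. The file names and directory come from the article; the kernel-thread heuristic (a process whose name looks like a kernel thread but whose /proc/<pid>/exe resolves to a file on disk) and the list of kernel-thread name prefixes are this example's own assumptions.

```python
"""Host-side checks for the backdoor described in the article.

Added example, not Sansec's tooling. Indicators from the article: the files
defunct and defunct.dat under ~/.config/htop, an hourly crontab entry that
keeps the backdoor alive, and a process masquerading as a kernel thread.
The kernel-thread heuristic below is an assumption of this example.
"""
import os
import re
from pathlib import Path
from typing import List, Optional, Tuple

BACKDOOR_FILES = ("defunct", "defunct.dat")  # names from the article


def find_backdoor_files(home: str = "~") -> List[Path]:
    """Return whichever indicator files exist under <home>/.config/htop."""
    base = Path(home).expanduser() / ".config" / "htop"
    return [base / name for name in BACKDOOR_FILES if (base / name).exists()]


# Crontab lines that mention the backdoor directory or file names.
CRON_INDICATOR = re.compile(r"\.config/htop|\bdefunct(\.dat)?\b")


def suspicious_cron_lines(crontab_text: str) -> List[str]:
    """Non-comment crontab lines referencing the backdoor path or file names."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and CRON_INDICATOR.search(line):
            hits.append(line)
    return hits


# Name prefixes genuine kernel threads use (assumed list; extend for your kernel).
KTHREAD_NAME = re.compile(
    r"^(kworker|kthreadd|ksoftirqd|migration|rcu_|kswapd|khugepaged|kcompactd)"
)


def is_masquerading_kernel_thread(comm: str, exe: Optional[str]) -> bool:
    """Genuine kernel threads have no executable on disk, so /proc/<pid>/exe
    cannot be resolved (exe is None). A process whose name looks like a kernel
    thread but does resolve to a file is pretending (heuristic)."""
    return bool(KTHREAD_NAME.match(comm)) and exe is not None


def scan_proc() -> List[Tuple[int, str, str]]:
    """Walk /proc (Linux) and return (pid, comm, exe) for masquerading processes."""
    found = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            comm = Path(f"/proc/{pid}/comm").read_text().strip()
        except OSError:
            continue  # process vanished or unreadable
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # unresolvable exe is what a true kernel thread looks like
        if is_masquerading_kernel_thread(comm, exe):
            found.append((pid, comm, exe))
    return found


if __name__ == "__main__":
    print("indicator files:", find_backdoor_files())
    crontab = os.popen("crontab -l 2>/dev/null").read()
    print("suspicious cron lines:", suspicious_cron_lines(crontab))
    print("masquerading kernel threads:", scan_proc())
```

Run it as root so /proc/<pid>/exe of every user's processes can be read (unprivileged runs turn other users' processes into false negatives), and check the crontabs of the web server user and of any deploy user, not only the account running the script.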
Additionally, Sansec has identified a new attack vector where WebSocket scripts are injected into the store's header. These scripts establish a connection to attacker-controlled servers, allowing real-time execution of malicious JavaScript on the compromised site. The attackers can dynamically adapt their payloads, making detection and mitigation particularly challenging.
Recommendations
Sansec has provided several indicators of compromise (IOCs), including specific WebSocket domains and IP addresses associated with these attacks:
- WebSocket Domains: wss://accept.bar/common, wss://amocha.xyz/common, wss://cdn-webstats.com/ls, wss://clearnetfab.net/common, wss://fallodick87-78.sbs/common, wss://cd.iconstaff.top/m, wss://cdn.iconstaff.top/common, wss://cdn.inspectdlet.net/ws, wss://jqueryuslibs.com/common, wss://jstatic201.com/common, wss://lererikal.org/common, wss://mamatmavali.ru/common, wss://nothingillegal.bond/common, wss://paie-locli.com/s, wss://sellerstat.site/wss, wss://statsseo.com/common, wss://statstoday.org/common, wss://vincaolet.xyz/socket, wss://webexcelsior.org/common
- IP Addresses: 165.231.182.98, 193.93.193.74, 45.10.160.45
Website owners and administrators should add the above to their blocklists to thwart attacks.
Adobe Commerce and Magento users should apply the latest patches without further delay. In addition, merchants are advised to change their encryption keys, set up database trigger logs, and monitor CMS blocks for unauthorized modifications.
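Sansec's advice to blocklist the listed indicators and to watch CMS blocks for unauthorized changes can be combined into one content check. The following is an added example for this page, not Sansec's tooling or code from the article: it scans CMS block or page HTML for WebSocket URLs, flags any that point at the hostnames or IP addresses listed above, and reports every other WebSocket endpoint for review. The IOC lists are copied from the article; the sample CMS blocks are constructed for the example.

```python
"""Scan Adobe Commerce / Magento CMS content for injected WebSocket loaders.

Added example, not Sansec's tooling. IOC hosts and IPs are those published in
the article; SAMPLE_BLOCKS is constructed test data.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# WebSocket hostnames from the article's IOC list
IOC_WS_HOSTS = {
    "accept.bar", "amocha.xyz", "cdn-webstats.com", "clearnetfab.net",
    "fallodick87-78.sbs", "cd.iconstaff.top", "cdn.iconstaff.top",
    "cdn.inspectdlet.net", "jqueryuslibs.com", "jstatic201.com",
    "lererikal.org", "mamatmavali.ru", "nothingillegal.bond",
    "paie-locli.com", "sellerstat.site", "statsseo.com", "statstoday.org",
    "vincaolet.xyz", "webexcelsior.org",
}
# IP addresses from the article's IOC list
IOC_IPS = {"165.231.182.98", "193.93.193.74", "45.10.160.45"}

# Plaintext ws:// or wss:// URLs; stops at quotes, whitespace and tag delimiters
WS_URL = re.compile(r"""wss?://[^\s"'<>)]+""", re.IGNORECASE)


def extract_ws_urls(html: str) -> List[str]:
    """All WebSocket URLs written in plain text inside the HTML/JS."""
    return WS_URL.findall(html)


def classify(url: str) -> str:
    """'known_ioc' if the host is on the published list, else 'unknown_ws'."""
    host = urlparse(url).hostname or ""
    if host in IOC_WS_HOSTS or host in IOC_IPS:
        return "known_ioc"
    return "unknown_ws"


def scan_blocks(blocks: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Map of CMS block identifier -> content; returns (identifier, url, verdict)
    for every WebSocket endpoint found, in block order."""
    findings = []
    for identifier, content in blocks.items():
        for url in extract_ws_urls(content):
            findings.append((identifier, url, classify(url)))
    return findings


# Constructed sample data: one clean block, one carrying a listed IOC, one
# opening a WebSocket to a host not on the list (still worth a manual look).
SAMPLE_BLOCKS = {
    "footer_links": "<ul><li><a href='/contact'>Contact</a></li></ul>",
    "home_header": '<script>var s = new WebSocket("wss://cdn-webstats.com/ls");</script>',
    "support_widget": "<script>new WebSocket('wss://chat.example.com/socket');</script>",
}

if __name__ == "__main__":
    for identifier, url, verdict in scan_blocks(SAMPLE_BLOCKS):
        print(f"{verdict:10s} {identifier:15s} {url}")
```

In practice the dictionary is filled from the store database (the identifier and content columns of cms_block and cms_page) and from the rendered storefront head, since the article reports injection into the header. The regex only matches URLs written in plain text, so a loader that assembles the address from pieces or decodes it at runtime will not be caught; that is why the unknown_ws verdicts deserve review and why a diff of block content against a known-good baseline, as Sansec's monitoring advice suggests, is the more robust control.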