Nearly 5% of all Adobe Commerce and Magento stores have fallen victim to a malicious campaign dubbed "CosmicSting," according to a new report from Dutch cybersecurity firm Sansec. Among the victims are well-known brands such as Ray-Ban, National Geographic, Cisco, Whirlpool, and Segway. This widespread attack, targeting thousands of e-commerce platforms, has compromised sensitive customer data and infected checkout pages with payment skimming malware.

Sansec identified seven distinct hacker groups that have been exploiting the CosmicSting XML External Entity injection vulnerability (CVE-2024-34102) to infiltrate 4,275 online stores since June 2024.

On July 8, Adobe issued a critical severity rating for the CosmicSting vulnerability, urging online retailers to update their systems. However, automated attacks had already begun, and many stores had already been compromised. Even after merchants updated their platforms, existing secret cryptographic keys were not automatically invalidated, which left stores exposed to unauthorized access.

Adobe released a detailed guide on how to manually remove old secret cryptographic keys to close the vulnerability.

The attackers have leveraged these stolen cryptographic keys to generate API authorization tokens, allowing them to access sensitive customer data and modify store functionality. One of their primary tactics has been injecting payment skimmers into the checkout process, specifically through ‘CMS blocks’ in the Magento platform.

Sansec researchers discovered that attackers were using the Magento REST API to carry out these modifications, enabling them to insert malicious scripts that intercepted payment information. In some cases, multiple hacker groups targeted the same store simultaneously.