Adobe Commerce Flaw Exploited to Compromise Thousands of Sites


Over the past three months, multiple threat actors have exploited a critical Adobe Commerce vulnerability to compromise more than 4,000 online stores, Sansec reports.

The flaw, an improper restriction of XML external entity reference (XXE) issue, is tracked as CVE-2024-34102 (CVSS score of 9.8) and was addressed as part of Adobe’s June 2024 Patch Tuesday updates.

In mid-July, Adobe released a hotfix for the bug, warning that it was exploited in limited attacks, and the US cybersecurity agency CISA added it to its Known Exploited Vulnerabilities (KEV) list.

Using crafted XML documents, attackers can exploit the vulnerability without any user interaction to read arbitrary files from a vulnerable Adobe Commerce instance.
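The defence against the bug class described above is to parse untrusted XML with every DTD feature an XXE payload depends on switched off. The following is an added example, not code from Adobe Commerce, Magento or Sansec: it uses only Python’s standard-library expat bindings, and the function names (`parse_without_entities`, `classify`), the sample documents and the placeholder file path are all constructed for illustration. The parser aborts as soon as it sees a DOCTYPE, an entity declaration or an external entity reference, so a document shaped like an XXE payload is rejected before any file could be touched, while ordinary documents parse normally.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document uses a DTD feature that would enable XXE."""


def parse_without_entities(data: bytes) -> dict:
    """Parse XML into a nested dict, refusing DOCTYPEs and all entity machinery.

    The element/attribute/text handling is ordinary; the hardening consists of
    the param-entity setting and the three handlers that raise UnsafeXML.
    """
    parser = expat.ParserCreate()
    # Never expand parameter entities, so an external DTD can never be fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE declarations are not accepted")

    def refuse_entity_decl(*decl):
        raise UnsafeXML("entity declarations are not accepted")

    def refuse_external_ref(context, base, sysid, pubid):
        raise UnsafeXML("external entity references are not accepted")

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity_decl
    parser.ExternalEntityRefHandler = refuse_external_ref

    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def start(tag, attrs):
        node = {"tag": tag, "attrs": dict(attrs), "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end(tag):
        stack.pop()

    def chars(text):
        # expat may deliver text in several chunks; concatenate them.
        stack[-1]["text"] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    parser.Parse(data, True)
    return root["children"][0]


def classify(data: bytes) -> str:
    """Return 'parsed', 'rejected: ...' (XXE-shaped) or 'malformed: ...'."""
    try:
        parse_without_entities(data)
    except UnsafeXML as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"malformed: {exc}"
    return "parsed"


# Constructed benign document, as an API client might legitimately send.
BENIGN_ORDER = b"<order><id>42</id><sku>ABC-1</sku></order>"

# Constructed sample of the document class a hardened parser must refuse: it
# declares an external entity (system identifier is a placeholder path) and
# then references it. The parser aborts at the DOCTYPE, before any expansion.
XXE_SHAPED = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///placeholder/secret-file">]>'
    b"<d>&ext;</d>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_ORDER), ("xxe-shaped", XXE_SHAPED)):
        print(f"{label:11s} -> {classify(doc)}")
```

Rejecting any DOCTYPE outright is deliberately stricter than disabling entity expansion alone: legitimate API payloads for a store rarely need a DTD, and refusing the whole feature removes the billion-laughs and external-DTD variants as well. Note that this is only the parser-level mitigation; the page’s other point, that stolen crypt keys stay valid after patching, is addressed by key rotation, not by any change to XML handling.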

According to Sansec, which named the bug CosmicSting, attackers typically steal the store’s secret crypt key, which allows them to modify CMS blocks through the Magento API, and then exfiltrate customer data from the compromised stores.

“Combined with another bug (CVE-2024-2961), attackers can also run code directly on your servers and use that to install backdoors,” Sansec revealed in mid-September.

This week, the security firm warned that seven threat actors have been exploiting the vulnerability to hack 4,275 stores running Adobe Commerce and Magento versions that were not properly protected against CosmicSting.

Overall, 5% of all Adobe Commerce and Magento stores have been injected with a payment skimmer on their checkout page over the past three months.


Relying on automation, the attackers stole thousands of secret crypt keys. Because those keys were not automatically invalidated when the stores were later updated, the attackers retained the ability to make unauthorized modifications, the security firm notes.

“Our research found seven distinct groups running large scale campaigns. Each group uses CosmicSting attacks to steal secret Magento cryptographic keys. This key is then used to generate an API authorization token, enabling the attacker to access private customer data and insert payment skimmers into the checkout process,” Sansec says.

The security firm also explains that, while the first threat actor to compromise a website attempts to secure it against rivals, other attackers then exploit CosmicSting in an attempt to take control of the same site. In some cases, Sansec observed three different groups attacking the same store.

Threat groups involved in these attacks include Bobry, Polyovki (which has infected over 650 stores), Surki, Burunduki, Ondatry (which previously hacked into over 4,000 stores by exploiting CVE-2022-24086), Khomyaki, and Belki.

Adobe Commerce and Magento store owners are advised to update their installations as soon as possible, to apply the additional mitigations that Adobe recommended in July, and to install a security product.

Related: Critical Zimbra Vulnerability Exploited One Day After PoC Release

Related: Two Years On, Log4Shell Vulnerability Still Being Exploited to Deploy Malware

Related: Adobe Patches ‘Critical’ Security Flaws in Illustrator, After Effects

Related: Adobe Acrobat Reader Shuns Security Products Due to Compatibility Issues
