CosmicSting vulnerability exposes Adobe Commerce and Magento sites
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. Active exploitation of high-severity flaw in SolarWinds Serv-U file transfer software
A high-severity flaw (CVE-2024-28995) in SolarWinds Serv-U file transfer software is being actively exploited, allowing unauthenticated attackers to read sensitive files on the host machine through a directory traversal vulnerability. Affecting all versions up to Serv-U 15.4.2 HF 1, the flaw enables attackers to access critical files if the file path is known.
Security researchers have described the exploit as trivial, with recorded attacks from China targeting files like /etc/passwd. GreyNoise reported opportunistic attacks on its honeypot servers, and the public disclosure has lowered the barrier for malicious actors. Users are urged to update to Serv-U version 15.4.2 HF 2 (15.4.2.157) and implement strong access controls, regularly check for updates, and monitor network traffic for unusual activity.
2. Critical ‘CosmicSting’ vulnerability leaves Adobe Commerce & Magento sites exposed
The recently discovered ‘CosmicSting’ vulnerability (CVE-2024-34102) affecting Adobe Commerce and Magento websites remains largely unpatched, posing significant risks. This critical flaw, the most severe in two years for these platforms, allows XML external entity injection (XXE) and remote code execution (RCE) when combined with the iconv bug in Linux. Despite its potential for catastrophic attacks, about 75% of affected websites have not applied the patch, making them highly exploitable.
Affected products include various versions of Adobe Commerce, Magento Open Source, and the Adobe Commerce Webhooks Plugin. Users are urged to immediately update to the patched versions of Adobe Commerce (2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9), Adobe Commerce Extended Support (2.4.3-ext-8, 2.4.2-ext-8, 2.4.1-ext-8, 2.4.0-ext-8, 2.3.7-p4-ext-8), Magento Open Source (2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9), and Adobe Commerce Webhooks Plugin (1.5.0).
3. Critical MOVEit Transfer flaw CVE-2024-5806 actively exploited by hackers
Threat actors are quickly exploiting a critical authentication bypass vulnerability in Progress MOVEit Transfer (CVE-2024-5806) just hours after its disclosure. This flaw, with a CVSS score of 9.1, affects versions 2023.0.0 before 2023.0.11, 2023.1.0 before 2023.1.6, and 2024.0.0 before 2024.0.2, allowing attackers to bypass authentication in the SFTP module used for secure file transfers.
Approximately 2,700 MOVEit Transfer instances are exposed on the internet, primarily in the US, UK, Germany, Canada, and the Netherlands. Progress has released fixes in versions 2023.0.11, 2023.1.6, and 2024.0.2, available on their portal, and urges customers to update immediately. MOVEit Cloud customers have already received automatic patches.
4. Chinese cybercriminals launch global espionage with SpiceRAT & SugarGh0st
A new threat actor named SneakyChef has been conducting an espionage campaign, dubbed Operation Diplomatic Specter, targeting government entities across Asia, Europe, the Middle East, and Africa since August 2023. Using spear-phishing tactics with lures posing as government documents, particularly from Ministries of Foreign Affairs, SneakyChef deploys SugarGh0st malware.
Recent attacks have expanded to include countries like Angola, India, and Saudi Arabia, utilizing sophisticated techniques such as Windows Shortcut (LNK) files, self-extracting RAR archives (SFX) and recently introduced SpiceRAT to deliver malware. Organizations are advised to update security patches, enhance email security, educate users on phishing awareness, segment networks, and deploy advanced endpoint protection to mitigate risks associated with these campaigns.
5. Evolving Rust-based P2PInfect botnet deploys crypto miners and ransomware
P2PInfect, a peer-to-peer botnet initially targeting MIPS and ARM architectures, has evolved into a sophisticated threat using Redis server vulnerabilities to propagate ransomware and cryptocurrency miners. Managed via a decentralized mesh network, P2PInfect spreads by exploiting Redis servers, using a gossip protocol to distribute updated binaries across its network.
Recent updates include deploying miner and ransomware payloads, targeting low-value victims with a modest ransom demand of 1 XMR (~$165). The botnet also employs an SSH password sprayer and usermode rootkit to secure and expand its foothold. Organizations should secure Redis servers, regularly update systems, and monitor network traffic to detect and mitigate botnet activity.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.