Cisco merch shoppers stung in Magecart attack

The 'security issue' was caused by a 9.8-rated Magento flaw Adobe patched back in June

Bad news for anyone who purchased a Cisco hoodie earlier this month: Suspected Russia-based attackers injected data-stealing JavaScript into the networking giant's online store selling Cisco-branded merch.

Cisco has since fixed the issue caused by a flaw in Adobe's Magento platform, which could have allowed crooks to steal shoppers' credit card details and other sensitive information at checkout.

"A Cisco-branded merchandise website that's hosted and administered by a third-party supplier was temporarily taken offline while a security issue was addressed," a Cisco spokesperson told The Register

"Based on our investigation, the issue impacted only a limited number of site users, and those users have been notified," the spokesperson said. "No credentials were compromised."

In this particular case, the unknown attacker(s) reportedly exploited CVE-2024-34102, a critical, 9.8-rated vulnerability in Adobe Magento software, widely used by eCommerce websites and a favorite target for thieves looking to intercept and steal transaction data from unsuspecting consumers. These types of Magento-targeting exploits are collectively called Magecart attacks.

CVE-2024-34102, which puts unpatched systems at risk of XML external entity injection (XXE) and remote code execution (RCE), was spotted by researcher Sergey Temnikov, who claims he reported the issue to Adobe and received a $9,000 bug bounty for this find.

Adobe patched the flaw on June 11, but a week later, eCommerce monitoring firm Sansec reported that only 25 percent of stores had upgraded their software. Meanwhile, criminals automated the attack to scale to thousands of sites, and multiple proof-of-concept exploits popped up on GitHub and elsewhere.

It appears Cisco's merchandise store was one of these unpatched sites, and at the time of the attack was running Magento 2.4 (Enterprise).

According to c/side researchers who analyzed the malicious JS code, it was hosted on a domain with a Russia-based IP address. The domain, rextension[.]net/za/, was registered on August 30.

"The domain's recent registration raises red flags as it could indicate a fly-by-night operation designed for quick exploitation before being abandoned," c/side's Himanshu Anand noted

"Obfuscated scripts like these are difficult to detect without specialized monitoring, making them especially dangerous for both website owners and their customers," he added. ®

More about

TIP US OFF

Send us news


Other stories you might like