Cisco merch shoppers stung in Magecart attack

The 'security issue' was caused by a 9.8-rated Magento flaw Adobe patched back in June

[Jessica Lyons](/Author/Jessica-Lyons) Fri 6 Sep 2024 // 20:00 UTC

Bad news for anyone who purchased a Cisco hoodie earlier this month: suspected Russia-based attackers injected data-stealing JavaScript into the networking giant's online store selling Cisco-branded merchandise.

Cisco has since fixed the issue, which stemmed from a flaw in Adobe's Magento platform and could have allowed crooks to steal shoppers' credit card details and other sensitive information at checkout.

"A Cisco-branded merchandise website that's hosted and administered by a third-party supplier was temporarily taken offline while a security issue was addressed," a Cisco spokesperson told *The Register*.

"Based on our investigation, the issue impacted only a limited number of site users, and those users have been notified," the spokesperson said. "No credentials were compromised."

In this particular case, the unknown attacker(s) reportedly exploited [CVE-2024-34102](https://nvd.nist.gov/vuln/detail/CVE-2024-34102), a critical, 9.8-rated vulnerability in Adobe's Magento software. Magento is widely used by eCommerce websites and is a favorite target for thieves looking to intercept transaction data from unsuspecting consumers. Attacks of this kind, in which card-skimming JavaScript is planted on a compromised storefront (often via [Magento-targeting exploits](https://www.theregister.com/2023/08/11/magento_shopping_cart_attack_targets/)), are collectively called Magecart attacks.

CVE-2024-34102, which exposes unpatched systems to XML external entity injection (XXE) and remote code execution (RCE), was [spotted](https://github.com/spacewasp/public_docs/blob/main/CVE-2024-34102.md) by researcher Sergey Temnikov, who says he reported the issue to Adobe and received a $9,000 bug bounty for the find.

Adobe [patched](https://helpx.adobe.com/security/products/magento/apsb24-40.html) the flaw on June 11, but a week later eCommerce monitoring firm Sansec, which dubbed the bug CosmicSting, [reported](https://sansec.io/research/cosmicsting) that only 25 percent of stores had upgraded their software. Meanwhile, criminals automated the attack to scale to thousands of sites, and multiple [proof-of-concept exploits](https://x.com/coffinxp7/status/1807385510169743782) popped up on GitHub and elsewhere.

It appears Cisco's merchandise store was one of these unpatched sites, and at the time of the attack was running Magento 2.4 (Enterprise).

According to c/side researchers who analyzed the malicious JS code, it was hosted on a domain with a Russia-based IP address. The domain, rextension[.]net/za/, was registered on August 30.

"The domain's recent registration raises red flags as it could indicate a fly-by-night operation designed for quick exploitation before being abandoned," c/side's Himanshu Anand [noted](https://cside.dev/blog/cisco-client-side-magecart-javascript-attack).

"Obfuscated scripts like these are difficult to detect without specialized monitoring, making them especially dangerous for both website owners and their customers," he added.
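The "specialized monitoring" Anand refers to starts with knowing exactly which scripts a checkout page loads. The following is an added example, not code from c/side, Cisco or the original article: it parses a captured copy of a checkout page, flags any external script whose host is not on the store's allowlist (the usual shape of a Magecart loader such as the one served from a freshly registered domain here), and flags script bodies that carry common obfuscation markers. The allowlist, the host names and the sample HTML are constructed for the example and are not the Cisco store's real configuration.

```python
"""Checkout-page script inventory with Magecart-style skimmer heuristics.

Added example (not code from c/side, Cisco or the article). It walks every
<script> on a captured HTML page and flags:
  1. external scripts whose host is not on the store's allowlist, and
  2. inline or external script bodies carrying obfuscation markers.
The allowlist, host names and sample page below are constructed for the
example; they are not the Cisco store's real configuration.
"""
import math
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the store legitimately loads script from (an assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"static.example.com", "js.stripe.com"}

# Cheap textual markers typical of skimmer loaders; label -> regex.
OBFUSCATION_PATTERNS = {
    "eval": r"\beval\s*\(",
    "atob": r"\batob\s*\(",
    "fromCharCode": r"String\.fromCharCode",
    "unescape": r"\bunescape\s*\(",
    "hex-escape-run": r"(\\x[0-9a-fA-F]{2}){8,}",  # e.g. "\x63\x63\x5f..."
}
ENTROPY_THRESHOLD = 5.2   # bits/char; packed or base64-heavy code sits above this
ENTROPY_MIN_LEN = 200     # too little text makes an entropy reading meaningless


class ScriptCollector(HTMLParser):
    """Collects {"src": ..., "body": ...} for every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        # HTMLParser hands script content over as raw CDATA, possibly in pieces.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def shannon_entropy(text):
    """Bits per character of `text`; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def obfuscation_markers(code):
    """Return the labels of every obfuscation heuristic that fires on `code`."""
    hits = [label for label, pat in OBFUSCATION_PATTERNS.items() if re.search(pat, code)]
    if len(code) >= ENTROPY_MIN_LEN and shannon_entropy(code) > ENTROPY_THRESHOLD:
        hits.append("high-entropy")
    return hits


def triage_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return one finding per suspicious <script>: {"src": ..., "reasons": [...]}."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for script in collector.scripts:
        reasons = []
        host = urlparse(script["src"]).hostname if script["src"] else None
        # A relative src (host None) is same-origin; only foreign hosts are checked.
        if host and host not in allowed_hosts:
            reasons.append(f"external host not allowlisted: {host}")
        markers = obfuscation_markers(script["body"])
        if markers:
            reasons.append("obfuscation markers: " + ", ".join(markers))
        if reasons:
            findings.append({"src": script["src"], "reasons": reasons})
    return findings


# Constructed checkout page: two legitimate hosts, one same-origin script,
# one loader from an unknown host, one obfuscated inline snippet, one benign inline.
SAMPLE_CHECKOUT_HTML = r"""
<html><head>
<script src="https://static.example.com/checkout.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="/js/analytics.js"></script>
<script src="https://skimmer-cdn.invalid/za/loader.js"></script>
<script>
var _0x4f2a=["\x63\x63\x5f\x6e\x75\x6d\x62\x65\x72","\x76\x61\x6c\x75\x65"];
document.querySelector('form').addEventListener('submit',function(){
  eval(atob('ZmV0Y2go'));
});
</script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding in triage_page(SAMPLE_CHECKOUT_HTML):
        print(finding["src"] or "<inline>", "->", "; ".join(finding["reasons"]))
```

Run it against a copy of the live checkout page fetched on a schedule and alert on any new finding; the first two heuristics would have caught a loader pulled from a just-registered domain regardless of how the body was packed. The obfuscation markers fire on legitimate minified bundles too, so pin known bundles by hash (or enforce them with SRI and a `script-src` allowlist in CSP) rather than tuning the heuristics until they stay quiet.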
®
