News September 09, 2024
Cisco Online Merch Store Temporarily Shuttered Amid Cyberattack
The site was back up and running following the hacking by digital criminals allegedly based in Russia.
A web store selling branded merchandise for technology giant Cisco was temporarily taken offline after hackers reportedly based in Russia infiltrated the site with JavaScript that aims to steal customers’ sensitive information, including credit card details, at checkout.
The digital criminals were able to exploit a flaw in Adobe’s Magento platform to place the information-filching script onto the site. The web store was temporarily down, but was back online again as of at least Monday, Sept. 9.
In a statement to The Register, Cisco said no credentials were compromised during the cyberattack. However, what the multinational digital communications technology conglomerate described as a “limited number of site users” were impacted. “Those users have been notified,” a spokesperson told The Register.
Cisco also confirmed the site was down for a spell, saying the vulnerability was quickly addressed after being discovered and the site bulwarked against the invasive JavaScript.
“A Cisco-branded merchandise website that’s hosted and administered by a third-party supplier was temporarily taken offline while a security issue was addressed,” the Cisco spokesperson said.
ASI Media has contacted a global branding and logistics company that’s believed to be administering the site for comment.
“Unfortunately, this type of attack against e-commerce sites is common,” said Seth Kusiak, chief information security officer at ASI.
Another ‘Magecart’ Attack
According to various reports, the sophisticated hackers found a way into the Cisco site through a vulnerability known as CVE-2024-34102, which impacts Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier.
In laymen’s terms, it’s possible to inject code that steals customer data through the weak point – considered so significant a vulnerability that it’s been given a 9.8 severity score on the Common Vulnerability Scoring System from the National Institute of Standards and Technology.
“Unfortunately, this type of attack against e-commerce sites is common.” Seth Kusiak, ASI
Adobe issued a security patch in June, but many sites reportedly were not updated. E-commerce monitoring firm Sansec reported that as many as 75% of vulnerable stores had not implemented the patch within a week of its issuing. Certainly some went on even longer without the upgrade.
Kusiak shared that the type of attack that happened to Cisco has become so common that the Payment Card Industry (PCI) Security Standards Council made new best practices to address them. The Register reported that the “Magento-targeting exploits” are typically called Magecart attacks.
“The 6.4.3 requirement [see pg. 43] is considered best practice until March 31, 2025,” Kusiak explained. “After that date, it becomes a PCI requirement that all merchants are to comply with.”
The 6.4.3 standard indicates that site administrators must implement a method to confirm that each script is authorized, have a method to assure the integrity of each script and maintain an inventory of all scripts with written justification as to why each is necessary.
Counselor Top 40 distributor BAMKO (asi/131431) wasn’t involved in the Cisco site or its hacking. Still, company President Jake Himelstein said the attack is a sobering reminder that promo companies must take all possible precautions on cybersecurity to prevent customers from being exploited.
“The Cisco incident underscores the ever-present threat of cyberattacks, even for industry giants,” Himelstein, a member of Counselor’s Power 50 list of promo’s most influential people, told ASI Media. “Hackers are getting more sophisticated every day. We have to be a step ahead.”
Mike Wolfe, CEO of Counselor Top 40 distributor Zorch (asi/366078), expressed similar sentiments, saying industry companies must keep current with recommended updates/modifications to improve security.
“If you want to service large corporate programs, IT security is another example of where distributors need to make additional investments,” Wolfe, whose firm also was not involved with the Cisco situation, told ASI Media. “As our service offerings get more complex -- in many cases, our systems interface directly with clients’ systems -- these types of security alerts must be taken seriously. Long gone are the days that you can purchase/implement a system and just use it for an extended period of time. The issue at Cisco is another clear example of why continuous investment needs to be made.”