Intel Reports

Activity Summary - Week Ending on 22 June 2023:

• Red Sky Alliance identified 3,649 connections from new IP’s checking in with our Sinkholes
• SmartMediaNetwork in Ukraine attacked again and hit 488x (2^nd week)
• 2,321 ‘new’ Botnets hits
• New Magecart-Style Campaign
• Microsoft
• Australia PwC
• MOVEit
• Back to the Future in Germany
• Granules India – Rx Hit

Red Sky Alliance Compromised (C2) IP’s 

On 21 June 2023, Red Sky Alliance identified 3,649 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Red Sky Alliance Malware Activity   

For a full black list – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 21 June 2023, analysts identified 2,321 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).  We are currently upgrading this collection.

MALICIOUS CYBER TRENDS:

New Magecart-Style Campaign - A new Magecart-style skimmer has been making waves in recent weeks.  The key distinguishing characteristic of this latest campaign is its utilization of compromised legitimate websites to facilitate the concealment of attacks on other targeted websites behind their genuine domains.

The primary objective of a Magecart attack is to steal PII and credit card details from the checkout pages of digital commerce websites. Traditionally, this type of attack was primarily executed on the Magento digital commerce platform; however, in this campaign and others like it, Akamai researchers were able to identify exploitation of websites built with Magento, WooCommerce, WordPress, and Shopify, demonstrating the growing variety of vulnerabilities and abusable platforms that are available to attackers.   Generally, these attacks cannot be detected by popular methods of web security, such as web application firewalls (WAFs), and are executed on the client side.  This may result in Magecart attacks remaining unnoticed for long periods.[1]

Over the past few weeks, we have identified an active, ongoing campaign, leveraging sophisticated infrastructure and capabilities to deliver Magecart-style web skimming attacks, and Akamai has uncovered numerous digital commerce websites that are victims of this campaign.  It is reasonable to assume that there are additional legitimate websites that have been exploited as part of this extensive campaign.

A large-scale, long-term attack - Unsurprisingly, this campaign primarily targets commerce organizations.  The scale of the attack, however, is notable.  Some victim organizations see hundreds of thousands of visitors per month.  This may result in thousands, even tens of thousands, of victims of stolen credit card data and PII.  For many of the victims, the attack has been going unnoticed for close to a month, increasing the potential for damage.  Additionally, Akamai researchers are observing the campaign’s effects on organizations in the United States, the United Kingdom, Brazil, Spain, Australia, Estonia, and Peru.  

Web skimming attacks can be very harmful for digital commerce organizations.  The loss of PII and credit card data can be damaging to the organizations’ reputation among other repercussions.  Many of the most high-profile Magecart attacks were undetected for months, if not years.  Of the 9,290 digital commerce domains that underwent Magecart attacks in 2022, there were 2,468 that remained actively infected at the close of that year, making it a formidable threat for commerce organizations.

The hack before the hack — setting up the attack infrastructure.  One of the most notable parts of the campaign is the way the attackers set up their infrastructure to conduct the web skimming campaign.  Before the campaign can start in earnest, the attackers will seek vulnerable websites to act as “hosts” for the malicious code that is used later on to create the web skimming attack.  Rather than using the attackers’ own C2 server to host malicious code, which may be flagged as a malicious domain, attackers hack into (using vulnerabilities or any other means at their disposal) a vulnerable, legitimate site, such as a small or medium-sized retail website, and stash their code within it. In this way, the attackers create a seemingly healthy host for their malicious code, and can deliver it to any victim they choose.  In essence, this campaign creates two sets of victims.

Host victims: These are legitimate websites that are hijacked for the purpose of hosting the malicious code used in the attack.  The attackers will then use these sites to deliver their code during an attack.  Since these sites normally operate as legitimate businesses, they are less likely to raise suspicion when connecting to a victim. These sites then act as part of the infrastructure for the attack, essentially behaving as an attacker-controlled server.  The intention is to conceal the malicious activity behind a domain with a good reputation.

Web skimming victims: These are vulnerable commerce websites that are targeted with a Magecart-style web skimming attack by the attackers.  Instead of directly injecting the attack code into the website's resources, the attackers employ small JavaScript code snippets as loaders to fetch the full attack code from the host victim website, allowing them to more effectively conceal most of the malicious code used in the attack.  Although it is unclear how these sites are being breached, based on our recent research from similar, previous campaigns, the attackers will usually look for vulnerabilities in the targeted websites’ digital commerce platform (such as Magento, WooCommerce, WordPress, Shopify, etc.) or in vulnerable third-party services used by the website. 

Akamai researchers observed a small number of websites serving as the host victims.  All of these websites appear to be commerce websites. In some cases, the exploited host websites appear to be abused twice.  First, they are used as hosts for malicious code, as previously mentioned.  Second, they themselves are subjected to a Magecart-style web skimming attack, enabling the theft of user information.  Not only were they compromised and subjected to data theft by the injected code, but they also unwittingly served as a vehicle for spreading the skimmer's malicious activities to other vulnerable websites. 

Taking advantage of established reputations and inherent trust - During the Akamai investigation, analysts also uncovered some sites that we believe might be fake, possibly created by the attacker.  These seem to operate as phishing websites, mimicking small retail stores, using domains that closely resemble those of the original legitimate sites.  The practice of using exploited domains from legitimate websites provides the attacker with several advantages when it comes to concealing their malicious activities.  By hiding behind domains that have established reputations and positive associations, the skimmer creates a smokescreen that makes it increasingly difficult to identify and respond to the attack.  One of the primary advantages of utilizing legitimate website domains is the inherent trust that these domains have built over time.  Security services and domain scoring systems typically assign higher trust levels to domains with a positive track record and a history of legitimate use.  As a result, malicious activities conducted under these domains have an increased chance of going undetected or being treated as benign by automated security systems.  Analysts were unable to disclose the domains of the legitimate websites that were exploited and used to host attacks on other targeted websites since disclosure requires the organizations’ confirmation and cooperation.

Hiding in plain sight — loading the malicious code onto victim websites.  Once the infrastructure is set, attackers will look for targets with vulnerable digital commerce platforms or vulnerable third-party services in order to inject the web skimmer code.  The attacker employs a clever technique by injecting an inline (meaning that script that is embedded inside HTML, not loaded from an external file) JavaScript code snippet into the pages of exploited websites.  This snippet serves as a loader, fetching the complete malicious code from the host websites that were set in the earlier stage.  Notably, the structure of the injected snippet is intentionally designed to resemble popular third-party services such as Google Tag Manager or Facebook Pixel.  This approach has gained popularity among web skimming campaigns in recent years, as it helps the malicious code blend in seamlessly, disguising its true intentions.  Furthermore, to obfuscate the URL of the exploited websites hosting the full attack code, the skimmer utilizes Base64 encoding (Figure 1).  This technique has become widely favored among skimmers as it effectively masks the origins and purpose of the code.

Fig. 1: Malicious JavaScript code snippet that impersonates a Google Analytics snippet and is used as a loader of the attack

• In doing this, the attacker employs three methods of avoiding detection. 
• Obfuscate the domain used in the attack 
• Cleverly mask the loader as a legitimate third-party script or vendor
• Reduce the amount of malicious code that needs to be injected into the page by pulling the majority of the code from other sources, which greatly reduces the chance that the code will be discovered
• Once the loader is injected, any user who attempts to check out from the web skimming victim website will have their personal details and credit card information stolen and sent out to the attackers’ C2 server. 

Analyzing the code — obfuscated Magecart attack.  During our examination, we identified two distinct variations of the skimmer code.  The initial variation exhibited a high level of obfuscation, resulting in increased complexity when we attempted to decipher its flow and logical structure.  The attacker employs obfuscation as a tactic to interfere with debugging and research, deliberately making it challenging to comprehend the precise sequence of the attack.  Obfuscating malicious code is a widely adopted practice among diverse web skimming attacks, and it has gained increased popularity across numerous campaigns in recent years (Figure 2).

Fig. 2: Malicious code — variation 1

After decoding the Base64 strings embedded within the obfuscated code, we discovered a list of Cascading Style Sheets (CSS) selectors.  These selector names explicitly indicated that the skimmer targeted input fields responsible for capturing PII and credit card details.  The presence of these CSS selectors within the decoded code provides absolute evidence of the skimmer's malicious intent.  

By specifically targeting input fields used for gathering sensitive user data, the skimmer's objectives become clear: to intercept and exfiltrate PII and credit card details for illegal purposes.  It also hints at a level of intelligence gathering; for these input fields to match, the attacker needs to “tailor” the code to each victim (Figure 3).

Fig. 3: Decoded sensitive field names targeted by the skimmer

The second variation of the malicious code discovered in this campaign exhibited less obfuscation, rendering it more comprehensible and easier to analyze.  Like the first variation, the strings that could potentially expose the code's intentions were Base64 encoded, allowing us to readily decipher their meaning (Figure 4). 

What makes the second variation interesting is the presence of certain indicators within the code; these indicators served as valuable clues, aiding us in the identification of additional victim websites and instances associated with this campaign. 

Fig. 4: Malicious code — variation 2

Exfiltrating the stolen data - The process of exfiltrating the stolen data is executed through a straightforward HTTP request, which is initiated by creating an IMG tag within the skimmer code.  The stolen data is then appended to the request as query parameters, encoded as a Base64 string (Figure 5).  To obfuscate the transmitted data, the skimmer encodes it as a Base64 string.  This encoding technique provides a layer of disguise, making it more challenging for security systems and network monitoring tools to identify that sensitive information is being exfiltrated.  Once the Base64-encoded data reaches the attacker's server, it can be easily decoded to its original format, exposing the stolen PII and credit card details.  Exfiltration will only happen once for each user going through checkout.  Once a user’s information is stolen, the script will flag the browser to ensure it doesn’t steal the information twice (to reduce suspicious network traffic).  This further increases the evasiveness of this Magecart-style attack.

Fig. 5: Data exfiltration using IMG tag, which initiates an HTTP request to the skimmer’s C2 with Base64 encoded query parameters

Security recommendations and mitigations - To plant a web skimmer, attackers will need to get initial access to the server either by exploiting a vulnerability or by abusing one of the existing third-party scripts.  To prevent this initial access to the server, security practitioners are advised to keep up with the most recent patches and complement them by implementing a WAF.  However, the complexity, deployment, agility, and distribution of current web application environments and the various methods attackers can use to install web skimmers require more dedicated security solutions, which can provide visibility into the behavior of scripts running within the browser and offer defense against client-side attacks.  An appropriate solution must move closer to where the actual attack on the clients occurs. It should be able to successfully identify the attempted reads from sensitive input fields and the exfiltration of data (in our testing we employed Akamai Page Integrity Manager). Analysts recommend that these events are properly collected in order to facilitate fast and effective mitigation.

Conclusion - This campaign serves as a reminder that web skimming remains a critical security threat, with malicious actors constantly evolving their tactics to conceal their activities and make detection more challenging.  The new script security requirements outlined in PCI DSS v4.0 also echo this statement, now requiring any organization that processes payment cards online to have mechanisms in place to detect and respond to these types of attacks.  The primary solution for effectively combating web skimming lies in the utilization of tools and technologies that provide behavioral and anomaly detection.  Traditional static analysis tools prove inadequate in countering web skimmers, as they continually modify their methods and employ increasingly sophisticated techniques that can evade static analysis.

Akamai expects to encounter similar campaigns intermittently, as this cat-and-mouse game is likely to persist.  As the battle between defenders and attackers in the realm of web skimming continues, it is crucial to stay proactive and invest in innovative security measures.  By adopting advanced detection technologies that adapt to changing attack vectors, organizations can better safeguard their online platforms, protect user data, and maintain the trust of their customers.  Continued research, collaboration, and vigilance are essential in the ongoing fight against web skimming threats.

IOCs / Exfiltration domains:

• byvlsa[.]com
• chatwareopenalgroup[.]net

GLOBAL TRENDS:

US - The disruptions to Microsoft’s services earlier this month were indeed the result of hacks, the software giant has admitted.  In a blogpost on 16 June, the Redmond, Washington-based tech behemoth attributed the “surges in traffic against some services that temporarily impacted availability” to the “ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359.”  Messaging platform Telegram, code management site GitHub, and network provide Dyn have all faced similar attacks in the last decade.  In Microsoft’s case, attackers focused on “disruption and publicity” used rented cloud infrastructure and virtual private networks to flood Microsoft servers from so-called botnets of zombie computers around the globe.  The company said it has “seen no evidence that customer data has been accessed or compromised.”[2]

A brief timeline of Microsoft getting hacked:  5 June: Thousands of users complain of Microsoft Outlook being down.  The Microsoft 365 acknowledges the outage and says it is investigating the matter on Twitter.  The company says Microsoft Teams, SharePoint Online and OneDrive for business have also been impacted.  Hours later, everything is restored.  But attacks will continue through the week.  June 6: Anonymous Sudan claims to have compromised Microsoft’s systems and stolen tens of millions of customers’ data.  June 8: Computer security news site BleepingComputer.com reports that cloud-based OneDrive file-hosting was down globally for a time.  June 9: Microsoft confirms that its Azure cloud computing platform has been affected.

Anonymous Sudan’s attack on Microsoft, by the digits 18,000: People affected simultaneously at the peak of the 5 June attack.  30 million: How many customers’ data Anonymous Sudan claims to have stolen during the attack on Microsoft’s suite of services.  Microsoft has not disclosed a number on its end.  $1 million: The ransom Anonymous Sudan apparently demanded off Microsoft.  It is a third of what it asked off Scandinavian Airlines earlier in the month.

A brief explanation of why Anonymous Sudan is targeting American companies:  The attack came after Anonymous Sudan misinterpreted a statement by US Secretary of State Antony J. Blinken, who was visiting Saudi Arabia on 1 June and discussed the ongoing conflict in the east African country.  Blinken talked about “looking at steps that we can take to make clear our views on any leaders who are moving Sudan in the wrong direction, including by perpetuating the violence and by violating ceasefires that they’ve actually committed to.” The hackers mistook this as a sign that the US would potentially invade Sudan, threatening to “target critical infrastructure” of American countries in retaliation.  On 1 June, the US announced visa restrictions for high-profile individuals and economic sanctions for various entities in Sudan, including the Sudanese Armed Forces (SAF) and Rapid Support Forces (RSF), in response to recent “looting, occupation of and attacks on civilian residences and infrastructure, use of aerial bombardment and artillery, attacks and prohibited movements, and obstruction of humanitarian assistance and essential services restoration.”

Australia – Australia accounting firm PwC has been under siege the past few weeks over a tax scandal and it’s just been dealt another blow as Russian hackers have obtained sensitive data.  Late on 19 June, the Australian Financial Review reported that PwC had been caught up in a cyber security breach.  A notorious cyber crime syndicate called CI0P, which has made headlines in the past for its ransom demands, targeted the big four accounting firm.  The group reportedly obtained client data after hacking a third party software called MOVEit, that PwC used to transfer confidential information.  It is not just PwC; a number of companies have been impacted due to the weakness the hackers discovered inside MOVEit.[3]

Medibank and rival accounting firm EY have also been hacked, as they are also clients of MOVEit.  Last week, US authorities confirmed several American businesses had also been similarly breached.  Several US government agencies, as well as British Airways and the BBC, are among those who have been held to ransom by the cyber syndicate.  The worst case appears to be the US state of Louisiana, where every single current driver’s license holder, identification car of car registration has had their information stolen.  The widespread hack reportedly occurred two weeks ago, and last week CI0P warned victims they had seven days to adhere to their ransom demands, or they would expose which companies had been hit and leak the stolen data on the dark web.

PwC said the hack had impacted a small number of clients and that they have since stopped using MOVEit to disseminate information.  “We are aware that MOVEit, a third-party transfer platform, has experienced a cybersecurity incident which has impacted hundreds of organizations including PwC,” a PwC Australia spokesperson said.  “PwC uses the software with a limited number of client engagements.  “As soon as we learned of this incident we stopped using the platform and started our own investigation.”  They also added they had reached out to affected clients to notify them of the breach.

Health insurer Medibank and rival accounting firm EY also used the MOVEit software for sensitive client data.  As yet, EY is unsure if data has been breached.  An EY spokesperson told Sky News the business learned that MOVEit had a “a critical vulnerability” at the end of May.  “We immediately launched an investigation into our use of the tool and took urgent steps to safeguard any data,” an EY representative said.  “We have verified that the vast majority of systems which use this transfer service across our global organization are secure and were not compromised. We are manually and thoroughly investigating systems where data may have been accessed.  Our priority is to first communicate to those impacted, as well as the relevant authorities. Our investigation is ongoing.”

Medibank believes it has avoided a crisis.  “We continue to investigate and work closely with the vendor, and at this stage we are not aware of any of our customers’ data being compromised," a spokesperson said.  PwC is just the latest Australian firm to have fallen victim to a sophisticated cyber-attack.  Earlier this month, Australian law firm HWL Ebsworth had stolen data related to hundreds of clients and spanned at least five years. The firm said in a court hearing it had spent more than 5000 hours battling the hack.  There was also the hack of financial firm Latitude, which saw the passport numbers, driver’s licenses and/or Medicare numbers stolen from 333,000 customers.  Last year, Medibank and telco company Optus also lost millions of customer data to two separate hacks.

PwC has been on the rocks in recent weeks amid a controversial tax scheme.  In May, the financial services firm’s former head of international tax, Peter Collins was found to have leaked a confidential government briefing about combating tax avoidance with clients and partners.  Mr. Collins has since been banned from acting as a tax practitioner, and federal Treasury has referred the scandal to the Australian Federal Police for a criminal investigation.  PwC Australia chief executive Tom Seymour also resigned after he was revealed to have received emails with confidential Treasury information from Mr. Collins.  Last week, the NSW government revealed it would suspend engaging PwC on any new tax work due to the saga.

Germany - The German regional media group Rheinische Post produced emergency editions of its papers on 19 June after a cyber-attack at the in-house IT service provider.  The printed and digital editions of the regional newspapers in western Germany could not be offered in the usual form, the Rheinische Post said.  Apparently, no data had been stolen, it said, including data from customers. Individual technical systems had to be switched off because of the attack and the connection to the internet had to be cut, the group said.  The Gutenberg Press was not used (jk).

The Aachener Zeitung, which belongs to the same media group, addressed its readers on the first page saying that they were publishing an emergency edition, "which does not fully correspond to what you are used to from us." The Bonn-based General-Anzeiger produced an edition that was "not published to the usual extent and with the usual topicality."  The news portals of the affected newspapers were only accessible to a limited extent on Monday. The disruption has been ongoing since Friday evening, according to the publisher.  "We reacted in time. We are working around the clock to solve the problems and we are making progress," the Rheinische Post said earlier this week.[4] 

India - Lockbit, a Russian-linked ransomware group has recently claimed a cyber-attack on Indian pharmaceutical giant Granules India, and published portions of the data it allegedly stole.  Granules India was one of the most recent victims listed on Lock Bits’ dark web Leak site on 21 June.  Though, granules the ransom attack has not yet been confirmed in India.  The business reported last month a cybersecurity incident to Indian stock exchanges occurred.  Granules said the affected IT assets were isolated at the time.  “The company is investigating the matter with utmost priority.”  The appropriate containment and remediation actions are being taken in a controlled manner to address the incident, the company said on 25 May.  According to a recently published joint advisory by the US federal agency Cybersecurity CISA and its international counterparts in Australia, Canada, France, Germany, New Zealand, and the United Kingdom

Granules - Lockbit has become the most famous used ransomware variant globally in 2022 and 2023. Last month, Granules India allegedly reported a 7.8% rise in quarterly profit to $14.6 million for the quarter that ended on 31 March.  In the last few months, the ransomware gang claimed attacks on various prominent tech companies including IT services company Accenture, tech manufacturer Foxconn, UK health service vendor Advanced, and British postal service Royal Mail.  Lock bit threat actors have extorted nearly $91 million in ransoms through about 1,700 attacks and targeting US companies since 2020.[5]

The Lockbit ransomware group is a ransomware group that was first spotted on the Russian Language based cybercrime forums in Jan 2020. The group steals sensitive data from the network before encrypting it and threatens to release data to the public if the desired ransom is not paid.  The LockBit’s cyber-attack on Granules India brings to light the expanding danger that ransomware attacks pose to businesses around the world.  The incident highlights the necessity for businesses to take preventative steps to safeguard their networks and data from online threats.  To stop ransomware attacks, businesses should put strong cybersecurity measures in place, such as firewalls, antivirus software, and intrusion detection systems.  To increase awareness of the dangers of cyber threats, they should also conduct routine security audits and employee training.  Businesses can lessen their exposure to cyber risks and safeguard their operations from the devastating effects of ransomware attacks by taking proactive measures.

[1] https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains

[2] https://www.msn.com/en-us/money/other/microsoft-admitted-it-was-targeted-in-a-cyber-attack-claimed-by-a-russian-linked-group-called-anonymous-sudan/ar-AA1cJE81

[3] https://www.news.com.au/finance/business/other-industries/notorious-russian-cyber-criminals-hack-australian-accounting-firm-pwc/news-story/af36a8b93f0bf466c2beed9f116a556d

[4] https://www.msn.com/en-xl/news/other/german-newspapers-print-emergency-editions-after-cyber-attack/ar-AA1cJQVt

[5] https://www.techjuice.pk/lockbit-claims-ransomware-attack-on-pharma-giant-granules-india/