Rewterz Threat Alert – Discovery of Malware Sample in E-commerce Blog Site Compromise – Active IOCs

Severity

High

Analysis Summary

In a recent incident, Visa PFD experts acquired a malware sample from an attack initially reported against a North American eCommerce retailer. In this attack, threat actors targeted the victim’s non-payment website infrastructure, including content management systems (CMS) and blogs hosted on third-party platforms, aiming to gain access to the eCommerce server. Exploiting the absence of segmentation between payment and non-payment web infrastructure, the threat actors moved laterally from the compromised non-payment infrastructure into the eCommerce payment environment. Within the payment environment, the attackers inserted digital skimming code into legitimate files, allowing them to harvest payment account details, particularly primary account numbers (PAN), from customers who made orders on the victim’s checkout webpage.

In early 2023, a digital skimming attack was identified. In this case, the threat actors initially compromised the victim’s non-payment infrastructure through undisclosed methods. They then deployed a PHP backdoor, recognized as a variant of the commonly available PAS Web Shell, into the victim’s content management system (CMS) environment, providing them with persistent access. The threat actors further exploited a vulnerability related to legacy SSH keys to establish a connection between the CMS servers and the eCommerce payment infrastructure. Leveraging this connection, the attackers infiltrated the payment infrastructure and appended malicious digital skimming code to authentic PHP files within that environment. This malicious code utilized regular expressions to identify payment account data, which was subsequently exfiltrated to a domain controlled by the threat actors, namely ‘transff.ignorelist.com/b6b7[.]php.’

This attack underscores the importance of implementing robust security controls on non-payment-related eCommerce infrastructure. Strengthening security measures on non-payment infrastructure can mitigate the impact of such an attack or potentially prevent it altogether.

Note: The report’s indicators of compromise are sourced from a regulatory body.

Impact

• Unauthorized Access
• Sensitive Informative Theft

Indicators of Compromise

Domain Name

• transff.ignorelist.com

MD5

• 336cfed2ce373d987848e8fc9c822140

SHA-256

• 10b488402bead17bf5aa2380837569979902bb0ec4d8e048545c9374a3ebe63f

SHA-1

• ea9b5c02756f8ef2c8ec2520e89342996045d224

URL

https://transff.ignorelist.com/b6b7.php

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets
• Regularly test and apply security patches and software updates.
• Implement a monitoring process for client-side shopping cart resources to detect and validate changes in payment fields and scripts during the checkout process.
• Minimize third-party scripts and resources on the checkout page to essential ones for business operations.
• Establish network segmentation to prevent lateral movement by threat actors and safeguard cardholder data.
• Review and confirm the proper implementation of authentication processes and technologies.
• Thoroughly assess code integrated into website environments via service providers and validate updates, while closely examining Content Delivery Networks (CDNs) and other third-party resources.
• Secure administrative panels and privileged accesses, ensuring they are not publicly accessible.
• Enforce strong administrative passwords and enable two-factor authentication for added security.
• Log network and web server activity and conduct regular reviews and audits of these logs to detect unusual and suspicious activities.