September 20, 2023
Severity
High
Analysis Summary
A new payment card skimming campaign called “Silent Skimmer” has been identified by researchers, and it is targeting online payment businesses in the Asia-Pacific (APAC) and North America and Latin America (NALA) regions. This campaign has been active for a year and is ongoing. Evidence suggests that Chinese actors are behind it, as the attacker is believed to be from the APAC region and proficient in the Chinese language.
Silent Skimmer appears to be financially motivated. The attacker gains initial access by exploiting known vulnerabilities and compromised web servers. Ultimately, they deploy payment scraping tools on infected sites to steal sensitive financial data.
Initially, the campaign primarily targeted companies in the APAC region. However, starting from October 2022, the attacker expanded their focus to include Canada and North America. Researchers noted a significant increase in attacks since May 2023. The threat actor exploited a critical vulnerability which allows remote code execution. This same bug was previously used by China-backed Hafnium group and Vietnam’s XE group.
The victims of Silent Skimmer come from diverse industries and sectors. The attacker accesses the payment pages of web applications and sites to deploy malware. This malware is used to steal credit card numbers and billing information from online buyers. The stolen data is then exfiltrated through Cloudflare.
In terms of tactics, techniques, and procedures (TTPs), the attacker hosts all their tools and payloads on an HTTP File Server that they control. This server is deployed on a temporary virtual private server (VPS) whose location aligns with the attacker’s suspected location. Additionally, the attacker exploits a .NET deserialization flaw known as CVE-2019-18935 to execute code remotely on their targeted servers.
The researchers noted that the hackers used various tools to achieve privilege escalation. They also used many legitimate open-source tools and scripts in many of their attacks.
The payload executed through this vulnerability deploys a PowerShell script, which acts as a remote access tool (RAT). This RAT has various functions, including collecting system information, searching for, downloading, and uploading files, and connecting to a database. The RAT connects to a server that offers a range of tools, including remote access scripts, downloader scripts, webshells, Cobalt Strike beacons, and exploits. There is also a Fast Reverse Proxy tool that allows attackers to expose local servers from behind a NAT.
The actor behind Silent Skimmer primarily targets individual websites and prefers using tools developed by a GitHub user named ihoney.
To evade detection, the actor continually readjusts their command and control (C2) infrastructure based on the geolocation of the victims. They use VPS servers as C2 servers for new targets, with each C2 server remaining online for less than a week. These servers are located in the victim's country or region, which makes traffic from compromised servers hard to distinguish from normal traffic.
Impact
- Gain Access
- Unauthorized Access
- Privilege Escalation
- Financial Loss
- Sensitive Information Theft
Indicators of Compromise
URL
- https://cdn.nigntboxcdn.com/Nigntboxcdngetdata.php
MD5
- 8296fbec36223ad4d5dbe47e68ff9469
SHA-256
- ae89f5aa5c2dc71f4d86d9018000e92940558f3e5fe18542f48dea3b607c7d3b
SHA-1
- 249d60dcc9659bc1f9b715f5c52e057e1bdff4e4
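The indicators above are only useful once they are checked against your own telemetry. The following script is an added example, not part of the Rewterz advisory: it takes the advisory's URL and file hashes as published and sweeps two constructed data sets, a few proxy log lines in a made-up space-separated format and a hash inventory of the kind an EDR or file-integrity tool exports. The log lines, the file paths and the non-IoC digests are all constructed for the example; only the C2 domain and the three hashes come from the advisory. Domain matching is case-insensitive and ignores the path, so a callback to a different script on the same host is still flagged; hash matching normalises case and accepts whichever algorithm the inventory happens to record.

```python
import re
from typing import Dict, List

# Indicators published in the advisory (URL, MD5, SHA-1, SHA-256).
IOC_URL = "https://cdn.nigntboxcdn.com/Nigntboxcdngetdata.php"
IOC_DOMAIN = "cdn.nigntboxcdn.com"
IOC_HASHES = {
    "md5": "8296fbec36223ad4d5dbe47e68ff9469",
    "sha1": "249d60dcc9659bc1f9b715f5c52e057e1bdff4e4",
    "sha256": "ae89f5aa5c2dc71f4d86d9018000e92940558f3e5fe18542f48dea3b607c7d3b",
}

# Constructed sample proxy log (not real traffic). Fields: timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = """\
2023-09-20T10:01:02Z 10.0.0.5 GET https://www.example.com/checkout 200
2023-09-20T10:01:09Z 10.0.0.5 POST https://cdn.nigntboxcdn.com/Nigntboxcdngetdata.php 200
2023-09-20T10:02:15Z 10.0.0.7 GET https://static.example.com/app.js 304
2023-09-20T10:03:40Z 10.0.0.9 GET http://CDN.NIGNTBOXCDN.COM/other.php 404
"""

# Constructed hash inventory (path -> {algorithm: digest}). Paths are hypothetical;
# the first and third digests are the well-known hashes of an empty file, the
# second is the advisory's MD5 written in upper case to exercise normalisation.
SAMPLE_HASH_INVENTORY = {
    "/var/www/app/wwwroot/index.html": {
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "/var/www/app/App_Data/upload.tmp": {
        "md5": "8296FBEC36223AD4D5DBE47E68FF9469"},
    "/var/www/app/bin/legit.dll": {
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
}

# Extracts the host part of an http(s) URL; the path is deliberately ignored.
HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Return the log entries whose URL host is the advisory's C2 domain."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line, skip rather than crash
        ts, client, method, url, status = parts[:5]
        m = HOST_RE.match(url)
        if m and m.group(1).lower() == IOC_DOMAIN:
            hits.append({"timestamp": ts, "client": client, "method": method,
                         "url": url, "status": status})
    return hits


def matching_algorithms(digests: Dict[str, str]) -> List[str]:
    """Return the algorithms whose digest equals a published IoC hash (case-insensitive)."""
    return sorted(algo for algo, digest in digests.items()
                  if IOC_HASHES.get(algo.lower()) == digest.lower())


def scan_hash_inventory(inventory: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the paths whose recorded digest matches any of the advisory's hashes."""
    return sorted(path for path, digests in inventory.items() if matching_algorithms(digests))


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("C2 contact:", hit["timestamp"], hit["client"], hit["method"], hit["url"])
    for path in scan_hash_inventory(SAMPLE_HASH_INVENTORY):
        print("IoC hash match:", path, matching_algorithms(SAMPLE_HASH_INVENTORY[path]))
```

In production the two sample constants would be replaced by a proxy log export and a hash inventory; any hit on the C2 domain from a web server host is worth treating as a confirmed compromise rather than a scan result, because the advisory describes the domain as the exfiltration endpoint.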
Remediation
- Implement multi-factor authentication (MFA) and strong password policies to enhance access control.
- Ensure that all software, including web servers, applications, and content management systems, is regularly patched and updated to address known vulnerabilities.
- Deploy WAFs to monitor and filter incoming web traffic for suspicious activities. WAFs can detect and block web skimming attempts and other malicious traffic.
- Isolate payment processing systems from less critical systems to limit the attacker’s lateral movement within your network. Network segmentation can help contain the impact of a breach.
- Implement continuous monitoring solutions to detect unusual or unauthorized activities on your web servers and payment processing systems. Look for signs of unauthorized access, data exfiltration, or unusual patterns of traffic.
- Conduct regular security audits and penetration testing to identify and address weaknesses.
- Encrypt sensitive customer and investor data both in transit and at rest to prevent unauthorized access in case of a breach.
- Develop a robust incident response plan that outlines steps to take in the event of a breach. This should include procedures for containment, investigation, and notification of affected parties.