Rewterz Threat Alert – Payment Card-Skimming Campaign Expands Focus to North American Websites

Severity

High

Analysis Summary

A new payment card skimming campaign called “Silent Skimmer” has been identified by researchers, and it is targeting online payment businesses in the Asia-Pacific (APAC) and North America and Latin America (NALA) regions. This campaign has been active for a year and is ongoing. Evidence suggests that Chinese actors are behind it, as the attacker is believed to be from the APAC region and proficient in the Chinese language.

Silent Skimmer appears to be financially motivated. The attacker gains initial access by exploiting known vulnerabilities and compromised web servers. Ultimately, they deploy payment scraping tools on infected sites to steal sensitive financial data.

Initially, the campaign primarily targeted companies in the APAC region. However, starting from October 2022, the attacker expanded their focus to include Canada and North America. Researchers noted a significant increase in attacks since May 2023. The threat actor exploited a critical vulnerability which allows remote code execution. This same bug was previously used by China-backed Hafnium group and Vietnam’s XE group. 

The victims of Silent Skimmer come from diverse industries and sectors. The attacker accesses the payment pages of web applications and sites to deploy malware. This malware is used to steal credit card numbers and billing information from online buyers. The stolen data is then exfiltrated through Cloudflare.

In terms of tactics, techniques, and procedures (TTPs), the attacker hosts all their tools and payloads on an HTTP File Server that they control. This server is deployed on a temporary virtual private server (VPS) whose location aligns with the attacker’s suspected location. Additionally, the attacker exploits a .NET deserialization flaw known as CVE-2019-18935 to execute code remotely on their targeted servers. 

The researchers noted that the hackers used various tools to achieve privilege escalation. They also used many legitimate open-source tools and scripts in many of their attacks.

The payload executed through this vulnerability deploys a PowerShell script, which acts as a remote access tool (RAT). This RAT has various functions, including collecting system information, searching for, downloading, and uploading files, and connecting to a database. The RAT connects to a server that offers a range of tools, including remote access scripts, downloader scripts, webshells, Cobalt Strike beacons, and exploits. There’s also a Fast Reverse Proxy tool that allows attackers to expose local servers from behind a NAT

The actor behind Silent Skimmer primarily targets individual websites and prefers using tools developed by a GitHub user named ihoney.

To evade detection, the actor continually readjusts its command and control (C2) infrastructure based on the geolocation of the victims. They use VPS servers as C2 servers for new targets, with each C2 server remaining online for less than a week. These servers are located in the victim’s country or region, making it difficult to distinguish traffic from compromised servers from normal traffic.

Impact

• Gain Access
• Unauthorized Access
• Privilege Escalation
• Financial Loss
• Sensitive Information Theft

Indicators of Compromise

URL

• https://cdn.nigntboxcdn.com/Nigntboxcdngetdata.php

MD5

• 8296fbec36223ad4d5dbe47e68ff9469

SHA-256

• ae89f5aa5c2dc71f4d86d9018000e92940558f3e5fe18542f48dea3b607c7d3b

SHA-1

• 249d60dcc9659bc1f9b715f5c52e057e1bdff4e4

Remediation

• Implement multi-factor authentication (MFA) and strong password policies to enhance access control.
• Ensure that all software, including web servers, applications, and content management systems, is regularly patched and updated to address known vulnerabilities. 
• Deploy WAFs to monitor and filter incoming web traffic for suspicious activities. WAFs can detect and block web skimming attempts and other malicious traffic.
• Isolate payment processing systems from less critical systems to limit the attacker’s lateral movement within your network. Network segmentation can help contain the impact of a breach.
• Implement continuous monitoring solutions to detect unusual or unauthorized activities on your web servers and payment processing systems. Look for signs of unauthorized access, data exfiltration, or unusual patterns of traffic.
• Conduct regular security audits and penetration testing to identify and address weaknesses.
• Encrypt sensitive customer and investor data both in transit and at rest to prevent unauthorized access in case of a breach.
• Develop a robust incident response plan that outlines steps to take in the event of a breach. This should include procedures for containment, investigation, and notification of affected parties.