440+ Online Shops Hacked to Install Credit Card Stealing Malware
Threat actors have compromised more than 440 online merchants to steal customers’ credit card and payment data. The attackers have been using a digital skimming technique to harvest this data.
All affected merchants have been notified of the compromise and advised to take the necessary actions to prevent these attacks. Europol and Group-IB worked together, alongside ENISA and EMPACT, to gather the threat intelligence data for this operation.
According to the reports shared with Cyber Security News, the threat intelligence gathered about this digital skimming campaign revealed that threat actors have been using JavaScript sniffers on compromised websites to collect payment data.
Twenty-three sniffer families were detected, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter, and R3nin, which were used against companies in 17 different countries in the European Union, including Colombia, Croatia, Finland, Germany, Georgia, Hungary, Moldova, Netherlands, Poland, Romania, Spain, United Kingdom, and the United States.
Digital skimming goes unnoticed for long periods, and the collected data can be used by threat actors in many ways. Most often it is sold on darknet marketplaces and then used by other cybercriminals for illicit transactions.
Moreover, customers and merchants cannot know that their data was compromised until an illegal transaction has been made. This operation was conducted after a substantial amount of information had been collected about the threat actors.
The collected threat intelligence data comprises infected websites, detected malware signatures, the extracted domains, gates, and URLs used by attackers to collect data or load other malware, as well as instructions on where to find the malware used to launch digital skimming attacks.
Furthermore, a complete report about this operation has been published, providing detailed information about the operations, actions, and other findings.
Holiday Season Cyber Alert: Reflectiz Declares War on Magecart
Reflectiz, a cybersecurity company specializing in continuous web threat management, offers an exclusive, fully remote solution to battle Magecart web-skimming attacks, a popular type of cyberattack in which malicious code is injected into checkout pages.
As the Holiday Season approaches, online retailers face the challenge of protecting their websites against the growing threat of malicious attacks, such as Magecart. However, they struggle to add new security layers due to restrictions on modifying their website code to avoid impacting website performance during the peak shopping season.
Reflectiz, a unique web security tool, ensures 100% readiness for Magecart attacks before and during the Holiday Season.
This is made possible by Reflectiz’s external, non-intrusive solution, which requires no code implementation or IT resources. Your website(s) will be fully protected within days, and there will be no impact on your website’s performance.
Reflectiz automatically detects third-party code changes, keylogging, and communication with malicious domains to prevent Magecart web-skimming attacks. It overcomes the most sophisticated malware obfuscation techniques, lets you track changes, prioritize issues, and implement alerts according to their severity level, empowering you to act before the damage is done.
Despite being so powerful, Reflectiz does not affect website performance. It has zero impact on your IT resources and requires no installation on the client. It begins protecting your web assets within days, ensuring continuous monitoring of all crucial and sensitive web pages, not just checkout pages.
“Reflectiz understands the challenges faced by online retailers during this busy time of the year. In fact, in 2023, Reflectiz detected Magecart attacks on more than 150 websites, and the count is still rising. Our advanced technology enables the automatic detection of sophisticated threats throughout your entire online environment, all with quick and easy external implementation. You will be up and running within days” – Ysrael Gurt, Co-founder & CTO, Reflectiz.
Sign up for our exclusive offer today, and get the ideal head start in the war on Magecart.
Hackers Hijacking Web Server To Deploy z0Miner Malware
The threat actor known as “z0miner” has been found attacking Korean WebLogic servers to distribute malware such as miners, network tools, and scripts used for further attacks.
This threat actor has a history of attacking vulnerable servers, such as Atlassian Confluence, Apache ActiveMQ, Log4j, and many more.
Researchers at Tencent first discovered this threat actor in 2020. The “z0miner” threat actor is well-known for exploiting CVE-2020-14882 and CVE-2020-14883 against Oracle WebLogic servers.
However, according to ASEC researchers, its latest targets were Korean WebLogic servers, on which several traces of tools such as FRP (Fast Reverse Proxy), NetCat, and AnyDesk were present.
Technical Analysis
According to reports shared with Cyber Security News, the threat actor exploited these Korean WebLogic servers due to poor security configuration and the widespread exposure of server information.
The threat actor could discover the Tomcat version and server version of these servers.
Once this information was gathered, the threat actor used several tools, such as a webshell, FRP, and NetCat, to exploit the servers further.
Exploited servers (Source: AhnLab)
Exploitation Methods
WebShell
The threat actor utilized the WebLogic vulnerability CVE-2020-14882 to upload a JSP webshell on the vulnerable system, enabling persistence and control over the system.
Three webshells were deployed: JSP File Browser, Shack2, and Behinder. None of them were detected by anti-malware products.
Webshell (Source: AhnLab)
Fast Reverse Proxy (FRP)
This tool was used for RDP (Remote Desktop Protocol) communication. Both the default frpc and a customized version were used.
The default frpc loads a settings file in *.INI form and then attempts the connection, while the customized frpc can be run without a separate settings file.
FRP Download (Source: AhnLab)
NetCat
Netcat is capable of reading and writing data over a network connection and has been found in many webshells.
The tool provides a remote shell feature, which allows the attacker to bypass the firewall and gain control over the targeted system.
Netcat implemented as “userinit.exe” (Source: AhnLab)
Miner (XMRig)
The versions of XMRig used by z0miner are different for Windows and Linux. XMRig 6.18.0 was used in Windows, and 6.18.1 was used for Linux.
To establish persistence for the miner, the threat actor used the Task Scheduler (schtasks) or a WMI event filter, configured to read a PowerShell script from a certain Pastebin address and execute it.
XMRig (Source: AhnLab)
The threat actor also used a Monero wallet and mining pool address.
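One way a responder could look for the persistence mechanism described above on a Windows host, as an added example that is not code from the AhnLab/ASEC report: it enumerates scheduled-task actions and WMI permanent event subscriptions and reports those that launch PowerShell with download-and-execute indicators such as a pastebin.com URL. The indicator regex is an assumption; extend it with the script address from your own case.

```powershell
# Added example (not from the AhnLab/ASEC report). Run in an elevated session
# on the suspect host; it only reads task and WMI subscription definitions.

# Indicators of a download-and-execute action (assumed list; -match is case-insensitive).
$Indicator = 'pastebin\.com|DownloadString|Invoke-WebRequest|Invoke-Expression|\biex\b|\biwr\b|FromBase64String|-enc'

function Test-DownloadExec {
    param([string]$CommandLine)
    return ($CommandLine -match 'powershell|pwsh') -and ($CommandLine -match $Indicator)
}

function Get-SuspiciousPersistence {
    # 1. Scheduled tasks (schtasks): inspect every action's executable and arguments.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if (Test-DownloadExec $cmd) {
                [pscustomobject]@{
                    Type    = 'ScheduledTask'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    Trigger = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                    Command = $cmd
                }
            }
        }
    }
    # 2. WMI event subscriptions: a CommandLineEventConsumer bound to an __EventFilter.
    $ns       = 'root/subscription'
    $filters  = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        $cmd = "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim()
        if (Test-DownloadExec $cmd) {
            # Binding Consumer/Filter fields are object paths such as __EventFilter.Name="x".
            $bound = $bindings | Where-Object { $_.Consumer -like "*Name=`"$($c.Name)`"*" }
            $query = ($filters | Where-Object { $f = $_; $bound | Where-Object { $_.Filter -like "*Name=`"$($f.Name)`"*" } }).Query
            [pscustomobject]@{
                Type    = 'WmiSubscription'
                Name    = $c.Name
                Trigger = $query -join ';'   # WQL query that fires the consumer
                Command = $cmd
            }
        }
    }
}

Get-SuspiciousPersistence | Format-List
```

An empty result does not clear the host: the report also mentions webshells, frpc and renamed Netcat, so pair this with a review of the WebLogic deployment directories and outbound connections.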
AnyDesk was also one of the tools used by the threat actor as part of the webshell, but only in cases where the Apache ActiveMQ vulnerability (CVE-2023-46604) was exploited.
(Korean web servers exploited and used as download servers are shown only on TIP.)
107.180.100[.]247:88
15.235.22[.]212:5690
15.235.22[.]213:59240