Silent Skimmer Group Attacking Online Shopping Websites
The “Silent Skimmer” is a financially motivated group that has been observed targeting vulnerable online payment infrastructure, such as online businesses and Point of Sale (POS) providers.
The group is mostly active in the Asia-Pacific (APAC) region. The attackers exploit vulnerabilities in web servers to gain initial access, and the final payload uses payment-scraping techniques to collect consumers’ sensitive financial information from the compromised websites.
According to the BlackBerry Threat Research and Intelligence team, the threat actor appears to be proficient in Chinese, is most active in the APAC region, and also has several victims across North America.
Tactics, Techniques, And Procedures (TTPs) Used In This Attack
Web applications, especially those hosted on Internet Information Services (IIS), are the campaign operators’ primary targets. Their main goal is to compromise the payment checkout page and steal customers’ payment information.
“Once the attacker has obtained initial access to the web server, they deploy various tools and techniques, including open-source tools and Living Off the Land Binaries and Scripts (LOLBAS),” according to the information shared with Cyber Security News.
HTTP File Server hosting the threat actor’s toolkit for malicious post-exploitation actions
Researchers say the group uses tools created by GitHub user ihoney, including a port scanner and an exploit implementation for CVE-2019-18935, a vulnerability previously exploited by the advanced persistent threat (APT) group HAFNIUM and by the suspected Vietnamese crimeware actors XE Group.
Successful exploitation of CVE-2019-18935 can lead to remote code execution (RCE).
In particular, reports mention that this campaign uses at least five privilege escalation tools, one remote code execution (RCE) exploit, one remote access tool, one downloader/stager, and one post-exploitation tool.
The payload deploys a PowerShell-based remote access tool (RAT) that can carry out a variety of tasks, including gathering system information, searching for, downloading and uploading files of interest, connecting to a database, and more.
Objectives pursued by this PowerShell RAT
This RAT connects to a server hosting various tools, including a Fast Reverse Proxy (FRP) tool that lets attackers expose local servers located behind a NAT, remote access scripts, downloader scripts, webshells, Cobalt Strike beacons, and exploits.
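One concrete detection that follows from the TTPs above (an IIS-hosted web application compromised, then PowerShell and other LOLBAS tooling launched from it) is to alert whenever the IIS worker process spawns such a child. The script below is an added example, not code from the article or from BlackBerry; the process-creation records are constructed, and the parent name w3wp.exe and the child-binary list are assumptions for the demonstration.

```python
"""Flag IIS worker processes that spawn PowerShell or other LOLBAS binaries.

Constructed demonstration, not code from the article or the BlackBerry report.
Records mimic process-creation telemetry (e.g. Sysmon Event ID 1 or Windows
Security event 4688) as JSON lines. Assumptions: the parent process name
w3wp.exe (the IIS worker process) and the child-binary list below.
"""
import json
from typing import Iterable

WEB_WORKERS = {"w3wp.exe"}  # IIS worker process (assumed parent of interest)
# Binaries a web server worker process should essentially never launch.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe",
                       "bitsadmin.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample telemetry (JSON lines); hosts, paths and timestamps are made up.
SAMPLE_LOG = r"""
{"ts":"2023-09-21T10:01:02Z","host":"shop-web01","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc <base64 omitted>"}
{"ts":"2023-09-21T10:01:05Z","host":"shop-web01","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","cmdline":"w3wp.exe -ap DefaultAppPool"}
{"ts":"2023-09-21T10:02:10Z","host":"shop-web01","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c dir"}
{"ts":"2023-09-21T10:03:30Z","host":"shop-web01","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\certutil.exe","cmdline":"certutil.exe -urlcache <arguments omitted>"}
"""


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(lines: Iterable[str]) -> list[dict]:
    """Return one alert per record in which a web worker spawned a suspicious child."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        parent, child = _basename(rec["parent"]), _basename(rec["image"])
        if parent in WEB_WORKERS and child in SUSPICIOUS_CHILDREN:
            alerts.append({"ts": rec["ts"], "host": rec["host"], "parent": parent,
                           "child": child, "cmdline": rec["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']} {a['host']}: {a['parent']} -> {a['child']}  [{a['cmdline']}]")
```

On the constructed sample this raises two alerts (the PowerShell and certutil launches from w3wp.exe) and ignores the worker recycling itself and the cmd.exe started from explorer.exe.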
Final Thoughts
The “Silent Skimmer” campaign aims to find and exploit vulnerable web applications worldwide. The threat actor may be actively looking for new and larger targets as a result of their recent success.
“Traditionally, some servers have been noted to lack the modern security technologies currently available for traditional endpoints,” researchers said.
“That makes them an attractive target for attackers, especially considering they are easier to maintain persistence on, and bearing in mind the sensitive type of data they process, specifically payment information.”
Researchers believe that further attacks against systems like these should be expected in the future, both in the same regions and elsewhere.