executive summary
The holiday season brings increased online shopping, but it also attracts threat actors seeking to take advantage of unsuspecting shoppers. This week, we'll explain "Silent Skimming" a financially motivated campaign that targets online payment businesses. This campaign primarily victimizes online businesses and point-of-sale service providers, as well as their consumers.
Given the increased online shopping during the holiday season, it's important to understand how threat actors exploit individuals who may be unaware of such activities. Let’s dive into Silent Skimming and help you stay informed and secure during this holiday season.
silent skimming
Silent Skimming or Silent Skimmer is an active campaign discovered by BlackBerry that has existed for over a year. The campaign is financially motivated and targets online payment businesses, specifically focusing on online businesses and point-of-sale (POS) service providers. As of now, targets include online payment businesses in the Asia-Pacific, North America, and Latin America regions.
BlackBerry is attributing the campaign to a threat actor who knows the Chinese language. The threat actor behind the campaign deploys payment scraping mechanisms to extract sensitive financial data from users. The targeted industries are diverse but are generally industries that host or create payment infrastructure.
HOW DOES SILENT SKIMMING WORK?
The attack method involves exploiting internet-facing applications for initial access and deploying various tools to escalate privileges, execute code, and gain remote access. The threat actors behind the most recent Silent Skimming campaign have been exploiting a .NET deserialization vulnerability, tracked as CVE-2019-18935, in the Progress Telerik UI for ASAP.NET AJAX since May 2023. This vulnerability allows them to execute malicious DLL code remotely on targeted servers.
Once initial access is gained, the attackers deploy an array of tools hosted on an attacker-controlled HTTP File Server. These tools include downloader scripts, remote access scripts, webshells, exploits, and Cobalt Strike beacons. In the final stage, user information such as billing and credit card details is exfiltrated using Cloudflare.
Image 1: Tools
|
Tool:
|
ITW Tool Name:
|
Purpose:
|
|
BadPotato
|
bpo.exe
|
Privilege Escalation
|
|
Godzilla Webshell
|
bypass.aspx
|
Remote Code Execution
|
|
PowerShell RAT
|
client111.ps1
|
Remote Access
|
|
SharpToken
|
ConfusedToken.exe
|
Privilege Escalation
|
|
GodPotato
|
GodPotato-NET4.exe
|
Privilege Escalation
|
|
Juicy Potato
|
j.exe
|
Privilege Escalation
|
|
HTML Application
|
MsMsp.hta
|
Downloader/Stager
|
|
Cobalt Strike Beacon
|
scvhost.exe
|
Post Exploitation
|
|
SweetPotato
|
SPO.exe
|
Privilege Escalation
|
Source: BlackBerry
ATTACK VECTOR
Let’s break down the attack vector for the Silent Skimming campaign:
Target Selection:
- The threat actor focuses on vulnerable web applications for opportunistic exploitation.
- The identified victims so far have been individual websites.
Tools Used:
- The group utilizes tools developed by a GitHub user named ihoney.
- These tools include a port scanner and an implementation of CVE-2019-18935.
Exploiting Telerik UI Vulnerability (CVE-2019-18935):
- The campaign leverages a known vulnerability (CVE-2019-18935) present in the Telerik UI software.
- This vulnerability was previously used by the advanced persistent threat (APT) group HAFNIUM and suspected Vietnamese crimeware actors XE Group.
Initial Payload:
- The initial payload is a .NET assembly DLL generated using ihoney's implementation of CVE-2019-18935.
Exploitation Process:
- Exploiting CVE-2019-18935 can lead to remote code execution (RCE).
- The attacker uploads the DLL to a specific directory on the target server, dependent on the web server having write permissions.
- The DLL is then loaded into the application using an exploit that takes advantage of insecure deserialization.
Insecure Deserialization:
- Insecure deserialization is a vulnerability where untrusted or unknown data can be used maliciously.
- This vulnerability can result in a variety of attacks, including DDoS attacks, executing malicious code, bypassing authentication, or abusing the logic of a legitimate application.
Execution of Malicious DLL:
- The malicious DLL aims to abuse the Windows-native binary Mshta.exe.
- It executes an HTML Application (HTA) named MsMsp.hta directly from the IP address 52[.]253[.]105[.]171.
- The HTA file, hosted on the IP address 52[.]253[.]105[.]171, is actually a VBScript.
In simpler terms, the attackers target websites with known vulnerabilities, use tools to exploit these weaknesses, and specifically take advantage of a Telerik UI software flaw. They deploy a sneaky DLL through a tricky process, exploiting insecure deserialization, and ultimately execute a malicious HTML application to carry out their skimming activities.
The threat actors then use VBScript to transfer control to PowerShell, leveraging the server.ps1 RAT. This RAT establishes a connection to a hardcoded C2 server, providing the threat actor with control over the compromised system. The C2 server operates as an HTTP file server hosting a diverse set of tools for post-exploitation, allowing the attackers to perform various malicious actions on the compromised server.
attribution
There are a few reasons why the researchers at BlackBerry believe that Silent Skimmer campaign is the work of a threat actor based in Asia. Firstly, there is proof that the threat actor knows Chinese based on the language they use in their code. This is evident in the simplified Chinese used in the PowerShell RAT code and the association with a GitHub repository linked to Chinese-speaking developers.
Secondly, geographical cues play a role in attribution, as the attacker's C2 server is located in Asia, particularly Japan. Additionally, the strategic deployment of Virtual Private Servers (VPS) tailored to the target's location, such as using a Canadian-based VPS for attacks on Canadian businesses, hints at a sophisticated understanding of regional contexts. The dynamic adaptation of network infrastructure based on victim geolocation suggests a high level of technical expertise.
The campaign's expansion over a year, initially concentrating on the Asia-Pacific region and later including North America, implies a persistent and evolving threat. The targeting strategy, focusing on vulnerable web applications across diverse industries involved in payment infrastructure, highlights the threat actor's adaptability rather than a narrow industry-specific approach.
blacksuit and zeon
Although not directly related, Avertium's intelligence partner, RedSense, reports that two post-Conti groups closely align with the tactics and motives of the Silent Skimming campaigns in their attack strategies, BlackSuit and Zeon.
BLACKSUIT
BlackSuit, a rebranding of the Royal ransomware group, focuses on institutions possessing valuable financial and informational assets. The group has used compromised software source codes in their targeting of the retail sector, mirroring the tactics observed in 2019 when Amiak took control of POS Merchant servers belonging to a Canadian POS merchant and software provider. Amiak achieved this through the exploitation of MSSQL and RDP access points.
The group also has former members of the Ryuk and REvil ransomware group within their current operation, as well as the threat actors responsible for the attack on Costa Rica, Dallas, and Southwest Airlines. Black Suit’s emphasis on data exfiltration and encryption suggests a likelihood of third-party attacks targeting retail entities.
ZEON
Advanced Intelligence also stated that the threat actor Zeon has utilized a modified version of legitimate software to develop a new reverse proxy spam engine called ZProxy. ZProxy is a tool designed for generating phishing pages to gather user data, which the operator subsequently inputs into the authentic website. This method allows the operator to bypass 2FA protections, facilitating the collection and storage of user data.
The intended use of ZProxy involves employing it as a "man-in-the-middle" technique to initiate sessions and capture payment data. Information from RedSense's primary source intelligence indicates that the group aims to employ ZProxy for upcoming financial fraud activities, mirroring the Silent Skimming techniques outlined in this report.
stay vigilant this holiday season
CONSUMERS
The threat actor behind the Silent Skimming/Silent Skimmer campaign mainly targets local payment websites, exploiting common tech weaknesses to grab sensitive payment data without permission. This puts the average holiday online shopper at risk. Stay safe this season by adhering to these recommendations:
- Use Reputable Websites: Shop from well-known and reputable online retailers. Be cautious of unfamiliar sites, especially if they offer deals that seem too good to be true.
- Enable Two-Factor Authentication (2FA): Whenever possible, enable 2FA for your online accounts. This adds an extra layer of security by requiring a second form of verification.
- Check for HTTPS: Before entering any sensitive information, make sure the website's URL starts with "https://". The "s" indicates a secure, encrypted connection.
- Use Trusted Payment Methods: Stick to well-known and secure payment methods. Avoid entering credit card details on unfamiliar or suspicious websites.
- Be Skeptical of Emails and Links: Avoid clicking on links or downloading attachments from unsolicited emails. Scammers often use phishing emails to trick users into revealing sensitive.
ONLINE BUSINESSES
The Payment Card Industry Data Security Standard (PCI DSS) establishes security requirements for organizations handling payment card data. Compliance with PCI DSS Requirement 6.5 focuses on addressing vulnerabilities within third-party applications and component integrations.
One way organizations can help safeguard customers’ payment information is via Avertium’s Governance, Risk, and Compliance (GRC) service. GRC services help organizations identify, assess, and prioritize risks, including those posed by cyber threats like silent skimming. This proactive approach allows organizations to understand the potential impact of such threats on their operations and take preventive measures.
Also, GRC services assist organizations in staying compliant with relevant regulations and standards. In the case of silent skimming, adherence to data protection and payment card industry standards is important. GRC tools provide frameworks to ensure that organizations meet these compliance requirements, reducing the risk of legal and financial consequences.
- Avertium simplifies Governance, Risk, and Compliance (GRC) by providing contextual understanding instead of unnecessary complexity. With our cross-data, cross-industry, and cross-functional expertise, we enable you to meet regulatory requirements and demonstrate a robust security posture without any vulnerabilities. Our GRC services include:
- Cyber Maturity
- Compliance Assessments and Consulting
- Managed GRC
How Avertium is Protecting Our Customers
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe from attack campaigns like Silent Skimming:
- Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
- Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:
- Risk Assessments
- Pen Testing and Social Engineering
- Infrastructure Architecture and Integration
- Zero Trust Network Architecture
- Vulnerability Management
- Note: We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers
MITRE MAP
Resource Development
- T1588 - Obtain Capabilities: Tool
- T1608.002 - Stage Capabilities: Upload Tool
Initial Access
- T1190 - Exploit Public-Facing Application
Execution
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1059.005 - Command and Scripting Interpreter: Visual Basic
Discovery
- T1033 - System Owner/User Discovery
- T1083 - File and Directory Discovery
Defense Evasion
- T1218.005 - System Binary Proxy Execution: Mshta
- T1070.006 - Indicator Removal: Timestomp
- T1036.005 - Masquerading: Match Legitimate Name or Location
Persistence
- T1505.003 - Server Software Component: Web Shell
Privilege Escalation
- T1134 - Access Token Manipulation
- T1068 - Exploitation for Privilege Escalation
Command-and-Control
- T1105 - Ingress Tool Transfer
- 001 - Application Layer Protocol: Web Protocols
- T1573.001 - Encrypted Channel: Symmetric Cryptography
- T1090 - Proxy
Exfiltration
- T1041 - Exfiltration Over C2 Channel
INDICATORS OF COMPROMISE
Hashes
- ae89f5aa5c2dc71f4d86d9018000e92940558f3e5fe18542f48dea3b607c7d3b
- 1afd47f1e914bde661778966334270c4e3c47b88cbad8ca24babbe1220ac2204
- 810b0ff0eebadc4d7f0c44f1d321121d55a477bd1a92d1ec89314a81b4c3601f
Hostname
- www[.]krispykreme[.]one
- tk[.]tktktkcscscs[.]com
- cdn[.]nigntboxcdn[.]com
URLs
- hxxps://cdn[.]nigntboxcdn[.]com/Nigntboxcdngetdata[.]php.
- hxxp://www[.]krispykreme[.]one/Check[.]ashx
Supporting Documentation
RedSense, (2023, November 8). Monthly Threat Briefing | October 2023 [PowerPoint slides]. Redsense.com
Silent Skimmer: Online Payment Scraping Campaign Shifts Targets From APAC to NALA (blackberry.com)
Silent Skimmer: A Year-Long Web Skimming Campaign Targeting Online Payment Businesses (thehackernews.com)
Understanding Skimming and How to Prevent It (flagright.com)
Silent Skimmer: The Rising Threat in Card-Skimming Attacks - Security Boulevard
What is PCI DSS? Requirements & How to Comply (itgovernance.co.uk)
Payment Card Industry Data Security Standard (pcisecuritystandards.org)
Chinese Hackers Target North American, APAC Firms in Web Skimmer Campaign - SecurityWeek
Online payment firms subjected to extended web skimming attack | SC Media (scmagazine.com)
Latest evolution of ‘pig butchering’ scam lures victim into fake mining scheme – Sophos News
Silent Skimmer: Online Payment Scraping Campaign Shifts Targets From APAC to NALA - AlienVault - Open Threat Exchange
Chinese Silent Skimmer Attack Hits APAC and NALA Online Payment Firms (hackread.com)
APPENDIX II: Disclaimer
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
