In the spotlight this week:
Threat intelligence firm Gemini Advisory discovered that the “Keeper” Magecart group (which consists of an interconnected network of 64 attacker domains and 73 exfiltration domains) has targeted over 570 e-commerce sites in 55 different countries. Over 85% of the victim sites ran on the Magento CMS, which is known to be the top target for Magecart attacks and boasts over 250,000 users worldwide.
ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. The toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.
The F5 BIG-IP security hole has been described as a critical remote code execution vulnerability that can be exploited to take complete control of a system. The issue is related to the Traffic Management User Interface (TMUI) configuration utility.
JUL 9, 2020 | WastedLocker Goes "Big-Game Hunting" in 2020
After initially compromising corporate networks, the attacker behind WastedLocker performed privilege escalation and lateral movement prior to activating the ransomware and demanding a ransom payment. The deployment of "dual-use" tools and "LOLBins" enabled the adversaries to evade detection and stay under the radar as they worked toward their objective in the corporate environment.
WastedLocker is one of the latest examples of the continued use of lateral movement and privilege escalation to maximize the damage caused by ransomware. The use of "big-game hunting" continues to cause significant operational and financial damages to organizations around the globe.
JUL 9, 2020 | More Evil: A deep dive into Evilnum and Its Toolset
ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against fin-tech companies. Although Evilnum has been seen in the wild at least since 2018 and documented previously, little has been published about the group behind it and how it operates. The group's targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom homemade malware combined with tools purchased from Golden Chickens, a MaaS provider whose infamous customers include FIN6 and Cobalt Group.
JUL 7, 2020 | 'Keeper' Hacking Group Behind Hacks at 570 Online Stores
Hackers who go by the name of “Keeper” accidentally leaked more than 184,000 stolen cards through an improperly secured backend server. The Keeper gang broke into online store backends, altered their source code, and inserted malicious scripts that logged payment card details entered by shoppers in checkout forms.
These types of attacks are known among the cyber security community as “web skimming”, “e-skimming”, or "Magecart" intrusions (so named after the first hacker group that used these tactics). In a report published by threat intelligence firm Gemini Advisory, the company says that Keeper has been operating since at least April 2017 and continues to operate to this day.
JUL 7, 2020 | Feds Indict 'fxmsp' in Connection with Million-Dollar Hacking Operation
The U.S. Department of Justice has charged a man with hacking-related crimes as part of an investigation into a group of foreign scammers accused of targeting more than 300 organizations throughout the world.
Prosecutors in the Western District of Washington charged Andrey Turchin with five felony counts in connection with a year-long fraud effort. Last known to be in Kazakhstan, Turchin allegedly sold remote access hacking tools on cybercriminal forums, typically charging tens of thousands of dollars for access to data valued at tens of millions of dollars.
Turchin went by a series of aliases, including “fxmsp,” according to the Justice Department. He was initially charged in December 2018, though the indictment was kept under seal until this week, one month after security vendor Group-IB released its own research documenting the work of a hacker known by the “fxmsp” alias.
JUL 6, 2020 | BIG-IP Vulnerability Exploited to Deliver DDoS Malware
CVE-2020-5902 was disclosed on July 1st, 2020 by F5 Networks in K52145254 as a CVSS 10.0 remote code execution vulnerability in the BIG-IP administrative interface. By the 3rd of July 2020, NCC Group had observed active exploitation. This situation is still developing.
Hackers continue to exploit the recently-patched BIG-IP security flaw, with plenty of potential targets as researchers have identified thousands of vulnerable systems.
The security hole has been described as a critical remote code execution vulnerability that can be exploited to take complete control of a system. The issue is related to the Traffic Management User Interface (TMUI) configuration utility. An attacker who has access to this utility can exploit the weakness to create or delete files, disable services, intercept data, and run arbitrary code or commands.
Proof-of-concept (PoC) exploits and technical information were made public for CVE-2020-5902 shortly after its disclosure and the first exploitation attempts were observed soon after. The vulnerability is easy to exploit and experts have pointed out that the entire exploit fits in a tweet.