
Beware: North American Websites Under Attack by Payment Card-Skimming Campaign


Silent Skimmer Campaign Expands: Chinese-Speaking Threat Actor Targets North and Latin America

In a concerning development, a Chinese-speaking threat actor that has been actively targeting ecommerce sites and point-of-sale service providers in the Asia/Pacific region for over a year has now broadened its scope to include North and Latin America. The adversary, known as the “Silent Skimmer” campaign, has been exploiting vulnerabilities in web applications to gain access to payment pages on these sites and drop malware designed to steal credit card numbers.

The Growing Threat of Card-Skimming Attacks

Card-skimming attacks, while not new, continue to pose a significant threat to online shoppers. A loose collective of criminal groups known as Magecart has stolen payment card data from millions of online shoppers worldwide. These groups typically exploit vulnerabilities in third-party software components and inject malicious code into them. In recent years, hundreds of thousands of ecommerce sites, including well-known brands like British Airways, Ticketmaster, and Newegg, have fallen victim to Magecart attacks.

The Tactics of the Silent Skimmer

The Silent Skimmer campaign, discovered by researchers from BlackBerry, is notable for its technical complexity and the indications of an advanced or experienced threat actor behind it. The campaign leverages vulnerabilities in web-facing applications, with many victim sites hosted on Microsoft’s Internet Information Services (IIS) Web server software.

One particular vulnerability exploited by the threat actor is CVE-2019-18935, a critical remote code execution bug in Telerik UI, a suite of web development tools. Notably, this vulnerability has also been used by other prominent groups such as China’s Hafnium and Vietnam’s XE Group.

To gain initial access to websites, the threat actor uploads a malicious dynamic link library (DLL) to a specific directory on the compromised web service. The DLL then initiates a series of steps to install credit and debit card-skimming malware on the website.
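One defender-side check that follows from the attack chain described above, as an added PowerShell example that is not from the article or from BlackBerry's research: it inventories Telerik.Web.UI.dll under every IIS site's physical path and compares each build against the version in which Telerik shipped the CVE-2019-18935 fix (assumed here to be 2020.1.114, per Telerik's advisory; confirm against current vendor guidance), and it lists DLLs written to a web root recently, since the campaign plants a malicious DLL on the compromised server. It assumes an elevated session on the IIS host with the WebAdministration module available.

```powershell
# Added example (not the article's or BlackBerry's code). Requires IIS's
# WebAdministration module and an elevated PowerShell session.
Import-Module WebAdministration

# Assumption: Telerik lists R1 2020 (2020.1.114) as the first build with the
# CVE-2019-18935 fix. Verify this threshold against the vendor advisory.
$FixedVersion = [version]'2020.1.114'

function Get-TelerikExposure {
    param([version]$MinimumSafe = $FixedVersion)
    foreach ($site in Get-Website) {
        # Each IIS site declares one physical path; it may contain %VARS%.
        $root = [Environment]::ExpandEnvironmentVariables($site.PhysicalPath)
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter 'Telerik.Web.UI.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
                $ver  = $null
                [void][version]::TryParse($info.FileVersion, [ref]$ver)   # e.g. 2019.3.917.45
                [pscustomobject]@{
                    Site       = $site.Name
                    Path       = $_.FullName
                    Version    = $ver
                    # Unparseable versions are flagged so they get a manual look.
                    Vulnerable = ($null -eq $ver) -or ($ver -lt $MinimumSafe)
                }
            }
    }
}

function Get-RecentWebRootDlls {
    # DLLs written into a site tree in the last $Days days; a freshly dropped
    # assembly in a web-reachable folder is worth correlating with change records.
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($site in Get-Website) {
        $root = [Environment]::ExpandEnvironmentVariables($site.PhysicalPath)
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $since } |
            Select-Object @{n='Site';e={$site.Name}}, FullName, LastWriteTime
    }
}

Get-TelerikExposure | Sort-Object Vulnerable -Descending | Format-Table -AutoSize
Get-RecentWebRootDlls | Format-Table -AutoSize
```

A recently written DLL is not proof of compromise on its own; compare the output against deployment records and file hashes from a known-good build.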

Advanced Techniques and Tooling

The Silent Skimmer campaign demonstrates the threat actor’s technical proficiency through the use of multiple tools for privilege escalation, remote access, remote code execution exploits, malware staging and downloading, and post-exploit activities. Additionally, the threat actor has made use of legitimate open source tools, binaries, and scripts, which have become increasingly common in modern malware campaigns.

Notably, the threat actor behind the Silent Skimmer campaign has adjusted its command-and-control (C2) infrastructure based on the geolocation of the victims. To blend in with normal traffic, the threat actor employs virtual private servers (VPS) located in the same region or country as the victim, typically on Microsoft’s Azure platform. Each C2 server remains online for less than a week, adding to the complexity of tracking and attribution.

Internet Security and Recommendations

The expansion of the Silent Skimmer campaign into North and Latin America highlights the pressing need for enhanced internet security measures across organizations. Here are some recommendations to mitigate the risk of falling victim to such attacks:

1. Regularly Update Web Applications and Software Components

Vulnerabilities in web applications and third-party software components are a common entry point for attackers. Organizations should prioritize keeping their software up to date, applying patches and security updates promptly to minimize the risk of exploitation.

2. Implement Strong Access Controls and Least Privilege Principles

Restricting access to critical systems and data is crucial to prevent unauthorized access. Organizations should follow the principle of least privilege, granting users only the necessary permissions to perform their duties. Employing multi-factor authentication and monitoring user activities can further strengthen access controls.

3. Conduct Regular Vulnerability Assessments and Penetration Testing

Regularly assessing the security posture of websites and web applications through vulnerability scanning and penetration testing can help identify and remediate potential weaknesses before attackers exploit them. Engaging cybersecurity professionals or using automated tools can assist in this process.

4. Monitor and Analyze Network Traffic for Anomalies

Implementing robust network monitoring and intrusion detection systems can help identify suspicious activities and anomalous network traffic indicative of a potential attack. Organizations should establish baselines of normal network behavior and leverage threat intelligence to detect known attack signatures.

5. Educate Employees on Cybersecurity Best Practices

Human error often serves as an entry point for attackers. Organizations should conduct regular cybersecurity awareness training to educate employees about the latest threats, phishing techniques, and safe online practices. Encouraging a security-conscious culture can empower employees to identify and report potential security incidents.

The Silent Skimmer campaign serves as a stark reminder that cyber threats continue to evolve and expand across borders. Organizations must remain vigilant, proactively implementing robust security measures, and staying informed about emerging threats to protect their customers’ sensitive information and maintain trust in the digital ecosystem.
