Hey guys, welcome back for another episode of Exploit Brokers Hacking News!
Magecart Skimmers on Amazon
Back in episode HN02 we went over Magecart infecting the subscription website of the popular magazine Forbes.
Well now, according to Malwarebytes’ article, “Magecart skimmers found on Amazon CloudFront CDN”, it appears that the e-commerce giant Amazon has a similar problem: Magecart skimmers were found on Amazon’s CDN, CloudFront.
For my listeners new to the show or to web tech, a CDN, or content delivery network, is a way to speed up delivering resources when you request a website. Think of multiple warehouses ready to ship something to you as quickly as possible when you order from an online store: the closest warehouse that has the item in stock ships it, to cut the time it takes to reach you. CDNs work the same way.
The skimmer uses hex and Base64 encoding to hide both its main code and its exfiltration mechanism, which points to “cdn-imgcloud dot com”. The stolen info is also reportedly encoded before being sent back to the hacker group over the wire.
According to the article, the following domains and IP addresses are strong signs that a compromised library or malware has infected a system:
- ww1-filecloud dot com or 45.114.8 dot 159
- cdn-imgcloud dot com or 45.114.8 dot 160
- font-assets dot com or 45.114.8 dot 161
- wix-cloud dot com or 45.114.8 dot 162
- js-cloudhost dot com or 45.114.8 dot 163
Malwarebytes also mentions that its users are already protected against these skimmers and that it continues to find new threats daily.
So the malware is being spread as far and as wide as possible in the hope of farming useful information: payment credentials, logins, etc. This compromise is just the latest in a series of attacks by Magecart. It will be worth watching what their next target or attack vector is once we find out more.
GoldBrute Botnet Brute-Forcing RDP Servers
In a recent report by researchers at SANS ISC, “GoldBrute Botnet Brute Forcing 1.5 Million RDP Servers”, a new botnet is threatening RDP servers.
So some of you may be familiar with RDP, the Remote Desktop Protocol, and some of you may use it while working. Well, a recent vulnerability, CVE-2019-0708, was patched by Microsoft, but that hasn’t stopped attackers from scanning for the vulnerability to exploit unpatched servers. This vulnerability has been given the nickname “BlueKeep”, and to hopefully shed light on its severity, it appears even the NSA is urging people to apply the patch.
The botnet is brute-forcing around 1.5 million RDP servers that are accessible from the internet. Shodan shows about 2.4 million vulnerable servers, and GoldBrute is using its own list and continues to add to it.
There is currently only one command and control (C&C) server, located at IP 104.156.249 dot 231. The bots use port 8333 to exchange AES-encrypted data. The infection follows this outline:
- First, the infected server downloads the bot program. The program is around 80 megabytes and includes a JRE, or Java Runtime Environment.
- The bot then starts scanning IP addresses to send back to the C&C server.
- Once the bot has reported 80 vulnerable machines, it is given a list of machines to brute force.
Two interesting details to note about this bot: each bot only tries one username and password per target, and the bot itself has a Java class named GoldBrute, which is where the name comes from.
The report also says that strong indicators of compromise are a file named bitcoin.dll and references to either 104[.]248[.]167[.]114, the IP serving the zip payload, or port 8333 on 104[.]156[.]249[.]231, the command and control server.
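As an added example (not code from the episode, Malwarebytes or SANS ISC), here is a small Python scanner that loads the Magecart indicators listed above and the GoldBrute indicators from this report, then runs them over constructed sample log lines. Because the episode notes that the skimmer hides its exfiltration host with hex and Base64 encoding, the scanner also decodes any such runs before matching; the log formats, the defanged storage convention and the sample lines are all my assumptions.

```python
import base64
import binascii
import re

# Indicators quoted in the episode, kept defanged in the lists (a storage convention assumed here).
MAGECART_DOMAINS = ["ww1-filecloud[.]com", "cdn-imgcloud[.]com", "font-assets[.]com",
                    "wix-cloud[.]com", "js-cloudhost[.]com"]
MAGECART_IPS = ["45.114.8.159", "45.114.8.160", "45.114.8.161", "45.114.8.162", "45.114.8.163"]
GOLDBRUTE_IPS = ["104.248.167.114", "104.156.249.231"]
GOLDBRUTE_C2 = ("104.156.249.231", "8333")  # the C&C server and the port the bots talk on
GOLDBRUTE_FILENAME = "bitcoin.dll"

def refang(indicator):
    """Turn 'cdn-imgcloud[.]com' or 'cdn-imgcloud dot com' into a matchable hostname."""
    return indicator.replace("[.]", ".").replace(" dot ", ".")

def decode_candidates(text):
    """Yield decoded forms of \\xNN hex runs and Base64 runs, the two encodings the skimmer uses."""
    for hexrun in re.findall(r"(?:\\x[0-9a-fA-F]{2}){4,}", text):
        yield bytes.fromhex(hexrun.replace("\\x", "")).decode("latin-1")
    for b64run in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", text):
        try:
            yield base64.b64decode(b64run, validate=True).decode("latin-1")
        except binascii.Error:
            continue  # just a long alphanumeric token, not Base64

def scan_line(line):
    """Return the sorted, de-duplicated indicator hits for one log line."""
    hits = set()
    for view in [line, *decode_candidates(line)]:  # raw text plus every decoded form of it
        hits.update(("magecart-domain", refang(d)) for d in MAGECART_DOMAINS if refang(d) in view)
        hits.update(("magecart-ip", ip) for ip in MAGECART_IPS if ip in view)
        hits.update(("goldbrute-ip", ip) for ip in GOLDBRUTE_IPS if ip in view)
        if GOLDBRUTE_FILENAME in view.lower():
            hits.add(("goldbrute-file", GOLDBRUTE_FILENAME))
    ip, port = GOLDBRUTE_C2  # the C&C address together with port 8333 is the strongest GoldBrute sign
    if ip in line and re.search(r"\b%s\b" % port, line):
        hits.add(("goldbrute-c2-port", "%s:%s" % (ip, port)))
    return sorted(hits)

# Constructed sample lines (DNS, proxy, inline script, firewall, file event); not real telemetry.
SAMPLE_LOGS = [
    "dns query A cdn-imgcloud.com from 10.0.0.5",
    "proxy GET https://font-assets.com/f.js 200",
    'script var h="\\x63\\x64\\x6e\\x2d\\x69\\x6d\\x67\\x63\\x6c\\x6f\\x75\\x64\\x2e\\x63\\x6f\\x6d";',
    'script atob("Y2RuLWltZ2Nsb3VkLmNvbQ==")',
    "fw conn 10.0.0.7:51234 -> 104.156.249.231:8333 proto tcp",
    "sysmon FileCreate C:\\Windows\\Temp\\bitcoin.dll",
    "dns query A example.com from 10.0.0.9",
]
```

Run `scan_line` over each entry of `SAMPLE_LOGS`: the two encoded script lines decode to the cdn-imgcloud exfiltration host, and the firewall line flags the C&C address on port 8333.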
GateHub Cryptocurrency Wallet Hacked
So if any of you guys are into cryptocurrency, I have news, and if you aren’t into cryptocurrency, well, I still have news. According to Tripwire’s article, “Cryptocurrency wallet GateHub hacked nearly $10 million worth of Ripple (XRP) stolen”.
According to the article, GateHub released a preliminary statement noting that over 100 customers’ wallets have had their funds stolen. The statement also says they have begun monitoring network activity and have started an investigation.
The article also mentions a report claiming that about 23.2 million Ripple, or about $9.7 million, has been stolen from somewhere between 80 and 90 GateHub accounts.
It appears the attack did not involve brute-forcing accounts, and the attacks flew mostly under the radar. The only notable thing GateHub has observed is an increase in API calls.
Those API calls carried valid access tokens, and the working theory is that the attackers were somehow able to access or steal encrypted secret keys and use them to make valid API calls.
So for my listeners who may not know what secret keys or API calls are, I’m going to explain them quickly and simply.
A secret key is essentially a digital key to a digital lock that only that key can open. If an attacker steals the key, they can open the lock.
API stands for Application Programming Interface, and it lets a program, in this case the wallet, ask the main system to do something. An API is just a way to accept requests from programs, the same way you can browse to a website and send requests for the system to do something.
Now that we have explained that, it appears the best course of action is to make sure your wallets are not held on a central server, and to always look into cryptocurrency best practices.
FIN8 Hackers Return
So some of you may be aware of a hacking group by the name of FIN8 that fell off the radar about two years ago, in 2017. Well, according to a new article by ZDNet, “FIN8 hackers return after two years with attacks against hospitality sector”, the infamous group is back.
The last known report about FIN8 attacks was back in 2017. If you have heard of the FIN hacker group, that is a separate group that only sounds similar, from what is known.
To give you a quick catch-up, the FIN8 group used spear-phishing, a targeted phishing attack, and a Windows zero-day to infect retailers in the US with the ShellTea backdoor. Once the backdoor was in place, they later came back and installed the PoSlurp malware to steal payment info from point-of-sale systems.
Well, a recent report by Morphisec states they detected and stopped a new FIN8 attack targeting hospitality businesses. The new attacks appear to have leveled up compared to before: FIN8’s malware has received a major upgrade in evasion and persistence functionality.
There appears to be some overlap with another similarly named hacker group, FIN7, and the article mentions that there have been previous intersections between FIN6, FIN7, and FIN8.
The article also raises the idea that the groups are different because today’s cybercrime has access to rentable resources, services, and hackers for hire.
Now I would like to shed some light on this.
There have been multiple forums, websites, and other avenues such as IRC that have allowed individuals to rent or buy anything from botnets to malware. So I do agree that this may be a series of unrelated hackers with similar suppliers, but I question this because of the newer and improved malware the FIN8 group is sporting. This could be a coincidence, and the idea of a merchant, albeit a criminal merchant, updating their software to include newer, better, and improved functionality is actually close to reality.
So guys, to conclude this episode, a quick review. We have Magecart infecting Amazon’s content delivery network with credit card skimmers. We also have a new brute-force attack by the name of GoldBrute attempting to use the Remote Desktop Protocol, or RDP, to build a botnet. If you have cryptocurrency wallets in the cloud, it may be time to rethink that, and if you hold Ripple, it’s wise to be on the lookout after the recent GateHub breach. Lastly, if you run a point of sale, be careful and look up more information, because FIN8 has returned with stronger malware and is targeting point-of-sale systems in the hospitality industry.
That wraps up another episode of Exploit Brokers Hacking News. The show notes can be found at exploitbrokers.com/podcasts/hn04. This has been your host Lauro, signing off until next time.