Payment Card-Skimming Attacks Expand to North American Websites

A Chinese-speaking threat actor that has been targeting ecommerce sites and point-of-sale service providers in the Asia/Pacific region for over a year has expanded its activities to North and Latin America. This recent shift in focus has caught the attention of cybersecurity researchers who have dubbed the campaign “Silent Skimmer.”

According to BlackBerry researchers, the threat actor has been exploiting vulnerabilities in web applications to gain unauthorized access to the targeted sites. In particular, they have taken advantage of a vulnerability that has also been used by China’s Hafnium group in previous cyber espionage campaigns. Once inside, the attackers aim to compromise the payment pages of these sites and deploy malware designed to steal credit card information from online shoppers.

While card-skimming attacks are not new, this latest campaign has raised concerns due to its technical complexity, leading researchers to speculate that an advanced and experienced threat actor may be behind it. Over the years, various hacking groups collectively known as Magecart have successfully carried out similar attacks, stealing payment card data from millions of online shoppers worldwide. Magecart attackers often target vulnerabilities in third-party software components and inject malicious code into them.

The Silent Skimmer campaign, however, appears to be opportunistic in nature. The threat actor takes advantage of vulnerabilities in web-facing applications, with many of the targeted sites hosted on Microsoft’s Internet Information Services (IIS) web server software. In particular, the attackers have exploited a critical remote code execution bug known as CVE-2019-18935 in Telerik UI, a suite of web development tools. This vulnerability has also been used by other threat groups, including Hafnium and Vietnam’s XE Group.

Once they gain access to the target web service, the threat actors upload a malicious dynamic link library (DLL) to a specific directory and subsequently install credit card skimming malware on the compromised website. To carry out their activities, the attackers employ various tools for privilege escalation, remote access, remote code execution, malware delivery, and post-exploit activities. Interestingly, they rely on legitimate open-source tools, binaries, and scripts, which is a common trend in modern malware campaigns.

One notable aspect of the Silent Skimmer campaign is the attackers’ skill in adjusting their command-and-control (C2) infrastructure based on the geolocation of their victims. To avoid detection, the threat actor uses virtual private servers (VPS), often hosted on Microsoft’s Azure platform, as C2 servers for newly acquired targets. These C2 servers are frequently online for less than a week and are located in the same region or country as the victim. By blending their traffic with normal network activity, the attackers make it more difficult for security teams to detect their malicious activity.

As the Silent Skimmer campaign expands its targeting to North and Latin America, it emphasizes the need for enhanced security measures and vulnerability management practices across ecommerce sites and point-of-sale service providers. Organizations should regularly patch their systems, monitor for suspicious activities, and deploy robust security solutions to protect customer payment data. Additionally, educating users about the risks of online transactions and reminding them to use secure payment methods can help prevent falling victim to these types of attacks.

Overall, the Silent Skimmer campaign serves as a reminder that card-skimming attacks continue to pose a significant threat to the security of online transactions. Both individuals and organizations must remain vigilant in protecting sensitive payment card information to minimize the impact of these malicious activities.
