Online payment companies across North America, Latin America, and the Asia Pacific have been under siege for over a year. A malicious campaign, known as Silent Skimmer, has been targeting these companies with the specific aim of stealing sensitive payment data from checkout pages. This in-depth article presents insights into the technical specifics of this ongoing campaign and offers actionable recommendations to secure web applications effectively.

Summary of Silent Skimmer Campaign

The Silent Skimmer campaign has been under close observation by the BlackBerry Research and Intelligence Team. They have identified it as an operation with roots likely in a Chinese-speaking community. The primary victims of this targeted campaign have been online businesses and Point-of-Sale (PoS) service providers. This long-standing operation aims to exploit vulnerabilities in web applications to steal sensitive payment data from checkout pages.

Technical Specifics of the Attack

Exploitation Techniques

The threat actors behind the Silent Skimmer campaign are highly proficient in exploiting web application vulnerabilities. Specifically, they have targeted applications hosted on Internet Information Services (IIS). The attackers use various techniques, such as living-off-the-land tactics and open-source tools, to escalate privileges and execute post-exploitation activities. This enables them to gain code execution on the targeted server.

Tools and Malware

The attackers deploy a PowerShell-based remote access trojan, known as server.ps1, that grants them remote control over the compromised host. The compromised host then connects to a remote server that hosts further utilities: download scripts, reverse proxies, and Cobalt Strike beacons. The ultimate objective is to deploy a scraper on the payment checkout page that captures financial data without the users' knowledge.

Evasion Techniques

A meticulous examination of the infrastructure employed by the attackers shows a pattern of selecting Virtual Private Servers (VPS) for command-and-control (C2) according to the geolocation of the victims. This adaptive strategy aids evasion: C2 traffic to a server in the victim's own region blends in with the compromised server's ordinary traffic and looks unremarkable to a casual observer.

Recommendations for Safeguarding Web Applications

Update and Patch

It is essential to keep your web application software, frameworks, and components updated with the latest security patches. Outdated systems are more susceptible to exploitation.

Security Assessments

Conduct regular security assessments that include penetration testing and vulnerability scanning. This proactive approach helps in identifying and rectifying vulnerabilities before they can be exploited.

Web Application Firewall (WAF)

Deploy a WAF to filter and block malicious traffic, which helps stop common attacks such as SQL injection and cross-site scripting (XSS).

Input Validation

Implement rigorous input validation to ensure that malicious input cannot be processed by your application.

User Privileges

Limit user privileges to only what is required for their tasks. This minimizes the potential impact of a breach.

Secure Session Management

Utilize strong session tokens, set timeouts, and handle cookies securely to protect session data.

Error Handling

Ensure proper error handling to prevent the accidental disclosure of sensitive information through error messages.

PowerShell Script Restrictions

Use application whitelisting to allow only authorized PowerShell scripts. Enable PowerShell’s Constrained Language Mode to limit script functionality and sign all PowerShell scripts with digital signatures.

Behavioral Analysis Tools

Deploy behavioral analysis tooling to detect abnormal or malicious use of Living-off-the-Land Binaries (LOLBins). Because LOLBins are legitimate, signed system binaries, signature-based controls will not flag them; only their context (parent process, command line, timing) gives them away.
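The two recommendations above (restricting PowerShell and watching LOLBin behaviour) come together in detection logic keyed on the IIS exploitation chain described earlier: the IIS worker process spawning a shell, PowerShell launched with policy-evasion switches, and a script named after the reported RAT. The following is an added example, not code from the report or from BlackBerry; it assumes process-creation events in a Sysmon-style JSON shape (Image, ParentImage, CommandLine, RecordId) and uses constructed sample events.

```python
import json

# Assumed field names follow Sysmon/process-creation logging (Image, ParentImage,
# CommandLine, RecordId); the events below are constructed, not from the report.
IIS_WORKER = "w3wp.exe"                      # IIS worker process hosting the web app
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Generic PowerShell switches used to dodge profile/policy controls; their appearance
# in a child of the IIS worker is the signal, not the switches by themselves.
EVASION_SWITCHES = ("-encodedcommand", "-enc ", "-nop", "executionpolicy bypass")

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return the names of every rule that fires for one process-creation event."""
    hits = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    if parent == IIS_WORKER and image in SHELLS:
        hits.append("iis_worker_spawned_shell")    # web app turned into a shell
    if image in POWERSHELL and any(s in cmd for s in EVASION_SWITCHES):
        hits.append("powershell_evasion_switch")
    if image in POWERSHELL and "server.ps1" in cmd:
        hits.append("server_ps1_executed")         # name from the report; trivially changed
    return hits

def detect(ndjson_log):
    """Run all rules over newline-delimited JSON events; return (RecordId, rule) pairs."""
    findings = []
    for line in ndjson_log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule in classify(event):
            findings.append((event["RecordId"], rule))
    return findings

# Constructed sample events: records 1 and 3 model post-exploitation from IIS,
# records 2 and 4 are benign administrative activity.
SAMPLE_LOG = r"""
{"RecordId": 1, "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -ExecutionPolicy Bypass -File C:\\inetpub\\temp\\server.ps1"}
{"RecordId": 2, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"}
{"RecordId": 3, "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"RecordId": 4, "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
"""
```

Calling detect(SAMPLE_LOG) flags records 1 and 3 only; the parent-process rule alone is worth alerting on, since a web worker has no legitimate reason to launch a shell.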

Final Thoughts

The Silent Skimmer campaign illustrates the growing technical complexity of cyber attacks on online payment systems. The sophistication of this campaign suggests that it is likely operated by advanced or experienced actors. A notable aspect is the adaptability shown in modifying the network infrastructure according to the victim’s geolocation. Given the evolving nature of this threat, it is imperative for businesses to remain vigilant and take proactive measures to safeguard their systems and data.
