A truism is that where there is money, there is crime — it applies in every corner of society, from street markets to financial markets, and everything in between. In the realm of cyber security, however, it is often truer than many would believe. State-sponsored and sanctioned cyber threat actors have routinely targeted large financial industries, often leveraging the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. Other large actors have targeted stock exchanges or even the emerging cryptocurrency markets, while still many more smaller actors have targeted retail finance, and even ATMs, and a growing segment of these attacks have also turned to target eCommerce platforms and online retailers.
It should then come as no surprise that especially with the COVID-19 pandemic, as more people than ever have turned to eCommerce platforms to supply themselves or eke out a living, that threat actors would seek to target these platforms. However, over the last two weeks, an unknown group has, according to a report released by Sansec, carried out the largest ever Magecart-style attack against retailers running the eCommerce platform Magento (version 1), affecting at least 2,806 stores.
The targeting of the v1 platform is significant because as of June 2020 the platform has been designated End of Life (EOL). This designation is important, as it means these stores will no longer receive updates — especially security updates — from Adobe, which acquired the platform in 2018, and some estimates have suggested there may be “tens of thousands” of v1 stores operating globally. This means that vulnerabilities found by researchers and threat actors will remain unpatched.
The Initial Attack
Sansec reported that the initial attack appears to have begun on or around 11 September 2020, with the attacker targeting only a handful of online retailers. Sansec provided a handful of indicators related the compromise, which allowed us to begin our search. We mapped out the indicators in King & Union’s intelligence and link analysis platform Avalon with enrichment provided by Cyborg Security’s SIGNS threat data feed.
Figure 1 — Initial Indicators of Compromise
Figure 2 — Obfuscated jet.js from mcdnn[.]me
Figure 3 — Recovered file dating back to 02 August 2020
We were also able to identify dozens of modified prototype.js files — a legitimate component of the Magento eCommerce platform — all of which had been modified and which pointed to the “widget.js” web Skimmer hosted on the attacker-controlled mcdnn[.]net domain. Again, note the similarities to the recovered file above.
Figure 4 — Sample code snippet from modified prototype.js files
We then began the initial enrichment process, in order to identify the attack’s infrastructure. We noted that the attacker’s infrastructure was, largely, hosted on IPs in close proximity to one another, from the same provider, located in Moscow, Russia. We also noted that the actors have a tendency to reuse domains between campaigns, which can be considered odd given the highly temporal nature of Magecart-style attacks.
This basic enrichment allowed us to then collate and correlate the attacker’s infrastructure with Cyborg Security’s SIGNS threat feed, which identified significant overlap between this current activity group, and activity that Cyborg Security has previously observed earlier in the year.
Based on the significant overlap in infrastructure and some of the observed TTPs it is highly probable that these attacks were carried out by the same actors responsible for the so-called Ant and Cockroach web skimmer.
We were also able to identify several domains which had been registered in the same period, but which appeared to be inactive. It is likely that the attackers will use this additional infrastructure in future campaigns, or as a fall back in the event their current infrastructure is blocked.
Figure 5 — Enrichment from Cyborg Security’s SIGNS threat feed
From the Cyborg Security SIGNS threat feed, we were also able to quickly identify previous targeting and tactics, techniques, and procedures which led to some interesting overlaps.
- Previous activity identified that the actors, who appear to be primarily financially motivated, have largely targeted the Magento platform in the past, with some specific targeting of the “v1” version, specifically.
- Previous eCommerce attacks by the actors appear to target two languages exclusively for the checkout pages: English and Portuguese.
- Some of their infrastructure has previously been tied to the Brazilian-focused Lampion banking trojan, further reinforcing an interest in the LATAM market.
- Infrastructure re-use (IPs and Domains) across campaigns.
- The actors frequently employ homoglyph-style attacks, mimicking various protocols or legitimate web services for their domains.
The “Cardbleed” Exploit Connection
Another element mentioned in the Sansec story was the possible connection to a post by an actor referred to as “z3r0day” in a popular Russian deep web forum.
We retrieved the post, which was authored on 15 August 2020, and it is presented below in its original Russian, and translated to English.
Figure 6 — Original post by ‘z3r0day’ dated 15 August 2020
Figure 7 — Translation of ‘z3r0day’ post, courtesy Google Translate
In the post, the actor describes an alleged 0-day vulnerability affecting all Magento v1 stores.
The seller also says they will include additional 1-day vulnerabilities that can use used to target Magento v1, as well as documentation and even a training video to guide would-be purchasers through the exploitation process. As Sansec noted, the provider is also committing to only sell 10 copies of the exploit, likely in an effort to ensure that exploitation of the vulnerability remains somewhat covert. As of 21 September 2020, 7 copies of the exploit have been sold.
Figure 8 — An update given from the seller ‘z3r0day’
We were able to gather additional details on the seller by leveraging our threat actor profiles, which allowed us to map out the actor’s previous activity, as well as known contact information.
An interesting point is that the seller had authored a second post on the same day that he offered the 0-day vulnerability, looking for partnership opportunities with individuals who actively target “popular” CMS platforms (with the actor listing OpenCart and Magento specifically, but indicating other platforms would be acceptable as well).
Figure 9 — A previous post from actor ‘z3r0day’ on the same date as his post regarding a Magento 0-day
Figure 10 — Previous Activity by actor ‘z3r0day’
One point to note regarding ‘z3r0day’ is that while he stipulates that he will not work with those targeting CIS countries (a relatively common practice for those operating on the Russian underground, otherwise referred to as the RuNet), he has also previously expressed that he will also not work with those targeting India, a practice that is much less common. It is unclear at this time why he has this limitation.
The actor also appears to be affiliated with the well-known ‘Allsafe’ VPS service which provides threat actors with a hosting provider which not only permits malicious activity but will also provide pre-configured servers for various malicious activity.
Currently, there exist a few intelligence gaps regarding the reporting surrounding the recent wave of Magecart-style attacks which have appeared to have targeted the Magento version 1 platform.
- While the targeting of the end-of-life Magento platform appears intentional, is this because the attacker has access to a specific and novel capability (i.e. the ‘Cardbleed’ 0-day attack), or were these platforms previously compromised by the attackers (or perhaps purchased from actors who cultivate network access)?
- Presently, there are no direct operational linkages which connect the actors conducting the attacks with the seller ‘z3r0day’ and the alleged ‘Cardbleed’ exploit.
- The actors responsible for the attacks appear to have been carrying out similar attacks prior to 15 August 2020, when the ‘Cardbleed’ exploit was offered for sale.
- The attacker has previously been shown to reuse specific TTPs and infrastructure, however it is reasonable that an attacker gaining a significant advantage would want to avoid detection as long as possible.
- The attacker may have felt compelled to act quickly and operate using infrastructure that they deemed reliable.
While it remains unclear how the actors have gained access to the targeted Magento v1 platforms, that the scope of the attack is unprecedented is without doubt. However, such radical escalation on the part of the attackers is unsurprising given the continued growth in online retailing, especially with the continued reliance on it by many as a result of the COVID-19 pandemic.
However, perhaps more important is the fact that with Magento version 1 being rendered obsolete, any vulnerabilities discovered in the platform will remain unpatched. This is further complicated by the extremely large base of legacy users who remain on the EOL version for various reasons.
As a result, it is highly likely that some exploit developers and attackers will focus their efforts on the EOL version specifically. This will result in companies which choose to operate on the legacy version exposing themselves to increased targeting by financially motivated threat actors, and potentially exposing their clients to increased risk of fraud.
Clients of King & Union will find all of our research available in the Avalon platform in the Cyborg Security group!