Credit Card Scraping PHP Code (MC-000170-MW)
On May 16th, the Federal Bureau of Investigation (FBI) released a flash alert MC-000170-MW highlighting malicious activity by unidentified threat actors that unlawfully scraped credit card data by injecting infected PHP Hypertext Preprocessor (PHP) code into the online checkout page for a US business. This scraped data was further sent to a spoofed server controlled by the threat actors. The unidentified threat actors also established backdoor access to the victim’s computer by modifying two files on the checkout page. According to the FBI, this activity began back in September 2020 and was observed as late as January 2022.
Technical details
- Actors leveraged 3 IP addresses – 80.249.207.19/ 80.82.64.211/ 80.249.206.197
- Malicious PHP code injected into the checkout.php page by altering the TempOrders.php file
- Threat actors extracted and exfiltrated credit card data from TempOrders.php to a victim-specific PHP file “file_name.php”
- The payment information was then sent to a spoofed card processing domain http://authorizen[.]net/, a domain intended to spoof a real credit card processing company authorize[.]net
- A rudimentary backdoor was also installed allowing the threat actors to download 2 PHP WebShells, P.A.S. and b374 which could be leveraged for further exploitation
What You Should Do Now
The SafeBreach Hacker’s Playbook has been updated with the following attacks to include the various IOCs identified in this flash alert:
- #7037 – Write Fobushell malware to disk (Host-Level)
- #7038 – Transfer of Fobushell malware over HTTP/S (Lateral Movement)
- #7039 – Transfer of Fobushell malware over HTTP/S (Infiltration)
- #7040 – Email Fobushell malware as a ZIP attachment (Lateral Movement)
- #7041 – Email Fobushell malware as a ZIP attachment (Infiltration)
Please note that as the attackers were using a known Webshell b374, our Hacker’s Playbook already includes the following attacks that will allow you to validate your security controls against this backdoor.
- #1380 – Transfer of the b374k Web Shell over HTTP
- #1867 – Email the b374k WebShell as part of a ZIP attachment
- #2069 – Email the b374k WebShell as part of a ZIP attachment
- #6900 – Transfer of the b374k Web Shell over HTTP/S (WAF)
Additional recommended mitigations from the FBI:
- Update and patch all systems, including operating systems, software, and any third-party code running as part of your website.
- Change default login credentials on all systems.
- Monitor requests performed against your e-commerce environment to identify possible malicious activity.
- Segregate and segment network systems to limit how easily cybercriminals can move from one to another.
- Secure all websites transferring sensitive information by using the secure socket layer (SSL) protocol.
- Patch all systems for critical vulnerabilities, prioritizing timely patching of internet-connected servers for known vulnerabilities and software processing internet data, such as web browsers, browser plugins, and document readers.
- Actively scan and monitor weblogs and web applications for unauthorized access, modification, and anomalous activities.
- Strengthen credential requirements and implement multifactor authentication to protect individual accounts.
- Conduct regular backups to reduce recovery time in the event of a compromise or cyber intrusion.
US-CERT Alert (AA22-138A) – F5 BIG-IP CVE-2022-1388
On the 18th of May, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint advisory AA22-138A in response to the active exploitation of the vulnerability CVE-2022-1388. This vulnerability, found in certain versions of F5 Networks, Inc., BIG-IP allows an unauthenticated threat actor to gain control of the affected system via the management port or self-IP addresses. As the proof of concept of this exploit has been publicly released, unsophisticated threat actors can easily leverage it to their own benefit.
According to the information available, there is ongoing active exploitation of this vulnerability that can lead to widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private-sector networks.
Technical Details –
- CVE-2022-1388 is a critical iControl REST authentication bypass vulnerability affecting the following versions of F5 BIG-IP:[1]
- 16.1.x versions prior to 16.1.2.2
- 15.1.x versions prior to 15.1.5.1
- 14.1.x versions prior to 14.1.4.6
- 13.1.x versions prior to 13.1.5
- All 12.1.x and 11.6.x versions
- An unauthenticated actor with network access to the BIG-IP system through the management port or self IP addresses could exploit the vulnerability to execute arbitrary system commands, create or delete files, or disable services.
- POC exploits for this vulnerability have been publicly available and CISA/MS-ISAC expects to see widespread exploitation of unpatched F5 BIG-IP devices in government and private networks.
What You Should Do Now
The SafeBreach Hacker’s Playbook has been updated with the following attack to allow organizations to validate their security controls against the identified vulnerability.
- #6993- Remote exploitation of F5 BIG-IP vulnerability CVE-2022-1388 RCE
Additional recommended mitigations from CISA/MS-ISAC:
- Upgrade F5 BIG-IP software to fixed versions; organizations using versions 12.1.x and 11.6.x should upgrade to supported versions.
- If unable to immediately patch, implement F5’s temporary workarounds:
- Block iControl REST access through the self IP address.
- Block iControl REST access through the management interface.
- Modify the BIG-IP httpd configuration.
- See F5 Security Advisory K23605346 for more information on implementing the above workarounds.
- Properly configure and secure internet-facing network devices.