Posted on May 18, 2022 at 7:19 PM
The Federal Bureau of Investigation (FBI) has issued a warning that some hackers are creating a backdoor into victims’ systems and accessing their credit card data. The agency stated that the attackers are scraping credit card data from the checkout pages of some US business websites.
The unidentified threat actors injected malicious PHP (Hypertext Preprocessor) code into the online checkout page of the targeted business website. According to the FBI, the code copies the card data entered on the page and sends it to a server controlled by the threat actors.
The Attackers Are Gaining Backdoors
According to the report, the threat actors began targeting US businesses in September 2020 by planting malicious PHP code into customized online checkout pages. Earlier this year, however, the actors changed tactics and started using a different PHP function.
The attackers created a basic backdoor using a debugging function, which let them download two webshells onto the web server of the US company. That gave the hackers persistent backdoor access to the server for further exploitation.
Based on the technical details provided by the agency, the threat actors started by targeting three internet protocol (IP) addresses: 184.108.40.206, 220.127.116.11, and 18.104.22.168.
The hackers altered the associated TempOrders.php file to insert malicious PHP code into the online checkout web page of the targeted business. They modified the checkout page through its include() statement, include("includes/cart_required_files.php"), which loads a second PHP file into the page at runtime.
The threat actors abused this feature to plant the contents of TempOrders.php into the checkout page’s cart_required_files.php file.
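The tampering described above changes a checkout file on disk and adds an include() that was never part of the platform. A defender can catch both with a file-integrity baseline plus a static scan of the PHP source for includes outside an allowlist and for functions that rarely belong in a storefront template. The script below is an added example written for this article; it is not FBI, Sucuri or platform code. The file names, the allowlist of permitted includes, and the two embedded PHP samples (a clean checkout page and a tampered one) are constructed for illustration.

```python
"""Integrity and static check for checkout PHP files (added example, not the
page's code). The allowlist and the sample PHP sources are assumptions."""
import hashlib
import re

# Includes a known-good checkout page is allowed to pull in (assumed allowlist;
# in practice this comes from a pristine copy of the shop platform release).
ALLOWED_INCLUDES = {
    "includes/application_top.php",
    "includes/cart_required_files.php",
}

# include / include_once / require / require_once with a quoted path.
INCLUDE_RE = re.compile(
    r"""\b(?:include|include_once|require|require_once)\s*\(?\s*['"]([^'"]+)['"]"""
)
# Calls that are common in injected PHP but rarely in a storefront template.
SUSPICIOUS_RE = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\(")

# Constructed sample: what the checkout page looked like at baseline time.
CLEAN_CHECKOUT = """<?php
require('includes/application_top.php');
include('includes/cart_required_files.php');
echo '<h1>Checkout</h1>';
"""

# Constructed sample: the same page after an extra include and an eval were added.
TAMPERED_CHECKOUT = """<?php
require('includes/application_top.php');
include('includes/cart_required_files.php');
include('includes/TempOrders.php');
eval(base64_decode($payload));
echo '<h1>Checkout</h1>';
"""


def sha256_text(source: str) -> str:
    """Digest used for the integrity baseline."""
    return hashlib.sha256(source.encode()).hexdigest()


def unexpected_includes(source: str) -> list[str]:
    """Paths pulled in by include/require that are not on the allowlist."""
    return [m.group(1) for m in INCLUDE_RE.finditer(source)
            if m.group(1) not in ALLOWED_INCLUDES]


def suspicious_calls(source: str) -> list[str]:
    """Sorted, de-duplicated names of suspicious function calls found."""
    return sorted({m.group(1) for m in SUSPICIOUS_RE.finditer(source)})


def audit(files: dict[str, str], baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare current file contents against a {path: sha256} baseline and
    scan each file. Returns {path: [finding, ...]} for files with findings."""
    findings: dict[str, list[str]] = {}
    for name, source in files.items():
        notes = []
        if name not in baseline:
            notes.append("new file not in baseline")
        elif baseline[name] != sha256_text(source):
            notes.append("content differs from baseline")
        notes += [f"unexpected include: {p}" for p in unexpected_includes(source)]
        notes += [f"suspicious call: {fn}(" for fn in suspicious_calls(source)]
        if notes:
            findings[name] = notes
    for name in baseline:
        if name not in files:
            findings[name] = ["file missing"]
    return findings


if __name__ == "__main__":
    base = {"checkout.php": sha256_text(CLEAN_CHECKOUT)}
    for path, notes in audit({"checkout.php": TAMPERED_CHECKOUT}, base).items():
        print(path)
        for note in notes:
            print("  -", note)
```

The baseline should be taken from a clean deployment and stored off the web server, otherwise an attacker with file-system access can simply refresh it. The static patterns are deliberately narrow; they are a tripwire for review, not a malware scanner.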
The Backdoors Could Grant The Hackers Strong Access
Sucuri noted that webshell backdoors can give attackers full access to a site, in particular to its file system. This usually gives them a complete picture of the environment, including the PHP version and the server operating system.
It can also give them the ability to change file permissions and to move files into other directories or into adjacent websites on the same server.
Sucuri also reported that of the 400 malware signatures it gathered in 2021, about 19% were webshells. The security company says there was a massive increase in signatures for PHP-based credit card skimmers last year, especially those affecting major e-commerce platforms such as OpenCart, Magento, and WordPress.
The threat actors also set up backdoor access to the targeted system by modifying two files within the checkout page. The FBI is sharing new indicators of compromise (IOCs) to help businesses defend their systems.
Recommended Mitigation By The FBI
The FBI has also recommended mitigations for the attack. The agency advised businesses to change the default login credentials on all of their systems and to secure their websites with the Secure Sockets Layer (SSL) protocol. They should also segment and segregate their network systems to make it harder for threat actors to move from one system to another.
The FBI also advised businesses to monitor the requests made against their e-commerce environment in order to identify possible malicious activity.
The agency further advised businesses to install third-party software only from trusted sources and to work with the vendor to make sure their security controls prevent unauthorized access to the data they process and store. They should also patch all systems for critical bugs, prioritizing internet-connected servers.
Such servers are known to carry several critical vulnerabilities that threat actors can use as a backdoor into the wider network. Businesses should also implement basic security controls such as multi-factor authentication to protect individual accounts, and monitor their web applications and web logs to block unauthorized access and spot anomalous activity on their systems.