Silent Skimmer is back: how hackers bypass the protection of large companies

Old breaches pave the way for new data breaches.

Researchers from Unit 42 have rediscovered the activity of a cyber group associated with the Silent Skimmer campaign, which at the end of 2023. In May 2024, attackers compromised several web servers to gain access to the infrastructure of a large company from North America. Experts attribute these attacks to Silent Skimmer due to overlaps in the tools and tactics used.

The Silent Skimmer operation was first spotted in September 2023, when hackers were collecting data from online payments. Since then, there has been practically no news about them. According to Unit 42, cybercriminals are now targeting companies that develop and maintain payment systems and gateways.

To hack servers, attackers used vulnerabilities in the popular Telerik UI platform. In particular, two vulnerabilities, CVE-2017-11317 and CVE-2019-18935, were exploited to allow remote code execution and file downloads. Both vulnerabilities are included in the CISA Known Exploited Vulnerabilities catalog.

After gaining access, the hackers deployed web shells and set up a persistent connection through tunneling and reverse proxies such as Fuso and FRP. Later, the GodPotato tool was used to escalate privileges using PowerShell scripts.

The attackers actively used mixed .NET and C++ assemblies to make it difficult to parse their code. This made it possible to hide malicious functionality and bypass security systems. In addition, Python scripts packaged with PyInstaller were used to exfiltrate the data, which made it possible to disguise them as legitimate executables.

The main method of attack is the installation of reverse shells and the use of legitimate Windows utilities to execute malicious commands. For example, hackers used "mshta.exe" to download and execute malicious HTA files, which then ran PowerShell scripts.

The similarities in tactics and tools used confirm the connection between this activity and the campaign previously described by BlackBerry against payment processors. However, now attackers are using new methods of data collection: instead of injecting code into pages, they use Python scripts to connect to databases and upload data to CSV.

Palo Alto Networks specialists recommend promptly updating vulnerable versions of programs and using advanced security tools such as Cortex XDR and XSIAM, as well as cloud services, including Advanced URL Filtering and Advanced DNS Security.
