The Good, the Bad and the Ugly in Cybersecurity – Week 6

The Good

This week’s good news sees the end of the road for four notorious darknet trading markets from the unlikely but welcome work of Russian law enforcement agencies. Darknet markets Ferum Shop, Sky-Fraud, Trump’s Dumps and UAS (Ultimate Anonymity Services) specialized in credit card fraud and credential theft.

According to a report, the take downs were the handiwork of Russia’s Ministry of Internal Affairs’ Department “K”. Aside from shuttering the sites, Russian authorities also announced the arrest of six individuals on charges of “illegal circulation of means of payment”. Russia’s Article 187 of the Criminal Code act states that offences relating to illegal card trading are punishable by imprisonment of up to seven years.

These carding sites, some of which have been in business since 2013, are estimated to have collectively made over $263 million. UAS specialized in trading credentials for RDP (Remote Desktop Protocol) accounts, a common entrypoint for ransomware attackers.

It’s been a tough year so far for darknet markets, with CanadaHQ kicked into touch last week, and potentially more seizures to come promised by Russian authorities, who left the message “Кто из вас следующий” embedded in the html of the seized sites.

    <title>CLOSED</title>
</head>

<body>
    <!-- Кто из вас следующий? 👮 -->
    <div class="logo_img">
        <img class="logo_svg" src="/k_mvd_svg" alt="#">
    </div>
    <div class=website>

The message translates as “Which of you is next?”.

The Bad

It may have been a bad week for carding markets, but the news hasn’t been great for those still operating Magento 1 e-commerce stores, either. Over 500 stores running the platform were breached with payment skimmer malware, according to a report released on Tuesday.

The hackers used known vulnerabilities to gain access to the stores. In one case, they abused a flaw in the Quickview plugin to run an SQL injection and PHP Object Injection attack to gain control of the target store.

Researchers say the attackers found a clever trick to execute the malicious code after adding it to the store’s database: browsing the Magento sign up page. Having compromised a store, the attackers left multiple backdoors on the system—as many as 19 separate backdoors—to ensure reentry if the attack were discovered.

According to researchers, the following files were either added or edited to contain malicious code:

/api.php
/api_1.php
/install.php
/sc_api.php
/phpinfo.php
/adminer.php
/app/code/core/Mage/Page/Block/Html.php
/errors/api.php
/media/api.php
/media/catalog/category/test.jpeg
/media/catalog/category/panch.jpg
/js/api.php
/js/cartcheckout.php
/skin/api.php
/skin/adminhtml/default/default/images/loader.php
/skin/adminhtml/default/default/controller.php
/skin/frontend/default/default/upldr.php
/skin/frontend/base/default/conf.php
/var/importexport/customer.csv

Once a store is compromised, shoppers are presented with a fake payment popup. Payments that are intended for the store are instead sent to the attacker at

hxxps://naturalfreshmall[.]com/payment/Payment.php

While the Magento 1 platform reached End-Of-Life over 18 months ago, thousands of merchants continue to use it and the latest breach comes after over 2000 Magento 1 stores were hacked back in September 2020. All e-commerce traders still using Magento 1 are urged to upgrade to Magento 2 without delay.

The Ugly

It’s well-known that there are APTs that attack organizations, governments and on occasion individuals in order to conduct espionage or even steal money, but APTs that conspire to plant false evidence and imprison civil rights activists is behavior that is only recently starting to come to light. This week, SentinelLabs’ researchers disclosed how activists in India had been targeted repeatedly over ten years by an APT with the aim of planting false evidence on their devices.

Researchers say that the ModifiedElephant APT engages in long-term surveillance to plant incriminating files on its targets, who are then conveniently arrested. The group operates primarily through phishing with malicious attachments and unsophisticated, off-the-shelf malware that targets Windows and Android devices.

This isn’t the first time the SentinelLabs researchers have identified an APT acting with the primary intent of planting false evidence on its targets. In September 2021, they also reported on a Turkish-nexus state actor they dubbed ‘EGoManiac’, finding that the actor was responsible for a cluster of two campaigns that targeted Turkish journalists.

One thing both cases seem to share in common is a connection to private sector offensive actors. EGoManiac appeared to have connections with the now defunct Hacking Team, while  some of ModifiedElephant’s targets were also infected with the now infamous NSO Group’s Pegasus mobile spyware.

While this kind of activity doesn’t appear to be new – some of the cases go back to 2010 – it’s an aspect of APT activity that has rarely been brought to light before, so all credit to the researchers for bringing it to public attention. To paraphrase our Russian law enforcement friends mentioned above, which of you APTs is next?