TLP: GREEN
6 MAY 2020
Alert Number MU-000127-MW

WE NEED YOUR HELP! If you find any of these indicators on your networks, or have related information, please contact FBI CYWATCH immediately.
Email: cywatch@fbi.gov
Phone: 1-855-292-3937

*Note: By reporting any related information to FBI CyWatch, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.

The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients in order to protect against cyber threats. This data is provided to help cyber security professionals and system administrators guard against the persistent malicious actions of cyber actors. This FLASH was coordinated with DHS-CISA.

This FLASH has been released TLP: GREEN: The information in this product is useful for the awareness of all participating organizations within their sector or community, but not via publicly accessible channels.

Indicators of Compromise Associated with E-Skimming Threat (Magecart)

Summary

The e-skimming threat is broadly tracked publicly by cyber security professionals under the term "Magecart." E-skimming occurs when malicious JavaScript code (the "e-skimmer") is injected into an e-commerce website to steal payment card and personally identifiable information (PII) from customers. According to cyber threat intelligence companies, at least one "Magecart Group" is known to place the e-skimming script directly on e-commerce websites and use HTTP GET requests to exfiltrate the stolen payment data via proxies (compromised websites). Victims normally encounter the e-skimmer as a small snippet of script appended to their e-commerce website's source code. The FBI has identified new IOCs which may assist in network defense.
Technical Details

Unidentified cyber criminals victimized a US company's e-commerce website by exploiting the CVE-2017-7391 vulnerability in Magento Mass Import (MAGMI) software version 0.7.22, successfully retrieving environment credentials. The cyber criminals then downloaded web shells, such as 895.php and rma.php, which provided persistence and the capability to upload additional malicious files. The cyber criminals imported several malicious Hypertext Preprocessor (PHP) files and placed JavaScript code on the checkout pages of the e-commerce website. PHP files, such as Time.php and noerr.php, allowed the cyber criminals to scrape payment card data and PII from the victim's e-commerce website, such as a customer's name, email address, physical address, telephone number, and credit card information. The stolen data was then piped (delimited with a vertical bar character "|"), encoded in Base64, and saved in a Joint Photographic Experts Group (JPG) dump file created by the cyber criminals. The cyber criminals then leveraged the web shell to exfiltrate the dump file using HTTP GET requests.

Towards the latter part of the intrusion, the cyber criminals embedded a JavaScript e-skimmer in the e-commerce website that incorporated the use of several automated functions to collect input data, including payment card data and PII. Upon successful input data collection, the JavaScript automatically sent the stolen data to hxxp://89.32.251.136/validation/.

Figure 1: Snippet of Decoded E-Skimmer. (Figure not reproduced in this text version.)
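As an added illustration of the dump-file format described above (pipe-delimited records, Base64-encoded, stored under a JPG filename), the following Python check was written for this editorial pass and is not from the FLASH: it flags a supposed JPG that lacks the JPEG start-of-image marker but decodes to pipe-delimited text, and counts fields that look like card numbers. The sample record, the Luhn filter and all function names are assumptions made here.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample (not an artifact from the FLASH): one pipe-delimited
# record of the kind the report describes, Base64-encoded, as it would sit in a ".jpg".
_RECORD = "Jane Doe|jane@example.test|1 Main St|555-0100|4111111111111111|12/27|123"
SAMPLE_DUMP = base64.b64encode(_RECORD.encode()).decode().encode()

JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker every real JPEG begins with


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (assumed filter, not from the report)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_fake_jpg(data: bytes) -> Optional[List[List[str]]]:
    """Return pipe-split records if a supposed JPG is really a Base64 text blob, else None."""
    if data.startswith(JPEG_SOI):
        return None
    compact = re.sub(rb"\s+", b"", data)
    if not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        text = base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    records = [line.split("|") for line in text.splitlines() if line.strip()]
    # A dump of this kind has several fields per line; text without pipes is not one.
    return records if records and all(len(r) > 1 for r in records) else None


def scan_dump(data: bytes) -> Dict[str, object]:
    """Summarise a candidate dump: fake JPG or not, record count, card-like field count."""
    records = decode_fake_jpg(data)
    if records is None:
        return {"fake_jpg": False, "records": 0, "card_fields": 0}
    card_fields = sum(1 for r in records for f in r
                      if f.isdigit() and 13 <= len(f) <= 19 and luhn_ok(f))
    return {"fake_jpg": True, "records": len(records), "card_fields": card_fields}


if __name__ == "__main__":
    print(scan_dump(SAMPLE_DUMP))
```

Run it over every image under the web root that was modified after the suspected intrusion date; a genuine JPEG always fails the first test and is skipped cheaply.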
Indicators of Compromise

The following Internet Protocol (IP) addresses and Uniform Resource Locators (URLs) were used during vulnerability exploitation and/or data exfiltration:

IP Addresses
- 5.45.86.144
- 73.155.117.46
- 217.23.10.117

Uniform Resource Locators (URLs)
- http://89.32.251.136/validation/
- http://89.32.251.136/counter/index.php?v=

The following malware tools were used during the captioned intrusion:

Filename: N/A
MD5: e6f2e00bdddcf6e4bccfd1c337ac78c1
SHA256: 760784bb8d311f73a3ba5ff5972086fa9f1ffe8adad5aa98f6c4c406b55d9d6f
SHA1: 16ba03c3b343313aafb55213a9e843a0b439543e
File Size: 3,564
File type: Hexadecimal Representations
Note: Original Embedded e-Skimmer Code

Filename: 895.php
MD5: e9a644e74262414518bbe27235a9d605
SHA256: 5D316A3945650ED134F8FCBDD6A011744C10385875697547EEBCD430A249F661
SHA1: 13376d2df1887942131e99386c59e06d997c8287
File Size: 1,790
File type: PHP script, ASCII text
Note: PHP file used to upload arbitrary files to a compromised server. The uploaded files would be stored in the same path where 895.php resides.

Filename: rma.php
MD5: ca6ab39d47fac64251f93ab535e2aa76
SHA256: 06305ACBF12150DCC8DAE68E1F7A326558661F1EDC9F49149D38C7450DC37654
SHA1: 4460f68df3020decf39c44ede895cb5043897792
File Size: 229,306
File type: PHP script, ASCII text
Note: A well-known web shell called WSO version 4.2.5. WSO is a full-featured PHP web shell used by attackers to maintain persistent access to a compromised web server.

Filename: noerr.php
MD5: 36994c3e2e152ad864ceba5e23125215
SHA256: 8B30223133EFAA61DDABF629E3FD1753B51DDB1E5E3459F82A72BA31F78BD490
SHA1: 35cb4e29450d9da5c97507b00fdca78caa73b2ef
File Size: 1,395
File type: PHP script, ASCII text, with very long lines, with no line terminators
Note: PHP script to save credit card information (encoded in Base64) to a repository file. This tool is used in tandem with malicious JavaScript appended to the legitimate Magento credit card validation code, which sends the stolen payment information to noerr.php via an HTTP POST request.

Filename: script.js
MD5: e42d15afce47af9fb13cc430f30b5bad
SHA256: 1B058DF16E6034AD1B71B3A4C6B6D4FF4C9BA72D1BAAB6C37261434854B31A90
SHA1: 775381df0c39e88b3a3a831d1032c9023f5fb25b
File Size: 8,664
File type: HTML document, ASCII text, with very long lines, with CRLF line terminators
Note: JavaScript injected into the checkout page of the e-commerce website. When the page is completely loaded in a customer's browser, the script parses the form for credit card details, which are then encoded to JSON and Base64 and exfiltrated via an HTTP GET tunnel.

Filename: Time.php
MD5: 51b04efed001fc7e5050c8949bc0114a
SHA256: 31AC68194FA993214E18AA2483B7187AAD0CB482667EC14A7E9A0A37F8ED7534
SHA1: b5bc056d1ba1f5156bc25cecf2ebaa79ec081931
File Size: 1,431
File type: PHP script, ASCII text, with very long lines, with no line terminators
Note: PHP file that scrapes credit card information from an e-commerce website and saves the data, encoded in Base64, in a JPG file.

Recommended Mitigations

The FBI recommends the following security measures to protect your systems against e-skimming.

- Update and patch all systems, to include operating systems, software, and any third-party code running as part of your website.
- Keep anti-virus and anti-malware up to date and firewalls strong.
- Disable extensions and functions within your e-commerce website that are not being used.
- Change default login credentials on all systems.
- Monitor requests performed against your e-commerce environment to identify possible malicious activity.
- Segregate and segment network systems to limit how easily cyber criminals can move from one to another.
- Assign unique, complex local administrator passwords to all workstations and other network endpoints to limit potential exposure from reuse of the same compromised password.
- Assign permission codes to website directories and files to help prevent unauthorized access to files containing website scripts.
- Secure all websites transferring sensitive information by using secure socket layer (SSL) protocol.
- Install third-party software/hardware from trusted sources. Coordinate with the manufacturer to ensure their security protocols prevent unauthorized access to data they store and/or process.
- Patch all systems for critical vulnerabilities, prioritizing timely patching of internet-connected servers for known vulnerabilities and software processing internet data, such as web browsers, browser plugins, and document readers.
- Actively scan and monitor web logs and web applications for unauthorized access, modification, and anomalous activities.
- Regularly conduct network penetration tests, code integrity checks, and dynamic application security tests on websites to identify vulnerabilities or misconfigurations.
- Strengthen credential requirements and implement multifactor authentication to protect individual accounts.
- Conduct regular backups to reduce recovery time in the event of a compromise or cyber intrusion.
- Educate employees about safe cyber practices. Most importantly, do not click on links or unexpected attachments in messages.
- Maintain an updated Incident Response Plan addressing cyber threat response.

Reporting Notice

The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI's 24/7 Cyber Watch (CyWatch). With regard to specific information that appears in this communication, the context and individual indicators, particularly those of a non-deterministic or ephemeral nature (such as filenames or IP addresses), may not be indicative of a compromise. Indicators should always be evaluated in light of your complete information security situation.

Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI's National Press Office at npo@fbi.gov or (202) 324-3691.

Administrative Note

This product is marked TLP: GREEN: Subject to standard copyright rules, TLP: GREEN information may be distributed to affiliated organizations or members of the same sector, but never through public channels. For comments or questions related to the content or dissemination of this product, contact CyWatch.

Your Feedback on the Value of this Product Is Critical

Was this product of value to your organization? Was the content clear and concise? Your comments are very important to us and can be submitted anonymously. Please take a moment to complete the survey at the link below. Feedback should be specific to your experience with our written products to enable the FBI to make quick and continuous improvements to such products. Feedback may be submitted online here: https://www.ic3.gov/PIFSurvey

Please note that this survey is for feedback on content and value only. Reporting of technical information regarding FLASH reports must be submitted through FBI CYWATCH.
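To illustrate the IOC list and the recommendation above to monitor requests against the e-commerce environment and web logs, here is an added Python example (not from the FLASH) that matches combined-format access-log or forward-proxy lines against the listed IP addresses, the exfiltration host and the tool filenames named in this report. The log lines are constructed, and the field names and reason labels are assumptions made here.

```python
import re
from typing import Dict, List

# Indicators taken from the IOC section of this FLASH.
IOC_IPS = {"5.45.86.144", "73.155.117.46", "217.23.10.117"}
IOC_HOST = "89.32.251.136"
IOC_FILES = {"895.php", "rma.php", "noerr.php", "time.php"}

# Constructed sample log lines in combined log format (not real logs); the last line
# models a forward-proxy record of a customer browser reaching the exfiltration host.
SAMPLE_LOG = """\
10.0.0.5 - - [06/May/2020:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
217.23.10.117 - - [06/May/2020:10:02:44 +0000] "POST /media/895.php HTTP/1.1" 200 12 "-" "curl/7.64.1"
10.0.0.9 - - [06/May/2020:10:03:01 +0000] "POST /skin/noerr.php HTTP/1.1" 200 0 "https://shop.example.test/checkout/" "Mozilla/5.0"
10.0.0.7 - - [06/May/2020:10:04:30 +0000] "GET /media/catalog/product/cache/a1.jpg HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.0.0.9 - - [06/May/2020:10:05:10 +0000] "GET http://89.32.251.136/counter/index.php?v=eyJj HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one hit per line that touches an IOC IP, the IOC host, or a known tool filename."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        target = m["target"]
        reasons = []
        if m["ip"] in IOC_IPS:
            reasons.append("source_ip")  # request came from a listed attacker IP
        if IOC_HOST in target:
            reasons.append("ioc_host")   # absolute URL pointing at the exfiltration host
        filename = target.split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if filename in IOC_FILES:
            reasons.append("tool_file")  # web shell or scraper filename from the report
        if reasons:
            hits.append({"ip": m["ip"], "method": m["method"], "target": target, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A POST to noerr.php from an ordinary customer address with the checkout page as referrer is the pattern the report describes for the injected validation code, so treat "tool_file" hits as worth a look even when the source IP is not listed.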