A new, sophisticated web-skimming campaign, Silent Skimmer, has targeted payment firms in the Asia-Pacific (APAC) and North America and Latin America (NALA) regions to steal sensitive financial data from unsuspecting users.
The campaign’s modus operandi is to gain initial access to a targeted network by exploiting vulnerable internet-facing applications. Once the operators breach the public-facing website, they deploy several tools, escalate privileges, run code, and establish remote access to the targeted servers.
The new Silent Skimmer campaign has been exploiting a .NET flaw since May.
Since May, the Silent Skimmer operators have exploited a .NET deserialisation vulnerability (CVE-2019-18935) in the Progress Telerik UI for ASP.NET AJAX. The flaw enabled them to execute malicious DLL code on their chosen servers remotely.
This malicious DLL starts a chain of steps that results in the deployment of various malicious tools. These tools provide multiple capabilities, such as communicating with an attacker-controlled HTTP File Server and running downloader scripts, remote access scripts, webshells, exploits, and Cobalt Strike beacons. As the campaign reaches its sinister climax, sensitive user information, including billing and credit card details, is stealthily exfiltrated through Cloudflare.
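As an added example that is not part of the original article, the following Python triage script scans IIS-style web server log lines for bursts of POST requests from a single client to the Telerik RadAsyncUpload handler (`Telerik.Web.UI.WebResource.axd?type=rau`, the component targeted by CVE-2019-18935 according to the public advisory). The log lines and field layout are constructed for illustration; the threshold is an assumed starting point, since legitimate uploads also use this handler.

```python
import re
from collections import Counter

# Constructed sample log (not real traffic). Simplified IIS W3C fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2023-05-12 10:01:02 203.0.113.5 GET /default.aspx - 200
2023-05-12 10:01:09 203.0.113.5 POST /Telerik.Web.UI.WebResource.axd type=rau 200
2023-05-12 10:01:10 203.0.113.5 POST /Telerik.Web.UI.WebResource.axd type=rau 200
2023-05-12 10:01:11 203.0.113.5 POST /Telerik.Web.UI.WebResource.axd type=rau 200
2023-05-12 10:02:00 198.51.100.7 GET /Telerik.Web.UI.WebResource.axd type=rau 200
2023-05-12 10:03:00 198.51.100.9 POST /checkout/pay - 302
"""

# RadAsyncUpload handler path (from the public CVE-2019-18935 advisory).
RAU_HANDLER = re.compile(r"^/Telerik\.Web\.UI\.WebResource\.axd$", re.IGNORECASE)
RAU_QUERY = re.compile(r"(^|&)type=rau(&|$)", re.IGNORECASE)


def parse_iis_line(line):
    """Split one simplified W3C line into a dict; returns None for bad lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    keys = ("date", "time", "ip", "method", "path", "query", "status")
    return dict(zip(keys, parts))


def is_rau_post(rec):
    """True when the record is a POST to the RadAsyncUpload handler."""
    return (rec["method"].upper() == "POST"
            and RAU_HANDLER.match(rec["path"]) is not None
            and RAU_QUERY.search(rec["query"]) is not None)


def find_rau_posts(log_text, threshold=3):
    """Return {client_ip: count} for clients whose RadAsyncUpload POSTs reach
    the threshold. A single POST is normal upload traffic; a burst from one
    client is worth triage against the Telerik version actually deployed."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec and is_rau_post(rec):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_rau_posts(SAMPLE_LOG).items():
        print(f"triage: {ip} sent {n} POSTs to the RadAsyncUpload handler")
```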
The threat actors behind the Silent Skimmer campaign remain unidentified. However, the campaign’s GitHub repository and the presence of Chinese-language code in a PowerShell Remote Access Trojan indicate that Chinese hacking groups could have participated in these web-skimming operations. Furthermore, the threat actor’s C2 server is located in Asia; hence, there is strong evidence that the attackers operate from one of the Asian countries.
This newly discovered Silent Skimmer campaign is the latest addition to the growing number of sophisticated operations in the cybercriminal landscape. Its intricacy suggests that experienced threat actors have put sophisticated capabilities into the campaign.
Therefore, organisations should remain vigilant and proactive, since this campaign continues to expand its reach. Staying informed about the campaign’s TTPs improves an organisation’s chances of avoiding compromise, and organisations should hunt for the attack’s Indicators of Compromise (IOCs) to mitigate or prevent its attempts effectively.