Cyber Pulse: Edition 145 | 19 February 2021

Read the latest edition of Cyber Pulse: Hackers abuse Google Apps Script to steal credit cards, bypass CSP, tracker pixels in emails are now ‘endemic’ privacy concern, DDoS attack takes down EXMO cryptocurrency exchange servers, US cities hit by ransomware attack, Microsoft web shells attacks spreading like wildfire, and three new vulnerabilities patched in OpenSSL.

Here is our cyber security news round-up of the week:

Hackers abuse Google Apps Script to steal credit cards, bypass CSP

Attackers are abusing Google's Apps Script business application development platform to steal credit card information that customers of e-commerce websites submit while shopping online. The script.google.com domain lets them hide their malicious traffic from malware scan engines and bypass Content Security Policy (CSP) controls: online stores tend to treat Google's Apps Script domain as trusted and often whitelist all Google subdomains in their sites' CSP configuration (CSP being a security standard for blocking untrusted code execution in web apps).

Once deployed, the scripts allow them to harvest the payment and personal info submitted by the hacked shops' customers and collect it on servers under their control. This new payment-info theft tactic was discovered by security researcher Eric Brandel while analysing Early Breach Detection data provided by Sansec, a cybersecurity company focused on fighting digital skimming.

"The malware domain analit[.]tech was registered on the same day as previously discovered malware domains hotjar[.]host and pixelm[.]tech, which are also hosted on the same network," Sansec said.

As he discovered, the malicious and obfuscated skimmer script injected by the attackers in e-commerce sites intercepted payment info submitted by users.

All the payment info stolen from the compromised online shop was sent as base64 encoded JSON data to a Google Apps Script custom app, using script[.]google[.]com as an exfiltration endpoint.
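As an added, defender-side illustration (not code from the Sansec report or this newsletter), the Python checker below parses a CSP header and reports which directives would let a compromised page send data to script.google.com. Both headers are constructed: one in the over-broad shape described above, one restricted to the exact hosts a store needs (the Google Analytics and Tag Manager hostnames are stand-ins for whatever a given store actually uses).

```python
from urllib.parse import urlparse

EXFIL_HOST = "script.google.com"   # exfiltration endpoint named in the report
# Directives a skimmer can use to push data out, and whether each one falls
# back to default-src when absent (fetch directives do; form-action does not).
DIRECTIVES = (("connect-src", True), ("img-src", True), ("form-action", False))

# Constructed header in the shape of an over-broad store policy.
WEAK_CSP = ("default-src 'self'; script-src 'self' *.google.com; "
            "connect-src 'self' https://*.google.com; img-src 'self' https:")
# Constructed hardened version: only the exact hosts the store needs.
HARDENED_CSP = ("default-src 'self'; script-src 'self' www.googletagmanager.com; "
                "connect-src 'self' https://www.google-analytics.com; "
                "img-src 'self' https://www.google-analytics.com; form-action 'self'")


def parse_csp(header):
    """Turn "dir a b; dir2 c" into {"dir": ["a", "b"], "dir2": ["c"]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_allows(source, host):
    """Does one CSP source expression permit `host`? (ports are ignored)"""
    s = source.lower().strip("'")
    if s in ("*", "https:", "http:"):      # scheme-only sources match any host
        return True
    if "://" in s:
        s = urlparse(s).hostname or ""
    s = s.split("/")[0]
    if s.startswith("*."):                 # *.google.com covers script.google.com
        return host.endswith(s[1:])
    return s == host


def exfil_paths(header, host=EXFIL_HOST):
    """Map each directive that would let data reach `host` to the sources at fault."""
    policy = parse_csp(header)
    findings = {}
    for directive, falls_back in DIRECTIVES:
        sources = policy.get(directive)
        if sources is None and falls_back:
            sources = policy.get("default-src", [])
        if sources is None:
            sources = ["*"]                # no form-action at all: any destination
        hits = [s for s in sources if source_allows(s, host)]
        if hits:
            findings[directive] = hits
    return findings
```

Running `exfil_paths(WEAK_CSP)` flags connect-src, img-src and the missing form-action, while the hardened header returns no findings.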

Tracker pixels in emails are now ‘endemic’ privacy concern

This week, the Hey messaging service analysed its traffic following a request from the BBC and discovered that roughly two-thirds of emails sent to its users' private email accounts contained what is known as a "spy pixel." Spy pixels, also known as tracking pixels or web beacons, are invisible, tiny image files – including .PNGs and .GIFs – that are inserted in the content body of an email. They may appear as clear, white or another colour to merge with the content and remain unseen by a recipient and are often as small as 1x1 pixels.

The recipient of an email does not need to engage with the pixel in any way for it to track certain activities. Instead, when an email is opened, the tracking pixel is automatically downloaded – and this lets a server, owned by a marketer, know that the email has been read. Servers may also record the number of times an email is opened, the IP address linked to a user's location, and device usage.

Similar pixels are also widely used on web domains to track visitors. Tracking pixels have been around for some time but are not well known. For marketers, pixels can be an invaluable method to measure engagement levels, estimate the success of marketing campaigns, and potentially to send follow-ups and more personalised notes when a message has been read, but not responded to. 

In Europe, GDPR demands that organisations tell recipients about the use of such pixels. However, the water has been muddied surrounding the transparency necessary to implement pixel tracking, as consent is not always required – and when it is, this could be 'obtained' automatically when a user signs up to an email service and is asked to read a privacy notice published on a website. The UK's own Information Commissioner's Office (ICO), which acts as a data protection watchdog, uses pixels to track email openings in its newsletter, as noted by the BBC. Users are clearly told of the trackers at sign-up; however, the ICO intends to remove this functionality soon.

It is possible to prevent tracking pixels from triggering by disabling automatic image loading in your email client or web browser, or by installing email and browser add-ons that block trackers.
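As an added example (not code from the BBC or Hey analysis), the Python snippet below applies the description above as a detection rule: it parses an HTML email body with the standard library and flags remote images that are 1x1 or hidden by style, while ignoring inline `cid:` images that cause no remote fetch. The email body is constructed for the example and the hostnames are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a marketing email body (not a real message).
SAMPLE_EMAIL = """<html><body>
<p>Hi, here is our February offer.</p>
<img src="https://cdn.example-shop.test/banner.png" width="600" height="200">
<img src="https://track.example-marketing.test/o/abc123.gif?uid=42" width="1" height="1">
<img src="https://cdn.example-shop.test/spacer.png" style="display:none; width:1px; height:1px">
<img src="cid:logo@example-shop.test" width="1" height="1">
</body></html>"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _px(value):
    """Parse '1', '1px' or '1.0' to an int; None if absent or unparsable."""
    try:
        return int(float(value.lower().rstrip("px")))
    except (AttributeError, ValueError):
        return None


def is_tracking_pixel(attrs):
    """A remote image that is tiny or hidden: the shape described above."""
    if urlparse(attrs.get("src", "")).scheme not in ("http", "https"):
        return False            # cid:/data: images cause no remote fetch
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = ("display:none" in style or "visibility:hidden" in style
              or ("width:1px" in style and "height:1px" in style))
    return tiny or hidden


def find_tracking_pixels(html):
    """Return the src of every image that looks like a tracking pixel."""
    parser = ImgCollector()
    parser.feed(html)
    return [img["src"] for img in parser.images if is_tracking_pixel(img)]
```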

DDoS attack takes down EXMO cryptocurrency exchange servers

The servers of British cryptocurrency exchange EXMO were taken offline temporarily after being targeted in a distributed denial-of-service (DDoS) attack.

"We are currently experiencing a DDoS attack on our platform," the exchange said in a notification published earlier today. "Please note that the EXMO exchange website is now under the DDoS attack. The servers are temporarily unavailable."

In a separate alert issued through the company's official Twitter account, EXMO said that it is working on addressing the issue. Although no update has been published since the DDoS attack was announced, the platform's servers and website are now back online. EXMO was temporarily registered with the UK Financial Conduct Authority (FCA) as a crypto asset business until 9 July 2021, following a request submitted back in April 2020. The British cryptocurrency exchange – self-described as "one of the largest cryptocurrency exchanges in Europe" – disclosed in December 2020 that unknown attackers were able to withdraw roughly 5% of its total assets after compromising EXMO's hot wallets.

"Our team is currently developing a new infrastructure for hot wallets. Since each blockchain needs a separate server, the process will take some time," EXMO added in a subsequent update.

Unlike cold wallets (aka offline or hardware wallets) that have no internet connection, hot wallets are internet-connected and are used by exchanges to temporarily store assets for ongoing transfers and transactions. EXMO suspended all withdrawals following the incident and added that all user losses following this incident will be covered and refunded completely by EXMO.

US cities hit by ransomware attack

A ransomware attack against the widely used payment processor AFTS has sparked data breach notifications from numerous cities and agencies within California and Washington. Automatic Funds Transfer Services (AFTS) is used by many cities and agencies in Washington and other US states as a payment processor and address verification service. As the data used for billing and verifying customers and residents is wide and varied, this attack could have a massive and widespread impact.

The attack occurred around 3 February, when a cybercrime gang known as Cuba Ransomware stole unencrypted files and deployed the ransomware, prompting data breach notifications in California and Washington.

The cyberattack has since caused significant disruption to AFTS' business operations, making their website unavailable and impacting payment processing. When visiting their site, people are greeted with a message, stating, "The website for AFTS and all related payment processing websites are unavailable due to technical issues."

Due to the large amount of data allegedly stolen by the Cuba Ransomware operation, cities using AFTS as their payment processor or address verification service have begun disclosing potential data breaches. The data exposed varies depending on the city or agency, but may include names, addresses, phone numbers, licence plate numbers, VINs, credit card information, scanned paper cheques and billing details.

Microsoft web shells attacks spreading like wildfire

From a tool for script kiddies to the arsenal of ransomware gangs and nation-state hackers, web shells have become crucial tools in complex intrusions. Due to the versatility and access provided by web shells, the volume of such attacks has almost doubled since last year, according to a recent report from the Microsoft Detection and Response Team. Microsoft reported that between August 2020 and January 2021 it observed around 140,000 web shells a month, up from roughly 77,000 the previous August.

Microsoft's stats have shown the crucial role of web shells as an entry point and persistence mechanism for attacks on public-facing systems in corporate IT networks. Their flexible use with almost every programming language that runs on a web server, such as ASP, JSP, JS or PHP, renders detection difficult.

Through web shell attacks, hackers can execute commands via a graphical or command-line interface on a hacked server, control the hacked server, steal data and login credentials, use the devices to launch two-stage attacks, and move laterally throughout the network.

Recently, PHP malware was discovered containing multiple backdoors and web shells that used whitespace obfuscation. It is paramount that organisations re-prioritise their approach to counter the escalating prevalence of web shells. The basic actions include patching public-facing systems, deploying antivirus protection on web servers, network segmentation, and good credential hygiene.

Three new vulnerabilities patched in OpenSSL

The OpenSSL Project on Tuesday announced the availability of patches for three vulnerabilities, including two that can be exploited for denial-of-service (DoS) attacks and one related to incorrect SSLv2 rollback protection. The most serious of the vulnerabilities, with a severity rating of moderate, is CVE-2021-23841, a NULL pointer dereference issue that can result in a crash and a DoS condition. The security hole is related to a function (X509_issuer_and_serial_hash) that is never called directly by OpenSSL itself, which means it only impacts applications that use the function directly with certificates obtained from untrusted sources. The flaw was reported to OpenSSL developers by Google Project Zero researcher Tavis Ormandy and it has been patched with the release of OpenSSL 1.1.1j. Versions 1.1.1i and earlier are impacted.

Version 1.1.1j also fixes a low-severity integer overflow issue that can also lead to a crash. The bug, tracked as CVE-2021-23840, was identified by Paul Kehrer.

Another low-severity issue, CVE-2021-23839, was reported to the OpenSSL Project by researchers at cybersecurity firm Trustwave, who discovered that servers using OpenSSL 1.0.2 are vulnerable to SSL version rollback attacks. However, an attack can only be launched against certain configurations and OpenSSL 1.1.1 is not impacted.

Edited and compiled by QA's Director of Cyber, Richard Beck.
