Hackers have used brute-force attacks to gain access to hundreds of e-commerce sites and install malware that scrapes credit card details and drops cryptocurrency-mining software. Researchers at threat intelligence company Flashpoint revealed in a blog post that they were aware of at least 1,000 compromised sites, mainly in the education and healthcare industries. The attacks were largely centered on the U.S. and Europe.
The attackers targeted the popular open-source Magento platform used to run the sites, breaking into admin panels that had been left with common or well-known default credentials. While the fault lies with careless admins who failed to set secure credentials on their newly installed platforms, Flashpoint also noted that the attackers “have demonstrated continued interest in other popular ecommerce-processing content management systems such as Powerfront CMS and OpenCart.”
Flashpoint’s analysts say:
“Once the attacker has control of the site’s Magento content management system (CMS) admin panel, they have unfettered access to the site and the ability to add any script they choose. In this case, the attackers were injecting malicious code in the Magento core file, allowing them access to pages where payment data is processed. POST requests to the server containing sensitive data are then intercepted and redirected to the attacker.”
Flashpoint noted that the attackers updated their malicious files “daily” in order to evade signature-based and behavior-based detection.
Successfully compromised sites served visitors a fake Flash Player update. If the user is fooled and launches it, malicious JavaScript downloads malware (such as the AZORult data-stealer) onto the user’s computer from attacker-controlled repositories on GitHub. A chain reaction then starts as that malware downloads further malware, in this instance the Rarog cryptocurrency miner.
Protecting Yourself from Credential-Based Attacks
This is by no means the first case of this type of attack. Back in 2016, the Mirai attacks also relied on admins not bothering to change default credentials on their ‘connected things,’ resulting in a massively destructive botnet made up of unsecured connected devices such as routers and security cameras. The botnet took down numerous high-value targets such as Twitter, Spotify and GitHub.
In cases like these, attackers build simple automated scripts pre-loaded with all known default credentials for the platform, then brute-force their way into the admin panels of target sites. It’s a scattershot approach, but the fact that it worked in 1,000 known cases to date suggests that there are more infected websites out there. (Flashpoint is currently working with law enforcement to inform the owners of infected sites.)
Users can protect themselves, their sites and their sites’ visitors from this kind of chain-reaction compromise by changing the default credentials immediately after installing and setting up a new CMS platform. Here are some other tips we’d recommend to protect your Internet-connected devices against these types of brute-force attacks:
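Spotting this kind of scattershot guessing on your own server mostly comes down to counting how many login POSTs a single source sends to the admin URL in a short time. The script below is an added example, not code from this article or from Flashpoint: it parses constructed web-server access-log lines in the common “combined” format and flags source IPs that hit an assumed Magento admin login path a threshold number of times within a one-minute window, reporting a 302 after that point as a possible successful guess. The log lines, the admin path /index.php/admin/ and the 200-versus-302 heuristic are all assumptions of the example and should be adjusted to the deployment being monitored.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the Apache/nginx "combined" log format (not real traffic).
# 203.0.113.7 hammers the admin login and then receives a 302; 198.51.100.4 is a normal
# admin user; 192.0.2.9 makes a few login attempts spread out over several minutes.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2018:10:00:01 +0000] "POST /index.php/admin/ HTTP/1.1" 200 4821 "-" "python-requests/2.18.4"
203.0.113.7 - - [10/Apr/2018:10:00:02 +0000] "POST /index.php/admin/ HTTP/1.1" 200 4821 "-" "python-requests/2.18.4"
203.0.113.7 - - [10/Apr/2018:10:00:03 +0000] "POST /index.php/admin/ HTTP/1.1" 200 4821 "-" "python-requests/2.18.4"
203.0.113.7 - - [10/Apr/2018:10:00:04 +0000] "POST /index.php/admin/ HTTP/1.1" 200 4821 "-" "python-requests/2.18.4"
203.0.113.7 - - [10/Apr/2018:10:00:05 +0000] "POST /index.php/admin/ HTTP/1.1" 200 4821 "-" "python-requests/2.18.4"
203.0.113.7 - - [10/Apr/2018:10:00:06 +0000] "POST /index.php/admin/ HTTP/1.1" 200 4821 "-" "python-requests/2.18.4"
203.0.113.7 - - [10/Apr/2018:10:00:07 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "python-requests/2.18.4"
198.51.100.4 - - [10/Apr/2018:10:00:05 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2018:10:01:00 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2018:10:02:00 +0000] "POST /index.php/admin/ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2018:10:04:00 +0000] "POST /index.php/admin/ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2018:10:06:00 +0000] "POST /index.php/admin/ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
"""

# Assumed admin login URLs (Magento 1 default front name "admin", with and without the
# index.php prefix); change these to match the monitored installation.
ADMIN_LOGIN_PATHS = {"/index.php/admin", "/admin"}

# client ip, timestamp, request method, request path, response status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts_text, method, path, status = m.groups()
    ts = datetime.strptime(ts_text, "%d/%b/%Y:%H:%M:%S %z")
    # Normalise the path: drop any query string and a trailing slash.
    path = path.split("?", 1)[0].rstrip("/") or "/"
    return ip, ts, method, path, int(status)


def detect_admin_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs that POST to the admin login `threshold` or more times within
    `window`. Lines are expected in chronological order, as access logs are written.
    Heuristic (an assumption of this example): a failed login re-renders the form with
    HTTP 200, while a successful one redirects with 302, so a 302 seen once the
    threshold has been crossed is reported as a possible successful guess."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path not in ADMIN_LOGIN_PATHS:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # discard attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            entry = alerts.setdefault(ip, {"attempts": 0, "possible_success": False})
            entry["attempts"] = max(entry["attempts"], len(q))
            if status == 302:
                entry["possible_success"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_admin_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} login POSTs within one minute; "
              f"possible success: {info['possible_success']}")
```

Run against the constructed log, only 203.0.113.7 is reported, with seven attempts in the window and a possible success; the legitimate admin and the slow guesser stay under the threshold. On a real site the same function would be fed the live access log, with `threshold` and `window` tuned to the normal volume of admin logins, and a `possible_success` hit treated as an incident rather than a warning, since an attacker holding the admin panel can alter core files at will.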
- Change default passwords (and even usernames, if possible) on routers, wireless access points, and other network devices. Make the password long (minimum of 12-14 characters) and use a combination of lowercase and uppercase alphabetical characters, numbers, and symbols.
- Keep firmware and patches up to date on devices, and be sure to get updates only from the manufacturer's site or service. Most devices have a built-in web page or app to perform the update, and an increasing number of home network devices update automatically.
- If the device has a built-in firewall, review configuration options to block unnecessary ports and services. Additionally, if there are options to configure services such as Universal Plug and Play (UPnP), disable them if they are not necessary.
- Don't connect your "things" directly to the Internet. Instead, use a firewall (if available) to restrict device traffic.