Baka, a new stealthy JS skimmer targets e-Commerce merchants

Web skimming attacks are an ongoing threat to e-Commerce. But the Baka skimmer, backed by seven C&C servers and using an XOR cipher to obfuscate its code, poses a major security issue for merchants and their customers alike.

While Visa is warning about a new Baka JS web skimmer, researchers have uncovered an authentication flaw in the company’s EMV

The Baka skimmer contains all the essential features that most e-commerce skimming kits are equipped with, such as an admin panel, a skimming script generator and an exfiltration gateway. But the skimmer’s most ‘compelling components’ are its unique loader and obfuscation techniques. It loads dynamically to avoid static malware scanners and uses individual encryption parameters for every victim to hide the malicious code. It also avoids detection by removing itself from memory as soon as it detects signs of dynamic analysis or after it has finished exfiltrating data.

Encrypted skimming code (Image: Visa)

Visa’s Payment Fraud Disruption (PFD) group identified seven servers actively hosting the malware’s skimming kit, which means the skimmer has already affected various merchant websites worldwide. Visa urged e-commerce providers to regularly scan for C&C communications, perform website scanning and test for malware and vulnerabilities. Retailers must restrict access to admin portals and require two-factor authentication (2FA).
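The “website scanning” Visa recommends boils down to knowing which scripts your checkout page actually loads. The following is an added example, not code from Visa or from the Baka kit: it collects every script on a page, flags external sources whose host is not on an allowlist, and flags inline scripts whose character distribution looks encoded rather than written (skimmers that ship XOR-obfuscated payloads tend to stand out this way). The allowlisted hosts, the entropy threshold and the sample page are all constructed for the example.

```python
import math
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist for a hypothetical shop: the first-party origin and one known CDN.
TRUSTED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

# Inline scripts this uniform in character use look encoded rather than written.
# Heuristic threshold chosen for this example; tune it against your own pages.
ENTROPY_THRESHOLD = 5.0


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline_script = True

    def handle_data(self, data):
        # HTMLParser hands script bodies over verbatim (CDATA mode)
        if self._in_inline_script and data.strip():
            self.inline.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def audit_page_scripts(html: str, trusted_hosts=TRUSTED_SCRIPT_HOSTS) -> dict:
    """Return scripts that deserve a look: third-party sources not on the
    allowlist, and inline bodies whose entropy suggests an encoded payload.
    Relative `src` values (no hostname) are treated as first-party."""
    collector = ScriptCollector()
    collector.feed(html)
    unknown_external = []
    for src in collector.external:
        host = urlparse(src).hostname
        if host is not None and host not in trusted_hosts:
            unknown_external.append(src)
    suspicious_inline = [
        body for body in collector.inline
        if shannon_entropy(body) >= ENTROPY_THRESHOLD
    ]
    return {"unknown_external": unknown_external, "high_entropy_inline": suspicious_inline}


# Constructed checkout page: one trusted script, one unknown third-party script,
# one ordinary inline snippet and one inline blob of encoded-looking data.
ENCODED_BLOB = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" * 4
SAMPLE_CHECKOUT_HTML = f"""
<html><head>
<script src="https://cdn.example/js/checkout.js"></script>
<script src="https://static.example.net/lib.js"></script>
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
<script>var p="{ENCODED_BLOB}";</script>
</head><body><form id="payment"></form></body></html>
"""

if __name__ == "__main__":
    for kind, items in audit_page_scripts(SAMPLE_CHECKOUT_HTML).items():
        for item in items:
            print(f"{kind}: {item[:60]}")
```

Run against a saved copy of the live checkout page and diff the result between scans; a new external host or a new high-entropy inline block on a payment page is exactly the change a skimmer introduces.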

Visa has an even bigger problem…

A group of academics from ETH Zurich discovered an authentication flaw in Visa’s EMV-enabled payment cards that permits cybercriminals to obtain funds illicitly and defraud cardholders as well as merchants. It is a PIN bypass attack that lets an adversary use a victim’s stolen or lost credit card for high-value purchases without knowing the card’s PIN, and even trick a point of sale (PoS) terminal into accepting an unauthentic offline card transaction.

All modern contactless cards that make use of the Visa protocol, including Visa Credit, Visa Debit, Visa Electron, and V Pay cards, are affected by the security flaw, but the researchers posited it could apply to EMV protocols implemented by Discover and UnionPay as well. The loophole, however, doesn’t impact Mastercard, American Express, and JCB.

ETH researchers exploited a critical flaw in the card protocol to mount a man-in-the-middle (MitM) attack via an Android app that tells the terminal that PIN verification is not required because cardholder verification was performed on the consumer’s device. The issue stems from the fact that the Cardholder Verification Method (CVM) is not cryptographically protected against modification. As a result, the Card Transaction Qualifiers (CTQ), which determine what CVM check, if any, is required for the transaction, can be modified to tell the PoS terminal to skip PIN verification because verification was carried out on the cardholder’s device, such as a smartwatch or smartphone.

A ‘free lunch’ attack

A second vulnerability involves offline contactless transactions carried out with either a Visa card or an old Mastercard card and allows the attacker to alter a specific piece of data called the “Application Cryptogram” (AC) before it is delivered to the terminal. These transactions are not connected to an online system: there is a delay of 24 to 72 hours before the bank confirms the transaction’s legitimacy using the cryptogram and the purchase amount is debited from the account.

The criminal can purchase low-value goods or services without actually being charged at all. But given the low value of these transactions, it is unlikely to become a popular business model for cybercriminals.


New Raccoon attack could let attackers break SSL/TLS encryption

A group of researchers has detailed a new timing vulnerability in Transport Layer Security (TLS) protocol that could potentially allow an attacker to break the encryption and read sensitive communication.

Dubbed “Raccoon Attack,” the server-side attack exploits a side-channel in the cryptographic protocol (versions 1.2 and lower) to extract the shared secret key used for secure communications between two parties.

The Raccoon attack is a timing attack, where a malicious third party measures the time needed to perform known cryptographic operations in order to infer information about the secret values being processed. In the case of Raccoon, the target is the Diffie-Hellman key exchange, with the aim of recovering several bytes of information.

“The root cause for this side channel is that the TLS standard encourages non-constant-time processing of the DH secret,” the researchers explained in a paper. “If the server reuses ephemeral keys, this side channel may allow an attacker to recover the premaster secret by solving an instance of the Hidden Number Problem.”

Thus, in principle, all servers that use Diffie-Hellman key exchange when setting up TLS connections are exposed to the attack.

However, the academics stated that the vulnerability is hard to exploit: it relies on very precise timing measurements and on a specific server configuration. First of all, the attacker needs to be close to the target server. The victim connection must use DH(E) and the server must reuse ephemeral keys. And finally, the attacker needs to observe the original connection. It’s a lot to ask for.
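The “non-constant-time processing” the paper refers to is visible in the TLS 1.2 specification itself: RFC 5246 strips leading zero bytes from the DH shared secret before it becomes the pre_master_secret, so the secret’s length, and hence how much hashing the PRF does with it, depends on the secret’s value. The block below is an added illustration, not code from the researchers, showing the two encodings side by side, a simplified model of why the length matters for HMAC-SHA256, and the one check a defender can make from outside: whether a server hands out the same DH public value across handshakes. The toy modulus and sample values are constructed; the timing model is deliberately simplified to block counts.

```python
# Constructed toy group: the Mersenne prime 2**127 - 1. Real TLS groups are 1024
# bits and up; the small modulus only keeps the numbers readable.
TOY_P = 2**127 - 1
TOY_G = 2


def modulus_bytes(p: int) -> int:
    """Number of bytes needed to represent the group modulus p."""
    return (p.bit_length() + 7) // 8


def dh_shared_secret(peer_public: int, own_private: int, p: int) -> int:
    """Plain finite-field Diffie-Hellman: Z = Y_peer ** x mod p."""
    return pow(peer_public, own_private, p)


def tls12_premaster_secret(shared: int, p: int) -> bytes:
    """TLS 1.2 encoding (RFC 5246, section 8.1.2): leading all-zero bytes of Z
    are stripped, so the length of the pre_master_secret depends on Z itself."""
    return shared.to_bytes(modulus_bytes(p), "big").lstrip(b"\x00")


def fixed_length_premaster_secret(shared: int, p: int) -> bytes:
    """Length-preserving encoding as TLS 1.3 (RFC 8446, section 7.4.1) uses:
    always as many bytes as the modulus, left-padded with zeros."""
    return shared.to_bytes(modulus_bytes(p), "big")


def hmac_sha256_key_blocks(key_len: int) -> int:
    """Simplified timing model. HMAC (RFC 2104) pre-hashes any key longer than
    the 64-byte SHA-256 block size; SHA-256 pads with 0x80 plus an 8-byte
    length, so that pre-hash costs ceil((key_len + 9) / 64) compression calls.
    The TLS 1.2 PRF keys HMAC with the pre_master_secret, so a stripped secret
    that crosses a block boundary costs one compression call fewer."""
    if key_len <= 64:
        return 0
    return (key_len + 9 + 63) // 64


def server_reuses_dh_key(server_publics) -> bool:
    """Defensive check: given the DH public values (Ys) seen in the
    ServerKeyExchange messages of several handshakes to one server, report
    whether any value repeats. Fresh ephemeral keys never repeat."""
    values = list(server_publics)
    return len(set(values)) < len(values)


if __name__ == "__main__":
    # Constructed key pair; the peer side is irrelevant for the length demo.
    for shared in (1, 2**100, 2**126):
        stripped = tls12_premaster_secret(shared, TOY_P)
        fixed = fixed_length_premaster_secret(shared, TOY_P)
        print(f"Z={shared:>40}: TLS 1.2 length {len(stripped):>2}, fixed length {len(fixed)}")
    # With a 1024-bit group (128-byte secret) nine or more leading zero bytes
    # drop one SHA-256 compression call from the HMAC key pre-hash.
    print("128-byte key:", hmac_sha256_key_blocks(128), "blocks;",
          "119-byte key:", hmac_sha256_key_blocks(119), "blocks")
```

The practical takeaway matches the researchers’ conditions: the side channel only matters when the server reuses its DH key across connections, so the first thing to check on a server that still offers DH(E) cipher suites is whether the ServerKeyExchange public value changes on every handshake.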

Still, some vendors have already reacted. Microsoft (CVE-2020-1596), Mozilla, OpenSSL (CVE-2020-1968), and F5 Networks (CVE-2020-5929) have released security updates to block Raccoon attacks.


Hackers use legit tool to take over Docker, Kubernetes platforms

TeamTNT, a cybercrime group that has previously struck Docker and Kubernetes cloud environments, has evolved to repurpose genuine cloud monitoring tools as a backdoor for its attacks.

Analyzing the attack, researchers at Intezer discovered that TeamTNT installed the open-source Weave Scope tool to gain full control of the victim’s cloud infrastructure. This may be the first time a legitimate third-party tool has been abused as a backdoor in a cloud environment.

Weave Scope integrates seamlessly with Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS) and AWS Elastic Compute Cloud (ECS). It provides a complete map of processes, containers and hosts on the server, and control over installed applications.

The attackers install this tool in order to map the cloud environment of their victim and execute system commands without deploying malicious code on the server.

Once the attackers found their way in, they set up a new privileged container with a clean Ubuntu image and used it to download and execute cryptominers, gain root access to the server by creating a local privileged user named ‘hilde’ for SSH access, and eventually install Weave Scope.

With the utility on the server, TeamTNT could connect to the Weave Scope dashboard via HTTP on port 4040 (default for the Scope app endpoint) and take control.

How to prevent this scenario? Close the Docker API ports or restrict who can reach them.
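Two quick checks cover the entry point and the takeover channel described above. The script below is an added example, not Intezer’s or Weave’s code: it parses listening-socket output in the format of `ss -Hltn` and reports the Docker API ports (2375 plaintext, 2376 TLS) and the Weave Scope UI port 4040 when they are bound to a wildcard address, and it audits a dockerd `daemon.json` for a TCP listener configured without `tlsverify`. The `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are real dockerd options; the socket output and both configuration variants are constructed for the example.

```python
import json

# Ports worth alerting on: the Docker API (2375 plaintext, 2376 TLS) and the
# Weave Scope UI on 4040, which the article names as the takeover channel.
SENSITIVE_PORTS = {
    2375: "Docker API (plaintext)",
    2376: "Docker API (TLS)",
    4040: "Weave Scope UI",
}
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}

# Constructed `ss -Hltn` output: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:2376 0.0.0.0:*
LISTEN 0 128 [::]:4040 [::]:*
LISTEN 0 128 127.0.0.1:22 0.0.0.0:*
"""


def exposed_sensitive_ports(ss_output: str) -> dict:
    """Map each sensitive port that listens on a wildcard address to its label.
    Loopback-only listeners (127.0.0.1, ::1) are not reported."""
    findings = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::]:4040 too
        if not port.isdigit():
            continue
        if addr in WILDCARD_ADDRS and int(port) in SENSITIVE_PORTS:
            findings[int(port)] = SENSITIVE_PORTS[int(port)]
    return findings


# Constructed daemon.json variants. Weak: the API is reachable over plain TCP.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
# Hardened: TCP only with mutual TLS, so a client needs a certificate we issued.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(daemon_json: str) -> list:
    """Report every TCP listener in a dockerd daemon.json that lacks tlsverify.
    Anyone who can reach such a port can create privileged containers."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append(f"{host}: Docker API reachable over TCP without tlsverify")
    return findings


if __name__ == "__main__":
    for port, label in sorted(exposed_sensitive_ports(SAMPLE_SS_OUTPUT).items()):
        print(f"exposed: {port} ({label})")
    for finding in audit_daemon_config(WEAK_DAEMON_JSON):
        print("config:", finding)
    print("hardened config findings:", audit_daemon_config(HARDENED_DAEMON_JSON))
```

On a real host, feed `exposed_sensitive_ports` the output of `ss -Hltn`; the safest answer for the Docker API is no TCP listener at all, leaving only the Unix socket, and 4040 should be reachable only through whatever authenticated path your team uses to view Scope.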


Zeppelin Ransomware with a new campaign and infection routine

The newest wave of attacks was spotted in August by Juniper Threat Labs researchers. The campaign starts with phishing emails carrying Microsoft Word attachments (themed as “invoices”) that have malicious macros on board. Once a user enables macros, the infection process starts.

In the latest campaign, snippets of Visual Basic script are hidden among garbage text behind various images. The malicious macros parse and extract these scripts and write them to a file at c:\wordpress\about1.vbs. A second macro then looks for the string “winmgmts:Win32_Process” inside the document text and uses it to execute about1.vbs from disk. About1.vbs is a trojan downloader, which ultimately downloads the Zeppelin ransomware onto the victim’s machine.

The binary sleeps for 26 seconds in an attempt to out-wait dynamic analysis in an automated sandbox and then runs the ransomware executable. Next, the executable checks the computer’s language settings and the geolocation of the victim’s IP address to avoid infecting computers in Russia, Belarus, Kazakhstan and Ukraine.
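The infection chain above leaves a distinctive trace in process-creation telemetry: a script host running a .vbs file that was launched through WMI rather than by the user, from a path under c:\wordpress\. The block below is an added example, not Juniper’s detection logic, that triages process-creation events with Sysmon-style field names (Image, ParentImage, CommandLine). It assumes, as most WMI-based detection rules do, that a process created via Win32_Process shows WmiPrvSE.exe as its parent; the events themselves are constructed, with one benign launch, one matching the chain described here and one unrelated Office start.

```python
# Constructed process-creation events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {   # benign: a user double-clicked a script in Explorer
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Scripts\backup.vbs',
    },
    {   # matches the chain in the article: WMI-launched script from c:\wordpress\
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"wscript.exe c:\wordpress\about1.vbs",
    },
    {   # unrelated: Word itself starting is not a script launch
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"WINWORD.EXE" invoice.docm',
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumption: processes created through WMI's Win32_Process.Create are
# parented by the WMI provider host.
WMI_PROVIDER_HOST = "wmiprvse.exe"
# Dropper location named in the article.
DROPPER_DIR = "\\wordpress\\"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_script_launch(event: dict) -> list:
    """Return the reasons a process-creation event looks like the Zeppelin
    downloader stage; an empty list means nothing of interest."""
    image = basename(event["Image"])
    command = event["CommandLine"].lower()
    if image not in SCRIPT_HOSTS or ".vbs" not in command:
        return []
    parent = basename(event["ParentImage"])
    reasons = []
    if parent == WMI_PROVIDER_HOST:
        reasons.append("script host spawned via WMI (Win32_Process)")
    if parent in OFFICE_APPS:
        reasons.append("script host spawned directly by an Office application")
    if DROPPER_DIR in command:
        reasons.append("script path matches the dropper location reported for Zeppelin")
    return reasons


def triage(events) -> list:
    """Pair each suspicious event's command line with its reasons."""
    results = []
    for event in events:
        reasons = flag_script_launch(event)
        if reasons:
            results.append((event["CommandLine"], reasons))
    return results


if __name__ == "__main__":
    for command, reasons in triage(SAMPLE_EVENTS):
        print(command)
        for reason in reasons:
            print("  -", reason)
```

Either reason on its own merits a look; the WMI parent is the stronger signal, since legitimate scripts are rarely started that way, while the path check is specific to this campaign and will age.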

Ransomware as a service

Zeppelin is distributed via an affiliate business: the malware is generated via a GUI wizard and offered to distributors in return for a revenue share. Zeppelin attacks are much more targeted than many other RaaS operations. Attackers first took aim at tech and healthcare companies in Europe and the U.S. The latest campaign has affected around 64 known victims, and the number is growing.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below.

1. Microsoft September 2020 Patch Tuesday addresses 129 flaws (Security Affairs)
2. Windows 10 Sandbox activation enables zero-day vulnerability (Bleeping Computer)
3. Hackers stole 738 GB of data from Australian government agency (Hack Read)
4. France, Japan, New Zealand warn of sudden spike in Emotet attacks (ZDNet)
5. Chilean bank shuts down all branches following ransomware attack (ZDNet)
6. Google Squashes Critical Android Media Framework Bug (Threat Post)
7. Meet the Middlemen Who Connect Cybercriminals With Victims (Dark Reading)
8. Fake Facebook email invites you to tell 39 strangers you were duped (Graham Cluley)
9. New CDRThief malware targets VoIP softswitches to steal call detail records (ZDNet)
10. Bluetooth Bug Could Allow MITM Attacks (Infosecurity Magazine)