Threat Report

Tuesday September 11, 2018

In this weekly threat report, we’ll cover two topics: the Magecart breach that skimmed 380K British Airways users, and the Mirai and Gafgyt botnets getting upgraded to fly first class with Apache Struts and SonicWall exploits.

Mirai & Gafgyt get an upgrade

Security researchers uncovered two botnet variants, one of Mirai and one of Gafgyt (BASHLITE), that have been upgraded to take advantage of additional vulnerabilities. Both IoT botnets have been associated with DDoS campaigns since November 2016. The Gafgyt version exploits the SonicWall vulnerability (CVE-2018-9866) that affects older, unsupported versions of SonicWall Global Management System (GMS 8.1 and older).

The Mirai version exploits the same Apache Struts vulnerability (CVE-2017-5638) associated with the Equifax data breach in 2017, together with 15 other vulnerabilities. These vulnerabilities include Linksys E-Series devices (Remote Code Execution), Vacron NVR devices (Remote Command Execution), D-Link devices (D-Link RCE), CCTVs & DVRs from 70 vendors (Remote Code Execution), EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 (Remote Code Execution), AVTECH IP Camera/NVR/DVR devices (Unauthenticated Command Injection), Zyxel routers (CVE-2017-6884), NetGain Enterprise Manager 7.2.562 (Ping Command Injection), NUUO NVRmini 2 3.0.8 (OS Command Injection), DGN1000 Netgear routers (Unauthenticated RCE), D-Link devices (HNAP SoapAction-Header Command Execution), D-Link DSL-2750B (OS Command Injection), MVPower DVR (JAWS Webserver authenticated shell command execution), and Dasan GPON routers (CVE-2018-10561, CVE-2018-10562).

Researchers noted that this is the first time the Mirai botnet has targeted a vulnerability in Apache Struts. Researchers have pointed out that the incorporation of exploits targeting Apache Struts and SonicWall could indicate the threat actors are increasingly targeting outdated enterprise devices.

Source: paloaltonetworks

Mitigation Strategies:

British Airways skimmed by Magecart

British Airways recently announced that it suffered a major breach that resulted in customer data theft that impacted roughly 380,000 customers. Names, addresses, email addresses, and payment details of customers with completed transactions from 22:58 BST on August 21 until 21:45 BST on September 5 were compromised. The breach surprisingly didn’t impact passport numbers and other travel data.

Researchers revealed how the Magecart threat actor was able to hack British Airways, in a manner similar to the Ticketmaster breach. As reported, data was stolen directly from the website and mobile app, both of which carry payment forms. Researchers suspect that Magecart used a cross-site scripting attack against a poorly secured component of a British Airways web page and injected their skimmer code, altering the victim site’s behavior. The attack was tailor-made for the British Airways payment page.

Evidence was found that Magecart might have breached the British Airways site days before the skimming began. The attacker’s server used a certificate that was issued on August 15th, days before the reported start date of August 21, 2018. Researchers warn that Magecart uses custom-built attacks for targeted victims, which is a real threat for online payment processing.

Magecart has likely considered other airlines as targets and this is not the first breach in the aviation sector. Aviation sector businesses should consider community defense and evaluate membership in information sharing and analysis centers like A-ISAC.

Sources: britishairways, riskiq, a-isac

Mitigation Strategies:

Paul Scott
SOC Nightwatchman