Editor’s Note: The following post is an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.

Background

Businesses and organizations use content management systems (CMS) and web hosting control panels to simplify the management of websites and deliver improved functionality for site visitors. CMS control panels allow content managers to manage the site at the web application level, such as adding a shopping cart extension for e-commerce functionality. Web hosting control panels are interfaces that allow administrators to manage their web servers and hosted services.

In essence, access to a site’s CMS control panel allows cybercriminals to inject digital skimmers, potentially access payment card data from previous stored transactions, and access CMS user account information, whereas access to web hosting control panels enables cybercriminals to perform the aforementioned activity and potentially conduct more intrusive activities, such as installing malware or remote access trojans (RATs). Installation of a RAT may allow the malicious actor to maintain access to the server even if the login credentials are changed. Additionally, malware installed using administrator-level privileges could perform any number of nefarious activities.

Site administrators access their CMS through its control panel and use their web hosting control panels to access the underlying server, both through the administrator credentials for the respective platform. Therefore, if cybercriminals can acquire one or both of these credential set(s), they can view, exfiltrate, and manipulate any data that the compromised account is authorized to access. Given that many people use the same username and password for multiple systems, cybercriminals may gain access to both panels through discovery of a single set of credentials. In practice, cybercriminals primarily use these types of access for four purposes:

• Magecart infections: Injecting payment card skimmers into e-commerce sites
• Database “dumps”: Exfiltrating sensitive data that has been stored on a site’s web server and databases, including payment card data from previous transactions, users’ personally identifiable information (PII), and administrators’ login credentials
• Ransomware attacks: Leveraging access to these administrator panels to gain access to the victim’s larger network
• Server-based Botnets: Leveraging access to these administrator panels actors can install scripts that perform Distributed Denial-of-Service (DDoS) attacks

Cybercriminals can acquire administrator login credentials through phishing pages, keylogger malware, or manually searching sites for vulnerabilities that they can exploit. These techniques can prove time-consuming and generally require higher levels of technical expertise, therefore a growing market among cybercriminals has emerged for cybercriminal tools that simplify and partially automate the process of acquiring these login credentials. One popular tool that Gemini’s fraud intelligence specialists have been tracking is HackMachine, which first appeared for sale on the dark web in October 2019. HackMachine scans large volumes of websites, automatically identifies those sites with vulnerabilities in their CMS or web hosting control panel, and exploits the vulnerabilities to acquire login credentials.

Key Findings

• The cybercriminal software “HackMachine” provides attackers with a simple-to-use and automated method of gaining access to web applications. Attackers can load target victim domains into the software, whereupon the software scans the sites for known vulnerabilities, collects administrator and user login credentials through multiple types of brute-force attacks, and verifies the validity of the credentials.
• Hackers can leverage access acquired through HackMachine to inject digital payment skimmers, steal stored payment card data from previous transactions, and exfiltrate user databases and personally identifiable information (PII). The types of access acquired through HackMachine can also be used to supplement ransomware attacks.
• HackMachine exploits sites with lax security postures to acquire access to administrator panels; therefore, businesses can mitigate the threat posed by the software by following the best web security practices.
• Gemini has identified actors who purchased and praised HackMachine and then proceeded to sell accesses that were likely acquired through HackMachine. This indicates the software is a current threat to cardholders, financial institutions, and merchants due to its card fraud applications, as well as a threat to companies and organizations due to its ransomware applications.

Editor’s Note: This post was an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.