AN OVERVIEW OF THE ACTORS BEHIND THE LARGEST MAGECART ATTACK (SO FAR!)

  • Previous activity identified that the actors, who appear to be primarily financially motivated, have largely targeted the Magento platform in the past, with some targeting aimed specifically at the “v1” version.
  • Previous eCommerce attacks by the actors appear to target two languages exclusively for the checkout pages: English and Portuguese.
  • Some of their infrastructure has previously been tied to the Brazilian-focused Lampion banking trojan, further reinforcing an interest in the LATAM market.
  • The actors re-use infrastructure (IPs and domains) across campaigns.
  • The actors frequently employ homoglyph-style attacks, mimicking various protocols or legitimate web services for their domains.
  • While the targeting of the end-of-life Magento platform appears intentional, is this because the attacker has access to a specific and novel capability (i.e. the ‘Cardbleed’ 0-day attack), or were these platforms previously compromised by the attackers (or perhaps purchased from actors who cultivate network access)?
  • Presently, there are no direct operational linkages which connect the actors conducting the attacks with the seller ‘z3r0day’ and the alleged ‘Cardbleed’ exploit.
  • The actors responsible for the attacks appear to have been carrying out similar attacks prior to 15 August 2020, when the ‘Cardbleed’ exploit was offered for sale.
  • The attacker has previously been shown to reuse specific TTPs and infrastructure; however, it is reasonable to expect that an attacker who has gained a significant advantage would want to avoid detection for as long as possible.
  • The attacker may have felt compelled to act quickly and operate using infrastructure that they deemed reliable.

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.
