Hackers swipe card numbers from local government payment portals


A previously unknown hacker group is behind a mounting number of breaches that have been reported by local governments across the US.

In a report published today, US cyber-security vendor FireEye has revealed that this yet-to-be-identified hacker group has been breaking into Click2Gov servers and planting malware that stole payment card details.

Click2Gov is a popular self-hosted payments solution, a product of US software supplier Superion. It is sold primarily to US local governments, and you can find a Click2Gov server installed anywhere from small towns to large metropolitan areas, where it’s used to handle payments for utility bills, permits, fines, and more.

FireEye says this new hacker group has been attacking Click2Gov portals for almost a year. The company's investigators believe the hackers are using one or more vulnerabilities in one of Click2Gov's components, the Oracle WebLogic Java EE application server, to gain a foothold and install a web shell named SJavaWebManage on the hacked portals.

Forensic evidence suggests the hackers are using this web shell to turn on Click2Gov’s debug mode, which, in turn, starts logging payment transactions, card details included.

The hackers then use the same web shell to upload two never-before-seen malware strains, FIREALARM and SPOTLIGHT, to the same server. The former parses Click2Gov logs for payment card data, while the latter detects and extracts payment details from HTTP network traffic.

Today's FireEye report is not news in itself so much as a confirmation and breakdown of the attackers' methods. There have been numerous media reports that Click2Gov portals have been getting hacked left and right.

Superion itself released a statement in October 2017 about suspicious activity on a number of customer portals, claiming it was investigating the incidents.

In June, Risk Based Security, another cyber-security firm, published a report about breaches at nine US cities, which it said it had traced to Click2Gov portals.

Superion didn’t answer the accusations, but the company did release a Click2Gov patch a day after Risk Based Security’s report, on June 15.

After FireEye's report today, Risk Based Security published a second report listing another nine cities that had reported Click2Gov security incidents.

FireEye didn’t release an official list of Click2Gov portals where the company identified the hackers’ malware, but according to Risk Based Security, town municipalities appear to be doing their duty and notifying affected users.

As for the hackers, FireEye claims that “while it is also possible the attack was conducted by a single individual, FireEye assesses, with moderate confidence, that a team was likely involved in this campaign.”

The company bases its assessment on the range of skills, and the amount of time, it would have taken to write all the malware and carry out all the intrusions, something very difficult for one individual alone.

News of the Click2Gov hacks comes days after a similar incident was reported affecting the GovPayNow portal.
