
Report: Hackers used data mining tool, network sniffer to steal Click2Gov information

The malicious actor behind a year-old campaign targeting the web payment portal Click2Gov appears to have been using a malicious webshell, data mining utility program and network sniffer to steal information from users, according to a new report from FireEye researchers.

The researchers note that while the perpetrator's tools and techniques are "generally consistent with other financially motivated attack groups," this particular actor has "demonstrated ingenuity in crafting malware exploiting Click2Gov installations, achieving moderate success."

Originally a product of software company Superion, which was recently acquired by CentralSquare Technologies, Click2Gov is a portal used by government entities to accept payments for permits, licenses, fines and utilities. In October 2017, the company disclosed the discovery of suspicious activity indicative of a breach, and by June 2018 it was widely reported that tens of thousands of local government customers across the country had their information exposed.

In their report, FireEye researchers explain that the attacker likely exploited one or more Oracle WebLogic vulnerabilities to compromise Click2Gov webservers, then uploaded a variant of the publicly available SJavaWebManage webshell to achieve persistence, interact with the infected hosts and execute commands.

The variant deviated from the original in several ways: variable names were changed (possibly to hinder signature-based detection), Chinese-language strings were replaced with English, and the ability to manipulate file timestamps on the server was added.

For the next step, FireEye reports, the attacker would "restart a module in DEBUG mode using the SJavaWebManage CMDS page after editing a Click2Gov XML configuration file," which caused the Click2Gov module to write payment card data in plain text to its log files. The actor would then use the webshell to upload and execute a command-line data mining utility nicknamed "FIREALARM," which parses the plain-text logs to retrieve the payment card data, formats it and prints it to the console.

Additionally, the actors would upload "SPOTLIGHT," a network sniffer that improves persistence and data collection, "ensuring the mined data would not be lost if Click2GovCX log files were deleted by an administrator," the blog post continues.
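A defender's check for the leak that FIREALARM harvests, added here as an example and not part of the SC Media article or of FireEye's report: it scans log lines for Luhn-valid card numbers and reports them masked, so an operator can confirm whether a module left in DEBUG mode is writing payment data to disk. The log layout, the field name cardNumber and the card numbers (industry test numbers) are constructed for the example; Click2Gov's real log format is not described on the page.

```python
import re

# Constructed sample log lines, not real Click2Gov output. Lines 1 and 2 carry
# Luhn-valid test PANs (one with space separators), line 3 a Luhn-invalid
# 16-digit number, line 4 no card data at all.
SAMPLE_LOG = """\
2018-09-12 10:14:02 DEBUG PaymentRequest cardNumber=4111111111111111 exp=1221 amount=45.00
2018-09-12 10:14:09 DEBUG PaymentRequest cardNumber=5555 5555 5555 4444 exp=0323 amount=120.50
2018-09-12 10:15:30 DEBUG PaymentRequest cardNumber=1234567812345678 exp=0101 amount=10.00
2018-09-12 10:16:00 INFO  Session sid=4e3d1c9a user=jdoe
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run. Timestamps and amounts are too short to match.
CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Note that roughly one random 16-digit number in ten
    passes, so a hit is a strong signal, not proof; the field context matters."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the BIN (first 6) and last 4, so the finding itself is not a leak."""
    return digits[:6] + '*' * (len(digits) - 10) + digits[-4:]


def find_plaintext_pans(log_text: str) -> list:
    """Return (line number, masked PAN) for every Luhn-valid candidate in the log."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r'[ -]', '', m.group())
            if luhn_valid(digits):
                hits.append((lineno, mask(digits)))
    return hits


if __name__ == '__main__':
    for lineno, masked in find_plaintext_pans(SAMPLE_LOG):
        print(f'line {lineno}: plaintext card number {masked}')
```

Run it against a copy of the application's log directory rather than the live files, and treat a single true positive as an incident: if card data is reaching the logs at all, the DEBUG setting in the XML configuration has been changed and the webserver should be examined for the webshell that changed it.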

Although FireEye is unable to connect the attacker with any known threat groups that have similar motives, researchers believe the campaign is likely the work of a team of individuals who "will continue to conduct interactive and financially motivated attacks."

To counter this threat, FireEye recommends that Click2Gov customers exercise diligent patch management, implement a file integrity monitoring solution for e-commerce webservers, and ensure that web service accounts run with least privilege.
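One way to implement the file integrity monitoring FireEye recommends, as an added example that is not the article's or FireEye's code: hash every file under the web root, keep the map as a baseline, and diff a later run against it. The directory layout and the file name app-config.xml are assumed for illustration; the demo stages the two changes the report describes, a newly dropped JSP file and an edited XML configuration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large artifacts do not load into memory."""
    h = hashlib.sha256()
    with path.open('rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def compute_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    baseline = {}
    for p in sorted(root.rglob('*')):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def diff_baselines(old: dict, new: dict) -> dict:
    """Report files that appeared, disappeared or changed content between two runs."""
    return {
        'added': sorted(set(new) - set(old)),
        'removed': sorted(set(old) - set(new)),
        'modified': sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed webroot (assumed layout, not Click2Gov's): take a clean
    baseline, then stage a dropped JSP file and an edited XML config."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'WEB-INF').mkdir()
        (root / 'index.jsp').write_text('<html>portal</html>\n')
        (root / 'WEB-INF' / 'app-config.xml').write_text(
            '<config><debug>false</debug></config>\n')
        before = compute_baseline(root)

        # The two changes the FireEye report describes: a new server-side
        # script (stand-in for a webshell) and a modified XML configuration.
        (root / 'manage.jsp').write_text(
            '<% /* constructed placeholder, not a real webshell */ %>\n')
        (root / 'WEB-INF' / 'app-config.xml').write_text(
            '<config><debug>true</debug></config>\n')
        after = compute_baseline(root)
        return diff_baselines(before, after)


if __name__ == '__main__':
    for kind, paths in demo().items():
        print(f'{kind}: {paths}')
```

Two operational points: store the baseline and run the comparison from somewhere the web service account cannot write, since an actor with a webshell on the host can otherwise rewrite the baseline along with the files; and alert on any new server-side script (.jsp, .jspx, .aspx and the like) in the web root regardless of its hash, because a dropped webshell is by definition a file the baseline has never seen.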

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
