A previously unknown financially motivated threat group is believed to be behind a series of attacks whose goal was to obtain payment card data from U.S. cities relying on Click2Gov software for utility bill payments.
Click2Gov, a product developed by Superion, is designed to provide cities “interactive self-service bill-pay options for utilities, community development and finance.”
The first reports of breaches at Click2Gov customers emerged in October 2017, when Superion published a statement saying that suspicious activity had been detected at some customers using on-premise servers. The company said its investigation, which had been assisted by a PCI forensic investigation firm, had not found any evidence of credit card scrapers or credit card data extraction.
In a follow-up statement published in June 2018, Superion said it had released a patch for its own software and provided customers with patches for a third-party software used by Click2Gov in order to address the vulnerabilities exploited by the attackers.
Risk Based Security reported in June, just before Superion published its follow-up statement, that at least 10 cities in the United States had notified citizens that their payment information had been exposed as a result of an attack aimed at Click2Gov. Some even reported fraudulent transactions that may have resulted from these incidents.
Axios’ Codebook reported a few days later that the third-party software referenced by Superion was Oracle WebLogic, which has been known to be plagued by several vulnerabilities exploited by malicious actors for various purposes.
FireEye has also been tracking the Click2Gov attacks and notes that additional victims have been identified since June. The security firm has found and analyzed the malware used by the attackers, which it has described as “moderately sophisticated.”
FireEye says the attacks have been carried out by a financially motivated group that it has not seen until now.
Based on its analysis, FireEye believes the attack likely starts with exploitation of an Oracle WebLogic vulnerability – candidates include CVE-2017-3248, CVE-2017-3506 and CVE-2017-10271 – that allows the hackers to compromise Click2Gov webservers and upload arbitrary files.
Once they gain access, they upload a web shell named SJavaWebManage to interact with the server and enable debug mode in a Click2Gov configuration file so that the software writes payment card information to a log file in plain text.
Next, the attackers upload a tool tracked by FireEye as FIREALARM to parse these log files and exfiltrate the harvested credit card data. Additionally, the cybercriminals leverage a tool named SPOTLIGHT to intercept payment cards from HTTP network traffic.
The security firm says all of these malware families have very low detection rates based on VirusTotal data.
The company believes the campaign is the work of a group rather than a single individual based on the wide range of skills needed to pull off the attacks.
“The attacker’s understanding of the Click2Gov host requirements, process logging details, payment card fields, and internal communications protocols demonstrates an advanced knowledge of the Click2Gov application,” FireEye said in a blog post. “Given the manner in which underground forums and marketplaces function, it is possible that tool development could have been contracted to third parties and remote access to compromised systems could have been achieved by one entity and sold to another. There is much left to be uncovered about this attacker.”
“Although the TTPs observed in the attack lifecycle are generally consistent with other financially motivated attack groups tracked by FireEye, this attacker demonstrated ingenuity in crafting malware exploiting Click2Gov installations, achieving moderate success,” the company added.