THREAT ALERT: "HACK MACHIENE" SOLD ON THE DARK WEB, ENABLES FRAUD AND CYBER INTRUSIONS.
Businesses and organizations use content management systems (CMS) and web hosting control panels to simplify the management of websites and deliver improved functionality for site visitors. CMS control panels allow content managers to manage the site at the web application level, such as adding a shopping cart extension for e-commerce functionality. Web hosting control panels are interfaces that allow administrators to manage their web servers and hosted services.
In essence, access to a site’s CMS control panel allows cybercriminals to inject digital skimmers, potentially access payment card data from previous stored transactions, and access CMS user account information, whereas access to web hosting control panels enables cybercriminals to perform the aforementioned activity and potentially conduct more intrusive activities, such as installing malware or remote access trojans (RATs). Installation of a RAT may allow the malicious actor to maintain access to the server even if the login credentials are changed. Additionally, malware installed using administrator-level privileges could perform any number of nefarious activities.
Site administrators access their CMS through its control panel and use their web hosting control panels to access the underlying server, both through the administrator credentials for the respective platform. Therefore, if cybercriminals can acquire one or both of these credential set(s), they can view, exfiltrate, and manipulate any data that the compromised account is authorized to access. Given that many people use the same username and password for multiple systems, cybercriminals may gain access to both panels through discovery of a single set of credentials. In practice, cybercriminals primarily use these types of access for four purposes:
Magecart infections: Injecting payment card skimmers into e-commerce sites
Database “dumps”: Exfiltrating sensitive data that has been stored on a site’s web server and databases, including payment card data from previous transactions, users’ personally identifiable information (PII), and administrators’ login credentials
Ransomware attacks: Leveraging access to these administrator panels to gain access to the victim’s larger network
Server-based Botnets: Leveraging access to these administrator panels actors can install scripts that perform Distributed Denial-of-Service (DDoS) attacks
Cybercriminals can acquire administrator login credentials through phishing pages, keylogger malware, or manually searching sites for vulnerabilities that they can exploit. These techniques can prove time-consuming and generally require higher levels of technical expertise, therefore a growing market among cybercriminals has emerged for cybercriminal tools that simplify and partially automate the process of acquiring these login credentials. One popular tool that *Gemini’s fraud intelligence specialists have been tracking is HackMachine, which first appeared for sale on the dark web in October 2019. HackMachine scans large volumes of websites, automatically identifies those sites with vulnerabilities in their CMS or web hosting control panel, and exploits the vulnerabilities to acquire login credentials.
How HackMachine Works
According to the actor behind HackMachine, the software was originally written for a private client, but then the actor decided to offer the software as a commercial product. The software provides attackers with a simple-to-use and automated method of gaining access to web applications and servers. Attackers can load target victim domains into the software, whereupon the software scans the sites for known vulnerabilities, collects administrator and user login credentials through multiple types of brute-force attacks, and verifies the validity of the credentials.
In addition to collecting login credentials, HackMachine includes a feature for performing SQL injections, a type of attack that utilizes specialized queries to obtain data from the database outside of its normal usage. This type of attack typically sends queries to web-form handlers on the server and exploits vulnerabilities in how the site validates data requests being forwarded to the database. In some instances, an SQL Injection can result in a reverse shell (command prompt) being granted to the attacker. If successful, the attacker would be able to execute scripts on the site’s server with the privilege level of the database service account. Depending on the privilege level of the SQL service account, this type of attack and the access to a reverse shell could grant an attacker nearly unlimited access to the web server database and potentially the filesystem of the server.
The actor behind HackMachine indicated in their posts that HackMachine can gain access to sites that use the CMSes WordPress, DataLife Engine, Joomla, and Drupal, as well as those using File Transfer Protocol (FTP) servers. Originally released on the forum Exploit in October 2019, the actor behind HackMachine has continually provided updates for HackMachine and released three supplemental applications: “All Checker WordPress”, “All Checker WHM/CPanel”, and “Exploiter”. The three supplemental applications provide attackers with additional functionalities designed to expand the scope and efficiency of their attacks. All four applications have an English-language interface and include support and documentation in English and Russian. HackMachine costs $300, Exploiter costs $200, and All Checker WordPress and All Checker WHM/CPanel each cost $100.
All Checker WordPress
All Checker WordPress enables attackers to filter results by keywords. In practice, this means attackers can filter for only administrative accounts of sites in which the WooCommerce plugin is installed, which would indicate the site is an online store. The application can also determine account types, install additional plugins, and generate statistics for the number of posts and orders made on the site and the turnover of goods and customers. The most common use case for this tool is for Magecart infections.
All Checker WHM/CPanel
All Checker WHM/CPanel is a utility that checks the validity of login credentials from data received from HackMachine, and searches and retrieves domains within cPanel as well as Web Hosting Manager (WHM) accounts. For sites on which the server is administered through cPanel or WHM, credentials at this level would grant the attacker full administrative permissions to the server, including network configuration, file system management, database management, user management, autorun applications, and more. Due to the fact that WHM and cPanel control panels grant hackers wide access to the victim’s web infrastructure, this tool could enable Magecart infections, database exfiltration, and ransomware-related activity.
In January 2021, the actor behind HackMachine created a post in which they indicated that they would divide the capabilities of HackMachine and create another separate tool called Exploiter. Exploiter is a powerful utility for bulk domain processing that allows attackers to:
Search for admin areas and vulnerable sites
Search for files and download them
Find shells and file upload forms
Similar to All Checker WHM/CPanel, the types of access and information gathered through Exploiter enable hackers to perform Magecart infections, database exfiltration, and ransomware-related activity.
Criminal Use Cases for HackMachine
As noted above, HackMachine identifies vulnerabilities in websites and exploits these vulnerabilities to acquire login credentials for the site’s CMSes, WHM panels, and cPanel control panels. Once a hacker has gained access to a vulnerable site through these credentials, they can leverage the access to perform criminal activity relating to card fraud and in some cases, escalate the access to conduct ransomware attacks. On the card fraud side, the two major use cases for HackMachine are Magecart infections, which refer to the injection of digital payment card skimmers, and payment card database “dumps”, which refer to exfiltrating payment card data and PII from previous transactions that an e-commerce site has stored on its site.
Card fraud is increasingly shifting from Card Present (CP or “in-person”) transactions to Card Not Present (CNP or “online”) transactions, and the COVID-19 pandemic and corresponding quarantine restrictions have further accelerated this shift. A significant portion of payment cards compromised through CNP transactions come from Magecart digital skimming attacks, which involve hackers injecting malicious code into e-commerce sites to steal payment card data from sites’ customers. This data is then exfiltrated to the hacker’s own infrastructure and sold on the dark web. According to Gemini’s card fraud detection data, the median infection period for victimized US-based e-commerce sites is 183 days, giving cybercriminals ample time to compromise large volumes of payment cards.
HackMachine directly facilitates the propagation of Magecart infections by handing cybercriminals the keys to an e-commerce site: login credentials for CMSes and web hosting control panels. With access to the website management tools, cybercriminals can inject malicious scripts directly into the site or the site’s web servers. Through a variety of different methods, these scripts deploy and execute digital payment card skimmers to compromise customers’ payment card data and PII. Importantly, cybercriminal access to these website management tools does not directly translate to a successful Magecart infection because e-commerce sites may have security precautions in place to monitor and mitigate suspicious activity. Nevertheless, Gemini Advisory has identified over 7,500 e-commerce sites with Magecart infections in the past year, signalling that lax security from merchants has allowed this attack method to propagate.
Furthermore, through dark web monitoring, *Gemini analysts have identified several threat actors who indicated that they purchased HackMachine and then went on to sell access to compromised e-commerce sites on dark web forums. In the forum posts advertising the sales, the actors did not specifically identify their victims but typically noted several factors contributing to the potential criminal profitability of the victimized e-commerce site, such as the victimized site’s country, volume of transactions, and the checkout page’s payment method. The price of access to a single site ranged from several hundred dollars to several thousand dollars.
Additionally, access to a site’s web server or CMS control panel could enable cybercriminals to use the compromised server as a file repository for Magecart payment card skimmer scripts. With this tactic, the actors inject a link to the script into another compromised e-commerce site so that when a customer’s browser opens the infected page, the browser loads the skimmer from the link and executes it. Alternatively, actors could use the compromised web server as the destination for exfiltrated payment card data skimmed for other sites. More broadly, actors could also use the servers as command-and-control (C2) servers for botnets, various types of malware distribution, and other purposes.
e-Commerce sites frequently choose to store payment card data and PII from previous transactions on their web servers for marketing purposes. However, with access to e-commerce sites’ web servers through HackMachine, cybercriminals can exfiltrate the data from the web servers and then sell the data on dark web marketplaces. Crucially, the Payment Card Industry Data Security Standard, which aids in fraud management by establishing standards for the types of card data that merchants are allowed to store, prohibits e-commerce sites from storing customers’ CVV data. As a result, payment card data compromised with this attack method typically does not include CVV data, which limits cybercriminals’ options for monetizing the stolen records and drives down the price of the records on the dark web.
*Gemini recently reported on the breach of Cardpool, a now-closed gift card marketplace where individuals could sell unwanted gift cards to the shop and others could buy them. While there is no evidence to suggest that the threat actors behind the breach used HackMachine, the evidence from the breach strongly indicates that the actors compromised 330,000 payment cards by gaining access to the site’s database, showcasing the threat posed by this attack method. More broadly, dark web actors regularly sell large sets of compromised CNP payment cards on dark web forums that do not contain CVV data, a strong indicator for CNP records that the records originated from a breach of an e-commerce site’s payment card database.
More broadly, Gemini sources have also observed actors who strongly indicated they purchased HackMachine and then proceeded to sell access to databases of various companies. Depending on the company, these databases could contain a wide range of sensitive data including:
Employee or client login credentials that the company chose to store on an internet-facing server (a practice that should be avoided)
User data, including client and customer PII
Additionally, access to a company’s web server could open access to areas of the file system containing sensitive documentation, such as:
Financial documents of the victim company and clients, opening the door for a highly lucrative account takeover of business accounts
Tax documents of employees containing PII
Sensitive research and technology information allowing for reverse engineering of products or production of counterfeits.
Sensitive business information that could be used to gain an advantage during contract negotiations or possibly to blackmail company representatives
Lastly, access to a company’s database and web server may give hackers the crucial information they need to pivot into the next use case: ransomware.
Ransomware attacks against corporations and government bodies continue to disrupt business and threaten national security across the globe. Threat actors achieve these disruptions by gaining access to victims’ networks and systems, encrypting the data, and in some cases, threatening to publicly publish the victim’s data if they do not pay the ransom. Actors gain initial access to a victim’s network through a variety of means, most commonly through phishing emails sent to company employees that include a malware-infected link or attachment. From there, the actors establish a backdoor to the network, strengthen their presence, and eventually encrypt the victim’s data and issue their ransom demand.
Based on how HackMachine is marketed and analysis of actors who indicated they purchased HackMachine and proceeded to sell access to administrator panels on the dark web, the majority of hackers very likely use HackMachine for criminal activity related to card fraud and not for ransomware attacks. The main reason is that for the majority of large lucrative targets, it would be difficult for an attacker to pivot access to a web server or administrator panel into access to the larger corporate network.
However, *Gemini identified a dark web actor who strongly indicated they purchased HackMachine and then went on to create dark web forum posts seeking pentesters and network specialists to join their team and inquire about the details of several tools used for gaining remote access to victim’s systems. While the actor did not explicitly state that they were involved in ransomware attacks, an actor planning to carry out ransomware attacks would seek out exactly these types of specialists and tools.
The main use case for HackMachine in ransomware attacks is to supplement the opening stage of gaining initial access to a victim network. With access to a company’s web server, hackers could upload a malware-infected file onto the server in the hopes that an employee would download the file to a device within the greater corporate network. From there, the hackers could proceed with their typical workflow.
Alternatively, the hackers could collect information about the victim company and its employees from the web server and then craft tailored phishing emails that employees would be more likely to open. Within this context, actors on dark web forums regularly offer access to companies, such as law firms or IT companies, that are clients of larger lucrative targets. These types of access could be acquired from HackMachine or similar tools, and hackers could use the information stored on these companies’ web servers to distribute highly credible malware-infected phishing emails.
From a technical perspective, HackMachine is a relatively simple tool that provides hackers access to web applications and servers by exploiting known vulnerabilities in websites and bruteforcing simplistic passwords. Therefore, businesses and organizations can largely mitigate the risks posed from HackMachine by following the best practices for web security and fraud prevention. Listed below are some of the simpler best practices that site administrators should employ:
Ensure CMSes and any additional plugins are up to date and patched
Disable shell access for WHM panels and secure SSH ports
Protect admin credentials:
Use different usernames and passwords for WHM, cPanel, and CMS panels
Use strong passwords
Enable Multi-Factor Authentication (MFA) where possible
Monitor logins through these credentials according to the time of login, source IP, and activities once authenticated
Monitor web server’s running services for changes or new items
Monitor the filesystem for changes to files or new files
Monitor network activity:
Server initiated connections should be evaluated as they are not typical
Connection attempts at a high rate to login pages could indicate brute-forcing and should be researched
Higher-than-usual data transfer amounts over single connections should be reviewed
At its core, HackMachine is a simple but relatively professional tool for obtaining remote access to the CMSes of web pages and databases. Depending on the victim, cybercriminals can leverage access gained through HackMachine to conduct activities related to card fraud, such as injecting payment skimmers and exfiltrating stored payment card data and PII, or to escalate their privileges to perform more sophisticated schemes, such as ransomware attacks. Although these types of criminal activity require varying levels of technical expertise, tools like HackMachine simplify the process and increase the pool of potential attackers. Furthermore, as shown by the link between several actors and HackMachine, these tools directly enable cybercriminals to gain unauthorized access to sites and web databases, which they can later monetize on dark web forums.
*Gemini Advisory is a Recorded Futures Company based in Miami, Florida USA
DISCLAIMER* Avantia Corporate Services Pty Ltd T/A Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, other members of the 5 Eyes Alliance, the Australian Cyber Security Centers, and other sources in 56 countries who provide cyber breach and cyber security information in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.