Learn How “HackMachine” Enables Fraud and Cyber Intrusions


Posted on July 15, 2021 by Jonathan Coronado


Learn How “HackMachine” Enables Fraud and Cyber Intrusions

Learn How "HackMachine" Enables Fraud and Cyber Intrusions

Key Findings

  • The cybercriminal software "HackMachine" provides attackers with a simple-to-use and automated method of gaining access to web applications. Attackers can load target victim domains into the software, whereupon the software scans the sites for known vulnerabilities, collects administrator and user login credentials through multiple types of brute-force attacks.
  • Hackers can leverage access acquired through HackMachine to inject skimmers, steal stored payment card data from previous transactions, and exfiltrate user databases and personally identifiable information (PII). The types of access acquired through HackMachine can also be used to supplement ransomware attacks.
  • HackMachine exploits sites with lax security postures to acquire access to administrator panels; therefore, businesses can mitigate the threat posed by the software by following the best web security practices.
  • Gemini has identified actors who purchased and praised HackMachine and then proceeded to sell accesses that were likely acquired through HackMachine. This indicates the software is a current threat to cardholders, financial institutions, and merchants due to its card fraud applications, as well as a threat to companies and organizations due to its ransomware applications.

Background

Content management systems (CMS) and web hosting control panels are used by businesses to simplify the management of websites while providing improved functionality for people browsing those sites. CMS allow content managers to manage site-based functions at the app level, like adding an e-commerce shopping cart extension. Web hosting control panels give administrators more power over their servers and hosted

A site's CMS control panel allows cybercriminals to inject digital skimmers, access payment card data from previous stored transactions, and gain user account information. An access to the web hosting control panel enables them to perform these activities and then conduct more intrusive activities like installing malware or remote access trojans (RATs). Installation of a RAT may allow the malicious actor to maintain access to the server even if the login credentials are changed. Additionally, malware installed using administrator-level privileges could perform any number of nefarious activities.

Using the Site Administration dashboard, CMS users can adjust the site's structure and edit its content. Users with system administration privileges on a web server will have access to respective server files and settings as well. Therefore, if cybercriminals can acquire one or both of these credential set(s), they can view, exfiltrate, and manipulate any data that the compromised account is authorized to access. Given that many people use the same username and password for multiple systems, cybercriminals may gain access to both panels through discovery of a single set of credentials. In practice, cybercriminals primarily use these types of access for four purposes:

  • Magecart infections: Injecting payment card skimmers into e-commerce sites
  • Database “dumps”: Exfiltrating sensitive data that has been stored on a site’s web server and databases, including payment card data from previous transactions, users’ personally identifiable information (PII), and administrators’ login credentials
  • Ransomware attacks: Leveraging access to these administrator panels to gain access to the victim’s larger network
  • Server-based Botnets: Leveraging access to these administrator panels actors can install scripts that perform Distributed Denial-of-Service (DDoS) attacks

How HackMachine Works

The actor behind HackMachine revealed that the software was originally written for a private client before being released commercially. The software is used by attackers to gain access to web applications and servers, which is simple-to-use and automated. Attackers can load target victim domains into the software, whereupon the software scans the sites for known vulnerabilities, collects administrator and user login credentials through multiple types of brute-force attacks, and verifies the validity of the credentials.

HackMachine is a new malware that, in addition to stealing login information, performs SQL injections. This type of attack typically sends queries to web-form handlers on the server and exploits vulnerabilities in how the site validates data requests being forwarded to the database. In some instances, an SQL Injection can result in a reverse shell (command prompt) being granted to the attacker. If successful, the attacker would be able to execute scripts on the site’s server with the privilege level of the database service account. Statistics are no surprise, but there is a definite rise in the number of attacks happening to SQL databases on servers. The privilege level of the attacker's service account could open up nearly unlimited access to not just your database.

The actor behind HackMachine indicated in their posts that the site is able to take down sites using CMSes WordPress, DataLife Engine, Joomla, and Drupal, as well as those with FTP (File Transfer Protocol) servers.

HackMachine

Originally released on the Exploit forum in October 2019, HackMachine has continued to be updated and three supplemental applications have been released. “All Checker WordPress”, “All Checker WHM/CPanel”, and “Exploiter”. The three supplemental applications provide attackers with additional functionalities designed to expand the scope and efficiency of their attacks. All four applications have an English-language interface and include support and documentation in English and Russian. HackMachine costs $300, Exploiter costs $200, and All Checker WordPress and All Checker WHM/CPanel each cost $100. 

How All Checker Wordpress Works

All Checker WordPress enables attackers to filter results by keywords. In practice, this means attackers can filter for only administrative accounts of sites in which the WooCommerce plugin is installed, which would indicate the site is an online store. The application can also determine account types, install additional plugins, and generate statistics for the number of posts and orders made on the site. The most common use case for this tool is for Magecart infections.

How All Checker WHM/CPanel Works

All Checker WHM/CPanel is a utility that checks the validity of login credentials from data received from HackMachine, and searches through cPanel or Web Hosting Manager (WHM) accounts. For sites on which the server is administered through cPanel or WHM, credentials at this level would grant the attacker full administrative permissions to the server, including network configuration, file system management, database management, user management, autorun applications, and more. The hacking tool could grant hackers access to the victim’s web infrastructure, even going so far as Magecart infections and data exfiltration.

How Exploiter Works

In January 2021, the actor behind HackMachine made a post in which they indicated that they would divide the capabilities of HackMachine and create another new tool called Exploiter. Exploiter is a powerful utility for bulk domain processing that allows attackers to:

  • Sort databases
  • Search for admin areas and vulnerable sites
  • Extract shops
  • Search for files and download them
  • Find shells and file upload forms

Similar to All Checker WHM/CPanel, the types of access and information gathered through Exploiter enable hackers to perform Magecart infections, database exfiltration, and ransomware-related activity.

How Criminal Use Cases is Threatening HackMachine.

As noted above, HackMachine identifies vulnerabilities in websites and exploits these vulnerabilities to acquire login credentials for the site’s CMSes, WHM panels, and cPanel control panels. Once a hacker has gained access to your account and stolen your passwords, they can leverage this information for malicious purposes like credit card fraud and in some cases initiate a ransomware attack.On the card fraud side, the two major use cases for HackMachine are Magecart infections, which refer to the injection of digital payment card skimmers, and payment card database “dumps”, which refer to exfiltrating payment card data and PII from previous transactions that an e-commerce site has stored on its site.

Magecart Infections

Card fraud is steadily shifting from in-person transactions to online transactions, and the COVID-19 virus pandemic has increased this shift. A great number of payment cards compromised through these attacks come from Magecart digital skimming, which involve hackers inserting malicious code into e-commerce sites to steal payment card data from customers’ purchases. This data is then exfiltrated to the hacker’s own infrastructure and sold on the dark web. According to Gemini’s card fraud data, the median time from when an e-commerce site is compromised to when they are notified of a security incident is 183 days; this usually provides cybercriminals with ample time to store and use large quantities of stolen payment cards.

HackMachine

Gemini Advisory has identified over 7,500 e-commerce sites with Magecart infections in the past year. Risks include having lax security and not spotting an attack when it happens.

Furthermore, Gemini analysts have identified that several actors who purchased HackMachine went on to sell access to compromised e-commerce sites on dark web forums. In the forum posts advertising the sales, the actors did not specifically identify their victims but typically noted several factors contributing to the potential criminal profitability of the victimized e-commerce site, such as the victimized site’s country, volume of transactions, and the checkout page’s payment method. The price of a single website ranged from $400 to $3,000

Additionally, having access to a website's web server or CMS control panel would enable cybercriminals to use the compromised machine as a file repository for Magecart payment-card skimmer scripts.With this tactic, the actors inject a link to the script into another compromised e-commerce site so that when a customer’s browser opens the infected page, the browser loads the skimmer from the link and executes it. Alternatively, actors could use the compromised web server as the destination for exfiltrated payment card data skimmed for other sites. More broadly, actors could also use the servers as command-and-control (C2) servers for botnets, various types of malware distribution, and other purposes.

What is Database “Dumps”

Gemini recently reported on the breach of Cardpool, a now-closed gift card marketplace where those who had unwanted gift cards could sell them to the shop. People looking for these types of deals could also buy the cards from other sellers.

While there is no evidence to suggest that the threat actors behind the breach used HackMachine, the evidence from the breach strongly indicates that the actors compromised 330,000 payment cards by gaining access to the site’s database, showcasing the threat posed by this attack method.

In general, dark web actors often sell large sets of compromised payment cards on dark web forums that do not contain CVV data. This is a strong indicator for compromised credit card records originating from an e-commerce site's payment card database.

The Gemini project has observed actors who claim they purchased HackMachine and then sell access to databases of various companies.Depending on the company, these databases could contain a wide range of sensitive data including:

  • Employee or client login credentials that the company chose to store on an internet-facing server (a practice that should be avoided)
  • User data, including client and customer PII

Additionally, access to a company’s web server could open access to areas of the file system containing sensitive documentation, such as:

  • Financial documents of the victim company and clients, opening the door for a highly lucrative account takeover of business accounts
  • Tax documents of employees containing PII
  • Sensitive research and technology information allowing for reverse engineering of products or production of counterfeits.
  • Sensitive business information that could be used to gain an advantage during contract negotiations or possibly to blackmail company representatives.

Lastly, access to a company’s database and web server may give hackers the crucial information they need to pivot into the next use case: ransomware.

What is Ransomware?

Ransomware attacks on corporations and government agencies around the world continue to disrupt business and pose a threat to national security. Threat actors achieve these disruptions by gaining access to victims’ networks and systems, encrypting the data, and in some cases, threatening to publicly publish the victim’s data if they do not pay the ransom. Actors often begin initial access to a victim's network through one of many means, most commonly by targeting employees with successful phishing emails. From there, the actors establish a backdoor to the network, strengthen their presence, and eventually encrypt the victim’s data and issue their ransom demand.

Based on how HackMachine is marketed and analysis of actors who indicated they purchased HackMachine and proceeded to sell access to administrator panels on the dark web, the majority of hackers very likely use HackMachine for criminal activity related to card fraud and not for ransomware attacks. For most large, franchisable opportunities, it would be difficult for an attacker to gain access to a web server or administrator panel and then use that as leverage to tap into the larger network.

While the actor did not explicitly state that they were involved in ransomware attacks, an actor planning to carry out ransomware attacks would seek out exactly these types of specialists and tools. 

The main use case for HackMachine in ransomware attacks is to supplement the opening stage of gaining initial access to a victim network. With access to a company’s web server, hackers could upload a malware-infected file onto the server in the hopes that an employee would download the file to a device within the greater corporate network. From there, the hackers could proceed with their typical workflow. 

Luckily we at ChatFortress are here to help Detect and Respond to cyber threats faster with our Autonomous End-point Breach Protection.

Let our team monitor and detect cybersecurity threats against your network, users, files and hosts 24/7 via our ThreatFortress Cynet360 XDR and Response Automation platform.

ThreatFortress

Detect and Respond to cyber threats faster with our Autonomous End-point Breach Protection. Let our team monitor and detect cybersecurity threats against your network, users, files and hosts 24/7 via our ThreatFortress Cynet360 XDR and Response Automation platform.

Email Guardian

Detect and Remove BAD Emails from your inbox in 3 Seconds or less! ChatFortress is the world’s first automated phishing, prevention, detection and response platform combining humans and machine intelligence with machine learning to automatically analyze, detect and remove malicious emails before and after they land in the inbox using a multi-layered and automated approach.


Conclusion

HackMachine is a simple but professional tool that enables you to remotely access the content management systems and databases of web pages. Depending on the victim, cybercriminals can leverage access gained through HackMachine to conduct activities related to card fraud, such as injecting payment skimmers and exfiltrating stored payment card data and PII, or to escalate their privileges to perform more sophisticated schemes, such as ransomware attacks. Although these types of criminal activity require varying levels of technical expertise, tools like HackMachine simplify the process and increase the pool of potential attackers.Furthermore, as shown by the link between several actors and HackMachine, these tools directly enable cybercriminals to gain unauthorized access to sites and web databases, which they can later monetize on dark web forums. 

We at ChatFortress provides you the confidence that your company will survive a ransom attack. We have a cybersecurity response plan in case of real-world threats such as ransomware and malware.

Schedule a time now to discuss how we can give you confidence in your cybersecurity response plans.

Who is ChatFortress

ChatFortress is a leading cybersecurity company that helps small and medium-size companies protect themselves from hacking attempts. Using Cybersecurity AI, Gamified cybersecurity awareness programs and providing virtual security analysts. Our goal is to help you create a cybersecurity aware culture.


Search
Cybersecurity Resources

Talk to Us

Reduce your cybersecurity risk and exposure. Schedule time with your ChatFortress Specialist now
or Call 307-999-7755

commoncybersecuritymistakes
Cybersecurity Education Links

Common Cybersecurity Mistakes and how you can protect yourself and your business from liability and financial loss! Instant Webinar Access!

Schedule Your Free Cybersecurity Risk Assessment Click Here to Schedule Call

Discover current hacker trends to steal your data and how you can protect yourself in 7 day FREE Email Cybersecurity crash course

Here are the 8 common types of email phishing attacks that hackers use to steal your identity. Are you protected?

Protect your business from hackersCrash Coursesmall business cybersecurity protectionHackerssmall business cybersecurity protection8typesofemailphishingscamssmall business cybersecurity protectionCMMC Compliance Check ListCybersecurity For Business