
Client-side Kill Chain – JavaScript Malware Attack Defense

I’ve been in the cybersecurity products and services industry for close to a decade and I have quite a few fond memories of learning from talented security practitioners. In 2015, I found myself working with Andy Pendergast at ThreatConnect. At the time, I was new to the cyber threat intelligence (CTI) space and starting from scratch. (As a little background, Andy is one of the fine folks who developed the Diamond Model for Intrusion Analysis and is considered a veritable cybersecurity encyclopedia among his peers.) Andy took me under his wing to teach me the CTI and cybersecurity ropes. One of the first things he taught me was the value of applying a cyber defense framework, such as Lockheed Martin’s Cyber Kill Chain, to the threat detection and mitigation process.

Client-side attacks are on the rise. The majority of them use some form of JavaScript to deliver malware in order to collect data from unsuspecting users and then send it to command and control domains for processing. Client-side attacks need to be managed similarly to more traditional server-side cyberattacks. Since client-side attacks like Magecart, cross-site scripting, and formjacking are becoming more and more prevalent, I’d like to walk you through an example of how to use the Lockheed Martin Cyber Kill Chain to map out and defend against a skimming attack using JavaScript malware.

Figure: client-side kill chain.

1. Reconnaissance

During the reconnaissance stage, threat actors research a variety of e-commerce websites to determine the types of first- and third-party scripts that make up their code. From their research, they determine that a number of these websites use a specific open-source, third-party JavaScript library on payment pages to enhance the user experience. The threat actors conclude that they can build or buy JavaScript malware that skims customer information from the page at the point of purchase and automatically sends that information to their command and control domain.

2. Weaponization

The weaponization phase involves the threat actors hunting for Magecart-like malware available for purchase on the dark web. The malware kit costs $1,000. They decide to acquire the JavaScript malware kit, since it has been proven to work over the past year against similar third-party scripts. After acquiring the malware, they locate the open-source script on GitHub that they intend to corrupt.

3. Delivery

The delivery process involves the threat actors corrupting the open-source, third-party JavaScript code in the GitHub library where it is openly shared. Now every website that uses this third-party script is part of a drive-by web skimming attack, since the web application owner is unintentionally delivering the skimming malware via the infected GitHub JavaScript code.

4. Exploitation

The threat actors have now introduced a severe vulnerability into the web applications of multiple e-commerce businesses with the intent of exploiting this vulnerability to its fullest. Server-side security technologies are unable to find the malware, because this malicious JavaScript code executes on the client side. The threat actors sit back and wait for the target e-commerce web pages to refresh, so that exploitation (in this case, data skimming) can begin.

5. Installation 

As soon as the e-commerce web applications refresh, the malicious JavaScript code is loaded in the user’s browser. This happens outside the business’s security team’s oversight and purview. The JavaScript malware is now able to receive commands from the threat actors’ command and control server.

6. Command and control 

The threat actors can now execute commands from their command and control server to start collecting data. The threat actors can also monitor all web applications infected by their third-party JavaScript code and can adjust the malware to provide them with as much value as possible. 

7. Action on objectives

Unfortunately, the threat actors’ JavaScript malware campaign goes unnoticed for three months. The third-party script they targeted only gets updated quarterly, so they have plenty of time to collect credit card information. Over the span of three months, the threat actors accumulate 2000 credit card records. They decide to sell them on the dark web for $200 each, netting them a profit of $399,000. 

In 2019, I went through the Certified Ethical Hacker training program while working at Accenture Security. Going through the training does not qualify me to actually be a pentester or cybersecurity analyst; however, it did teach me one very important thing—how important it is to understand how cybercriminals, hackers, or other threat actors think and how they operate. Not every client-side attack follows the Cyber Kill Chain model as closely as outlined above, but having a rough understanding of how threat actors execute client-side attacks can be very helpful.

To learn more about client side security and to better protect your customers from threats like the one described above, take some time to explore the Feroot security tools Inspector and Pageguard. If you would like to see our products in action, please request a demo here: link.


*** This is a Security Bloggers Network syndicated blog from Feroot authored by [email protected]. Read the original post at: https://www.feroot.com/blog/client-side-kill-chain/