Silent Skimmer Reemerges: New Tactics Target Payment Gateways - #SilentSkimmer
The Silent Skimmer cyber attack campaign, likely originating from China, has been targeting firms in North America and the Asia-Pacific region, focusing on online payment pages to steal user information such as billing details and credit card numbers. The campaign started in the APAC region and later expanded to North America and Latin America. It exploits known vulnerabilities in web applications, notably the .NET deserialization flaw CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX and the earlier Telerik UI vulnerability CVE-2017-11317. Once inside, the attackers deploy remote access tools via PowerShell scripts, web shells, and mixed-mode assemblies to maintain control, and exfiltrate data through services such as Cloudflare. The group has also been observed using compiled Python scripts to access databases directly and exfiltrate payment data, underlining its technical sophistication. Researchers emphasize that organizations should patch these known vulnerabilities to mitigate the threat effectively.