Click2Gov servers planted with malware that steals payment card information

• Hackers have been targeting Click2Gov web payment portal to steal credit card information.
• Hackers likely exploited Oracle Web Logic server vulnerabilities to upload arbitrary files or achieve remote access to Click2Gov webservers.

Click2Gov, a widely used payment software for processing payments related to local government services such as utilities, building permits, and a business license, has been targeted by hackers. The web-based interactive self-service software developed by US software supplier Superion has been exploited recently in multiple data breaches attempts with an intent to steal credit card information.

Security firm FireEye confirmed in a recent report, an unknown group of hackers had cracked down into Click2Gov servers and placed notorious malware that stole credit card details. FireEye investigators said, “It is not known how the attacker compromised the Click2Gov web servers, but they likely employed an exploit targeting Oracle Web Logic such as CVE-2017-3248, CVE-2017-3506, or CVE-2017-10271, which would provide the capability to upload arbitrary files or achieve remote access.”

FireEye also confirmed that Click2Gov portals had been targeted by this new hacker group for almost a year.

The first official statement confirming the campaign was released by Superion on October 2017. However, numerous media reports published in mid-June also pointed out at least seven Click2Gov customers who were possibly affected by this campaign and complained that their credit card information has been stolen.

Later, Superion released a statement informing their affected customers. The company had also deployed patches to Click2Gov software by working along with a third party forensic firm. But since then, several more local government sites were identified as victims of the malware.

Attack method

According to security researchers from FireEye, the attack vector begins when the hacker uploads an SJavaWebManage web shell command to start communicating with the compromised server. “Through interaction with the web shell, the attacker enabled debug mode in a Click2Gov configuration file causing the application to write payment card information to plaintext log files,” researchers said.

Furthermore, the attacker also uses a tool named FIREALARM - named by FireEye researchers - to retrieve the log file containing payment information. Once collected the data is encoded and exfiltrated by the hacker.

Researchers also added, “The attacker used another tool, SPOTLIGHT, to intercept payment card information from HTTP network traffic.”

Nick Richard, the principal threat intelligence analyst at FireEye, told TechCrunch, “Any web server running an unpatched version of Oracle WebLogic would be vulnerable to exploitation, thus allowing an attacker to access the web server to manipulate Click2Gov configuration settings and upload malware.”

The attack lifecycle employed by the hacker group is consistent and hence researchers predict that not a single individual, but a team is to be involved in the campaign. Researchers also anticipate that the hackers will “continue to conduct interactive and financially motivated attacks.”