A previously unknown hacker group is behind a mounting number of breaches that have been reported by local governments across the US.
In a report published today, US cyber-security vendor FireEye has revealed that this yet-to-be-identified hacker group has been breaking into Click2Gov servers and planting malware that stole payment card details.
Click2Gov is a popular self-hosted payments solution, a product of US software supplier Superion. It is sold primarily to US local governments, and you can find a Click2Gov server installed anywhere from small towns to large metropolitan areas, where it's used to handle payments for utility bills, permits, fines, and more.
FireEye says this new hacker group has been attacking Click2Gov portals for almost a year. The company's investigators believe hackers are using one or more vulnerabilities in one of Click2Gov's components (the Oracle WebLogic Java EE application server) to gain a foothold and install a web shell named SJavaWebManage on hacked portals.
Forensic evidence suggests the hackers are using this web shell to turn on Click2Gov's debug mode, which, in turn, starts logging payment transactions, card details included.
Hackers then use the same shell to upload two never-before-seen malware strains, FIREALARM and SPOTLIGHT, to the same server. The former can parse Click2Gov logs for payment card data, while the latter can detect and extract payment details from HTTP network traffic.
Today's FireEye report contains little that is new; it mainly confirms and breaks down the attackers' methods. There have been numerous media reports that Click2Gov portals have been getting hacked left and right.
Superion itself released a statement in October 2017 about suspicious activity on a number of customer portals, claiming it was investigating the incidents.
In June, Risk Based Security, another cyber-security firm, published a report about breaches at nine US cities, which it says it tracked to Click2Gov portals.
Superion didn't answer the accusations, but the company did release a Click2Gov patch a day after Risk Based Security's report, on June 15.
After FireEye's report today, Risk Based Security published a second report, with another nine cities that reported Click2Gov security incidents.
FireEye didn't release an official list of Click2Gov portals where the company identified the hackers' malware, but according to Risk Based Security, town municipalities appear to be doing their duty and notifying affected users.
As for the hackers, FireEye claims that "while it is also possible the attack was conducted by a single individual, FireEye assesses, with moderate confidence, that a team was likely involved in this campaign."
The company bases its assessment on the wide range of skills and the amount of time that would have been needed to write all the malware and carry out all the intrusions, something very difficult for one individual alone.
News of the Click2Gov hacks comes days after a similar incident was reported affecting the GovPayNow portal.