'ResumeLooters' Attackers Steal Millions of Career Records


Attackers used SQL injection and cross-site scripting (XSS) to target at least 65 job-recruitment and retail websites with legitimate penetration-testing tools, stealing databases containing more than 2 million emails and other personal data of job seekers in just a month's time.

Dubbed "ResumeLooters" by researchers in Group-IB's Threat Intelligence Unit, who discovered the campaign, the group primarily targeted victims in India, Taiwan, Thailand, Vietnam, China, and Australia, stealing emails and other data containing personal information from people's resumes, researchers revealed in a blog post on Feb. 6. The data included names, phone numbers, and dates of birth, as well as information about job seekers' experience and employment history.

All told, the group, believed to be operating since the beginning of 2023, stole several databases containing 2,079,027 unique emails and other records in attacks that occurred between last November and December, the researchers found. While more than 70% of victims were in the Asia-Pacific (APAC) region, Group-IB also identified compromised companies in other regions, including Brazil, Italy, Mexico, Russia, Turkey, and the US.

Specifically, attackers targeted 26 retail companies and 19 job-seeking sites, as well as a handful of organizations in professional services, delivery, real estate, investment, and other industries. The group then put the stolen data up for sale on Chinese-speaking Telegram channels.

Cyberattacks Using Pen-Testing Tools

ResumeLooters' attack vector is similar to that of another group called GambleForce, which Group-IB discovered targeting the APAC region in September. Like that group, the attackers used a variety of publicly available penetration-testing tools to target websites and inject malicious script into them. In the case of ResumeLooters, common tools included Acunetix, Beef Framework, X-Ray, Metasploit, ARL (Asset Reconnaissance Lighthouse), and Dirsearch.

"ResumeLooters is yet another example of how much damage can be made with just a handful of publicly available tools," senior threat analyst Nikita Rostovcev from Group-IB's advanced persistent threat (APT) research team wrote in the post. "Both GambleForce and ResumeLooters employ very simple attack methods."

The team's investigation began with the identification of a malicious server at 139.180.137[.]107, on which they found logs of several penetration-testing tools, including sqlmap, that revealed the attackers were targeting employment websites and retail companies.

The most common initial vector used by ResumeLooters is SQL injection via sqlmap, but in some cases the attackers injected XSS scripts into legitimate job-search sites to carry out attacks, the researchers found. The attack occurs when the injection triggers the execution of a malicious remote script that displays a phishing form to steal visiting job seekers' data.

In one of its XSS attacks, ResumeLooters even created a fake employer profile on a legitimate recruitment website, injecting malicious XSS script into one of the fields in the profile. The profile also included a link to admin.cloudnetsafe[.]com, which the researchers believe could be another domain associated with the group, though it was inaccessible at the time the researchers analyzed it.

Evidence also suggested that ResumeLooters attempted to gain shell access on target systems in order to download and execute additional payloads and search for more data while having full control of the victims' server. However, it is unclear whether these attempts were successful, Rostovcev said.

Group-IB has notified the victims of the companies targeted in the attacks "so they could take all necessary steps to mitigate further damage," he added.

Job Seekers in the Cyber Crosshairs

Threat actors often target job seekers through various employment scams, because of the range of information that can be gleaned through communications with them, as well as the opportunity to sway them using social engineering.

Indeed, threat groups from North Korea in particular are adept at targeting job seekers worldwide using fake job offers aimed at stealing their personal data and credentials. Attackers also exploit social media platforms, such as Facebook, to target those seeking employment, especially for remote work.

Attacks like those by ResumeLooters and GambleForce are "easily avoidable," yet company websites can be compromised due to "poor security as well as inadequate database and website management practices," Rostovcev noted.

The campaign is a reminder to organizations that they must prioritize cybersecurity and stay vigilant against evolving threats, he said. To that end, Group-IB made several recommendations for organizations to prevent both SQL injection and XSS attacks.

For the former, organizations should use parameterized statements or prepared statements provided by their particular programming language or framework, rather than concatenating user input directly into SQL queries. "This helps to separate user input from SQL code," Rostovcev wrote.
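The difference between concatenation and a parameterized statement is easiest to see side by side. The following is an added example, not code from Group-IB or from any of the affected sites; it uses Python's standard sqlite3 module and a constructed three-row "candidates" table as a stand-in for a recruitment site's database:

```python
import sqlite3

# Constructed sample data standing in for a recruitment site's candidate table.
SAMPLE_ROWS = [
    ("alice@example.com", "Alice", "+1-555-0100"),
    ("bob@example.com", "Bob", "+1-555-0101"),
    ("carol@example.com", "Carol", "+1-555-0102"),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE candidates (email TEXT, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO candidates VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_candidate_concatenated(conn, email):
    """Vulnerable form: user input is spliced into the SQL text, so a quote
    character in the input can change the structure of the query itself."""
    query = "SELECT email, name FROM candidates WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def find_candidate_parameterized(conn, email):
    """Hardened form: the '?' placeholder is bound by the driver as a value.
    The SQL text is fixed, so the input can only ever be compared as data."""
    query = "SELECT email, name FROM candidates WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A routine lookup behaves identically in both versions.
    print(find_candidate_parameterized(db, "alice@example.com"))
    # An input carrying a quote shows the difference: the concatenated query
    # is rewritten into a tautology and leaks every row, while the
    # parameterized query simply finds no address equal to that string.
    probe = "' OR '1'='1"
    print(len(find_candidate_concatenated(db, probe)))   # every row
    print(len(find_candidate_parameterized(db, probe)))  # no rows
```

The same placeholder mechanism exists in every mainstream database driver and ORM; the point is that the query text is compiled once and the user-supplied string is only ever bound to it as a value, which is what Rostovcev means by separating user input from SQL code.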

Implementing a Web application firewall can detect and block SQL injection attempts, providing an additional layer of defense against various Web application attacks. Another tactic that can help prevent both SQL injection and XSS attacks is to validate and sanitize user inputs on both the client and server sides, ensuring that inputs adhere to expected formats and length constraints, according to Group-IB.

To prevent XSS attacks, the researchers suggested, organizations can also escape special characters before rendering user-generated content, so that they are treated as literal text and not interpreted as code.
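The two recommendations above (format and length validation on the server side, and escaping at render time) fit together naturally around a profile like the fake employer profile described earlier. The following is an added example, not code from Group-IB or from any recruitment site; the field names, length limits, regular expressions and the constructed sample profile are all assumptions made for illustration, and it uses only Python's standard html and re modules:

```python
import html
import re

# Assumed field set and length limits for an employer profile form.
MAX_FIELD_LEN = {"company": 120, "name": 80, "email": 254, "phone": 20, "about": 2000}
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?[0-9][0-9 \-]{6,19}$")

# Constructed sample submission: the free-text "about" field carries markup,
# which is exactly what output escaping has to neutralise.
SAMPLE_PROFILE = {
    "company": "Example Staffing Ltd",
    "name": "Dana Recruiter",
    "email": "dana@example.com",
    "phone": "+1-555-0100",
    "about": "We hire fast! <script>alert('xss')</script>",
}


class ValidationError(ValueError):
    """Raised when a submitted field violates the expected format or length."""


def validate_profile(fields):
    """Server-side validation: enforce expected type, length and format for every
    field. Returns a cleaned copy or raises ValidationError. Note that a free-text
    field such as 'about' legitimately may contain '<' or quotes, so validation
    alone does not make it safe to render; that is the job of escaping."""
    cleaned = {}
    for key, limit in MAX_FIELD_LEN.items():
        value = fields.get(key, "")
        if not isinstance(value, str):
            raise ValidationError(f"{key}: must be a string")
        value = value.strip()
        if len(value) > limit:
            raise ValidationError(f"{key}: longer than {limit} characters")
        cleaned[key] = value
    if not EMAIL_RE.match(cleaned["email"]):
        raise ValidationError("email: unexpected format")
    if cleaned["phone"] and not PHONE_RE.match(cleaned["phone"]):
        raise ValidationError("phone: unexpected format")
    return cleaned


def is_valid_profile(fields):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        validate_profile(fields)
        return True
    except ValidationError:
        return False


def render_profile(profile):
    """Escape every user-supplied value at the point it is written into HTML.
    html.escape turns & < > " ' into entities, so the browser shows the text
    literally instead of parsing it as tags or attributes."""
    e = html.escape
    return (
        '<div class="employer">'
        f"<h2>{e(profile['company'])}</h2>"
        f"<p>Contact: {e(profile['name'])} ({e(profile['email'])}, {e(profile['phone'])})</p>"
        f"<p>{e(profile['about'])}</p>"
        "</div>"
    )


if __name__ == "__main__":
    print(render_profile(validate_profile(SAMPLE_PROFILE)))
```

Rendered, the sample's "about" text appears as `&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;`, which a browser displays as the literal characters. Escaping belongs at output time and must match the context (HTML body here; attribute, URL and JavaScript contexts need their own encoders), which is why most templating engines apply it automatically and why validation is a complement to it rather than a substitute.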


