IBM X-Force Incident Response and Intelligence Services (IRIS) experts observed that one of the Magecart groups, tracked as MG5, is using malware to inject into commercial-grade L7 routers.
The experts speculate the attackers have prepared code for injection into a specific type of commercial-class L7 router, they
L7 routers implement both routing and switching capabilities, an attacker that compromises the network devices could potentially perform several malicious activities, such as traffic hijacking.
The router can be installed in the same virtualization server as other business-critical IT infrastructure components, this means that once compromised could be used by hackers for lateral movements.
The Wi-Fi connectivity is usually offered for free in locations such as hotels that prefer to outsource the Wi-Fi service, but most vendors for Wi-Fi service do not support
“Having access to a large number of captive users with very high turnover — such as in the case of airports and hotels — is a lucrative concept for attackers looking to compromise payment data.”continues IBM. “We believe that MG5 aims to find and infect L7 router libraries with malicious code and possibly inject malicious ads that captive users must click on to eventually connect to the internet.”
Attackers can compromise L7 routers to steal guest payment data from the users the browse websites through the compromised network device, they can also inject malicious ads into
IBM experts also believe that the Magecart hackers have
“Another finding from X-Force IRIS with regards to code being tested by Magecart Group 5 concerns open-source mobile app code that’s offered to app developers for free. The code provides a library-agnostic touch slider to allow developers to build touch galleries for their app projects.” concludes the report.
“MG5 has likely infected this code, corrupting it as its source to ensure that every developer using the slider will end up serving the
The report also includes mitigation tips to prevent access to data.
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – APT, hacking)