'ResumeLooters' Attackers Steal Millions of Career Records

Attackers used SQL injection and cross-site scripting to target at least 65 job-recruitment and retail websites with legitimate penetration-testing tools, stealing databases containing more than 2 million emails and other personal records of job seekers in just a month's time.
The data included names, phone numbers, and dates of birth, as well as information about job seekers' experience and employment history.
All told, the group - believed to be operating since the beginning of 2023 - stole several databases containing 2,079,027 unique emails and other records in attacks that occurred between last November and December, the researchers found.
While more than 70% of victims were in the Asia-Pacific region, Group-IB also identified compromised companies in other regions, including Brazil, Italy, Mexico, Russia, Turkey, and the US. Specifically, attackers targeted 26 retail companies and 19 job-seeking sites, as well as a handful of organizations in professional services, delivery, real estate, investment, and other industries.
Cyberattacks Using Pen-Testing Tools

ResumeLooters' attack vector is similar to that of another group called GambleForce, which Group-IB discovered targeting the APAC region in September.
Like that group, attackers used a variety of publicly available penetration-testing tools to target and inject malicious script into websites.
In the case of ResumeLooters, common tools included Acunetix, Beef Framework, X-Ray, Metasploit, ARL, and Dirsearch.
The team's investigation began with the identification of a malicious server at 139.180.137[.]107, on which they found logs of several penetration-testing tools, including sqlmap, that revealed the attackers were targeting employment websites and retail companies.
The most common initial vector used by ResumeLooters is SQL injection via sqlmap, but in some cases attackers injected XSS scripts into legitimate job-search sites to carry out attacks, the researchers found.
The attack occurs when the injection triggers the execution of a malicious remote script that displays a phishing form to steal visiting job seekers' data.
In one of its XSS attacks, ResumeLooters even created a fake employer profile on a legitimate recruitment website, injecting malicious XSS script into one of the fields in the profile.
Which the researchers believe could be another domain associated with the group, though it was inaccessible at the time the researchers analyzed it.
Evidence also suggested that ResumeLooters attempted to gain shell access on target systems to download and execute additional payloads, and try to find more data, while having full control of the victims' server.
Job Seekers in the Cyber Crosshairs

Threat actors often target job seekers through various employment scams, due to the range of information that can be gleaned through communications with them, as well as the opportunity to sway them using social engineering.
Threat groups from North Korea in particular are adept at targeting job seekers worldwide using fake job offers aimed at stealing their personal info and credentials.
Attackers also exploit social media platforms, such as Facebook, to target those seeking employment, especially for remote work.
To counter these attacks, Group-IB made several recommendations for organizations to prevent both SQL injection and XSS attacks.
For the former, organizations should use the parameterized or prepared statements provided by their programming language or framework rather than concatenating user input directly into SQL queries.
Implementing a Web application firewall can help detect and block SQL injection attempts, providing an additional layer of defense against a range of Web application attacks.
Another tactic that can help prevent both SQL injection and XSS attacks is to validate and sanitize user inputs on both the client and server sides, ensuring that inputs adhere to expected formats and length constraints, according to Group-IB. To prevent XSS attacks, the researchers suggested, organizations also can escape special characters to ensure that they are treated as literal text and not interpreted as code before rendering user-generated content.
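The three recommendations above (parameterized queries, input validation with format and length limits, and escaping before rendering user-generated content such as an employer profile field), shown side by side with the concatenation pattern they replace. This is an added Python example using the standard library's sqlite3 and html modules; it is not code from Group-IB or the article, and the candidate table and sample rows are constructed for the demonstration.

```python
import html
import re
import sqlite3


def build_db():
    # Constructed in-memory stand-in for a recruitment site's candidate table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE candidates (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO candidates (email, phone) VALUES (?, ?)",
        [("alice@example.com", "555-0100"), ("bob@example.com", "555-0101")],
    )
    return conn


def find_candidate_vulnerable(conn, email):
    # Concatenation: the input becomes part of the SQL text, so a value that
    # contains a quote can change the structure of the query (the injection case).
    query = "SELECT email, phone FROM candidates WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def find_candidate_safe(conn, email):
    # Parameterized statement: the driver binds the value separately from the
    # SQL text, so whatever the input contains is compared as data only.
    return conn.execute(
        "SELECT email, phone FROM candidates WHERE email = ?", (email,)
    ).fetchall()


# Server-side validation: expected format plus a length constraint (RFC 5321 cap).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(value, max_len=254):
    return len(value) <= max_len and EMAIL_RE.fullmatch(value) is not None


def render_profile_field(value):
    # Escape special characters before rendering user-generated content, so a
    # profile field is emitted as literal text rather than interpreted as markup.
    return '<div class="employer-name">' + html.escape(value) + "</div>"
```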


This Cyber News was published on www.darkreading.com. Publication date: Tue, 06 Feb 2024 18:35:31 +0000

