With front-end attacks increasing, understanding the client-side kill chain and an attack defense to improve JavaScript security.
In my decade working in the cybersecurity industry, I’ve developed quite a few fond memories learning from talented security professionals. In 2015, I found myself working with Andy Pendergast at ThreatConnect. (As a little background, Andy is one of the fine folks who developed the Diamond Model for Intrusion Analysis. He is considered to be a veritable cybersecurity encyclopedia among his peers.) At the time, I was new to cyber threat intelligence (CTI). Andy took me under his wing to teach me CTI. One of the first things he taught me was the value of applying a cyber defense framework, such as Lockheed Martin’s Cyber Kill Chain, to the threat detection and mitigation process.
Client-Side Kill Chain based on the Lockheed Martin Cyber Kill Chain
Client-side attacks are on the rise. Because the majority of client-side attacks use JavaScript, present on 99% of websites, the threat to business is growing exponentially. Since client-side attacks like Magecart, cross-site scripting, and formjacking are becoming more and more prevalent, I’d like to walk you through an example of how to use the Lockheed Martin Cyber Kill Chain to map out and defend against a JavaScript skimming attack.
The 7 Stages of the Client-Side Kill Chain
1. Reconnaissance
During the reconnaissance stage, threat actors research e-commerce websites to identify vulnerable first- and third-party scripts that comprise the coding. From their research, they locate a number of websites that use a specific open-source, third-party JavaScript on payment pages. The threat actors determine that they can build or buy a specific JavaScript malware that can skim customer information from the page at the point of purchase.
2. Weaponization
As part of the weaponization phase, the threat actors purchase Magecart-like malware on the dark web. The malware kit costs $1,000 and has a proven track record of working with similar third-party scripts. After acquiring the malware, they find the correct open-source script on GitHub to corrupt.
3. Delivery
During the delivery process, the threat actors corrupting the open-source, third-party JavaScript code in the GitHub library. Now every website that uses this third-party script is part of a drive-by web skimming attack. Essentially, the web application owner is unintentionally delivering the skimming malware via the infected GitHub JavaScript code.
4. Exploitation
With a severe vulnerability introduced into the web applications of multiple e-commerce businesses, the threat actors can begin their data heist. Because this malicious JavaScript code resides on the client side, server-side security technologies are unable to find the malware. Now, the threat actors sit back and wait for the target web pages to refresh, so that exploitation (data skimming) can begin.
5. Installation
As soon as the refresh happens, the malicious JavaScript code loads in the user’s browser. Since the user’s browser is outside of the security teams’ oversight, the JavaScript malware is now able to receive instructions from the threat actors’ command and control (C2) server.
6. Command and control
During the command and control phase, the threat actors instruct the C2 server to start collecting data. The threat actors also monitor all web applications infected by their third-party JavaScript code and adjust the malware to provide as much value as possible.
7. Action on objectives
In the action-on-objectives phase, its time for the threat actors to accomplish their goals. Unfortunately, the threat actors’ JavaScript malware campaign goes unnoticed for three months. The third-party script they targeted only gets updated quarterly, so they have plenty of time to collect credit card information. Over the span of three months, the threat actors accumulate 2000 credit card records. They decide to sell them on the dark web for $200 each, netting them a profit of $399,000.
Work with an Expert in Client-Side Security
In 2019, I went through the Certified Ethical Hacker training program while working at Accenture Security. While I am not qualified to be a pentester or cybersecurity analyst, I did learn one very important thing. It is important to understand how cybercriminals, hackers, or other threat actors think and operate. Not every client-side attack follows the Cyber Kill Chain model as closely as outlined above. Having a rough understanding of how threat actors execute client-side attacks can be very helpful.
To learn more about client-side security and to better protect your customers from threats like the one described above, take some time to explore the Feroot security tools Inspector and Pageguard. If you would like to see our products in action, request a demo.
