Hackers used Scanbox framework to hack Pakistani Govt’s passport application tracking site !!

Hackers used Scanbox framework to hack Pakistani Govt’s passport application tracking site !!

Pakistan automotive giant PakWheels Hacked, 700k accounts stolen

In the recent attack, the Pakistani website tracking.dgip.gov[.]pk was compromised, which is a subdomain of the Directorate General of Immigration. This particular website allows applicants of Pakistani passports to track their applications’ status. The infection was first identified on March 2, 2019.

What is the issue - Researchers from Trustwave detected a compromised Pakistani government website that delivers Scanbox Framework payload whenever anyone visits the site.

According to Trustwave’s blog post, the malicious Scanbox Javascript code has been loaded from a remote location and can obtain all sorts of information about the visitors’ devices along with recording keystrokes that every visitor makes when visiting the website. Moreover, Trustwave researchers noted that Scanbox also attempts to identify if the visitor has any of the 77 products (including security software, virtualization, and decompression tools) installed on the device. The names of the products are part of its built-in list.  

Scanbox is basically a reconnaissance framework discovered in 2014 and commonly used by APT (Advanced persistent threat) groups. It is the same framework that was used by the Stone Panda APT group in 2017 and in 2018 by LuckyMouse.

Usually, it is used in water hole attacks where a website is infected with the Scanbox Framework to obtain information about the site visitors such as their IP addresses, device OS, plugins, User Agent, and referrer. The information is then used to launch well-organized attacks against some potential targets of importance. The framework is evolving tremendously every passing year as far as the extensiveness of gathered information is concerned.

Surprisingly, the infection stays undetected by a majority of security products. At the moment, Trustwave cannot affirm with surety since when the site was infected with Scanbox but they did confirm that on the day it was identified by their researchers, Scanbox obtained information about 70 different site visitors and login credentials of about one-third of them were also collected.

The company initiated a deeper probe on the site and it was observed on March 7 that the server linked with the framework stopped responding. When the server was active, a VT scan was carried out that revealed low detection rates for the server.

To know about latest happenings in technology industry check out other posts of GadgetsTricks.com
Thanks For Your Time