Phone : +91 95 8290 7788 | Email : sales@itmonteur.net

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Attackers compromised Pakistani government website to deliver Scanbox Framework payload

Attackers compromised Pakistani government website to deliver Scanbox Framework payload

  • Researchers detected a compromised Pakistani government website that delivers Scanbox Framework payload whenever anyone visits the site.
  • Trustwave notified the Pakistani government website about the infection, however, the site still remains compromised.

What is the issue – Researchers from Trustwave detected a compromised Pakistani government website that delivers Scanbox Framework payload whenever anyone visits the site.

Worth noting – The compromised Pakistani government website (tracking.dgip.gov[.]pk) is a subdomain of the Directorate General of Immigration & Passport of the Pakistani government that allows passport applicants to track the status of their application.

The big picture

  • Once the Scanbox framework is on the visitor’s system, it collects system information and keystroke logs.
  • Scanbox also attempts to detect whether the visitor has installed any of the 77 endpoint products such as security tools, decompression, and virtualization tools.

“Scanbox Framework is a reconnaissance framework that was first mentioned back in 2014 and has been linked over the years to several different APT groups. Its intense activity during the 2014-2015 years has been well-covered in a paper written by PwC. It was then seen again in 2017 suspected to be used by the Stone Panda APT group, and once more in 2018 in connection with LuckyMouse,” Trustwave researchers said in a blog.

Why it matters – due to the lack of detection for the compromised website by security products

  • Most of the Antivirus and security products failed to detect this compromised domain, however, Trustwave detected the compromised site on March 2, 2019.
  • On that day alone, Scanbox managed to gather information including credentials on at least 70 unique visitors.
  • The impacted visitors were primarily from Pakistan (80%), while other visitors were located in Saudi Arabia, the United States, China, Qatar, Germany, UK, South Korea, Netherlands, and India.
  • Trustwave notified the Pakistani government website about the infection, however, the site still remains compromised.

The bottom line – The Scanbox server currently appears inactive, however, the infection indicated that it has some level of access to the compromised website.

“The Scanbox server currently appears inactive, but the infection indicates that the attack has some level of access to the site, and so it’s likely that the server could return to activity or be replaced with a different piece of malicious code at the attacker’s will,” researchers said.

Information Security - InfoSec - Cyber Security - Firewall Providers Company in India

 

 

 

 

 

 

 

 

 

 

 

 

What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

 

Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.

 

Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net

Register & Request Quote | Submit Support Ticket