A vulnerable municipal payment software, which previously led to the breach of hundreds of thousands of payment cards in 2017, has been targeted once again. This time it was part of a breach involving eight cities in August.
The hack targets a flaw in Click2Gov software, which powers the self-service bill-paying portals that utilities and community development organizations use for things such as paying parking tickets online. The flaw was first discovered in December 2018, after continual breaches of it led to the compromise of at least 294,929 payment cards across the country.
Now, cybercriminals appear to be taking aim again at the software. Researchers with Gemini Advisory warned in a new advisory that starting in August 2019, over 20,000 records from eight cities in five different states have been offered for sale online via illicit markets. So far the impacted towns include: Deerfield Beach, Fla.; Palm Bay, Fla.; Milton, Fla.; Coral Springs, Fla.; Bakersfield, Calif.; Pocatello, Idaho; Broken Arrow, Okla.; and Ames, Iowa.
“Analysts confirmed that many of the affected towns were operating patched and up-to-date Click2Gov systems but were affected nonetheless,” according to Gemini Advisory in a Thursday analysis. “Given the success of the first campaign, which generated over $1.9 million in illicit revenue, the threat actors would likely have both the motive and the budget to conduct a second Click2Gov campaign.”
Click2Gov is a popular software solution used by local governments for receiving parking tickets or taxes. The software was developed by Superion, which has since merged with other companies to form CentralSquare Technologies, founded in July 2018.
Vulnerability intelligence company Risk Based Security recorded between 600 and 6,000 installations of Click2Gov, providing a vast threat surface.
The previous 2018 attack was rooted in a compromised Click2Gov webserver, said FireEye in a report. An attacker was able to install a web shell, SJavaWebManage, and then upload a tool that allowed them to parse log files, retrieve payment card information and remove all log entries.
Superion’s CEO said (in a since-removed 2018 statement) that the company had taken mitigating actions and deployed patches. Even so, “Superion acknowledged directly to Gemini Advisory that despite broad patch deployment the system remains vulnerable for an unknown reason,” Gemini researchers said in 2018.
Now, in August 2019, hackers are hitting the same target twice, and “the portal remains a viable attack surface,” researchers said. Of the eight cities impacted by this most recent breach, six already had systems that were compromised in the original breach.
“These eight cities were in five states, but cardholders in all 50 states were affected,” researchers said. “Some of these victims resided in different states but remotely transacted with the Click2Gov portal in affected cities, potentially due to past travels or to owning property in those cities.”
Researchers contacted the eight towns, and while most did not respond, those that did confirmed a breach in their Click2Gov utility payment portals. Also, several towns took their Click2Gov portals offline shortly after contact.
Researchers said that organizations must regularly monitor their systems for breaches and keep up to date on patches.
“The second wave of Click2Gov breaches indicates that despite patched systems, the portal remains vulnerable,” they said. “It demonstrates cybercriminals’ willingness to repeatedly target the same victims and underscores that while responsible security habits are constructive, there is no perfectly secure system.”
CentralSquare Technologies did not immediately respond to a request for comment from Threatpost.