[BreachExchange] Patched Click2Gov Flaw Still Afflicting Local Govs

Destry Winant destry at riskbasedsecurity.com
Thu Dec 20 23:04:36 EST 2018


https://threatpost.com/patched-click2gov-flaw-still-afflicting-local-govs/140109/

Local governments aren’t updating the vulnerable systems.

A vulnerability in a popular municipality payment software, Click2Gov,
has left hundreds of thousands of civilian payment cards compromised –
and the hacks are ongoing, a new report found.

Continual breaches of the vulnerable software have led to the
compromise of at least 294,929 payment cards across the country –
earning the criminals behind the breach at least $1.7 million, Gemini
Advisory said on Tuesday.

Making matters worse, the software was patched in 2017 – yet the
breaches are still continuing, in part due to municipalities that have
not updated, Stas Alforov, director of research and development at
Gemini Advisory, told Threatpost.

“Many municipalities are not doing their job of patching the systems
or keeping regular, system administrator tasks,” he said.

Click2Gov is a popular software solution used by local governments for
receiving parking tickets or taxes. The software was developed by
Superion, which has since merged with other companies to form a new
company called CentralSquare Technologies in July 2018. According to
Risk Based Security, there appear to be between 600 and 6,000
installations of Click2Gov indexed.

CentralSquare Technologies did not return a request for comment.

The breach stems back to 2017, when Superion first released a
statement confirming that malicious activity was detected on
customers’ computer networks.

Essentially, the attack was rooted in a compromised Click2Gov
webserver, said FireEye in a report. An attacker was able to install a
web shell, SJavaWebManage, and then upload a tool that allowed them to
parse log files, retrieve payment card information and remove all log
entries.

In a June 2018 statement on the matter, Superion said it had deployed
the necessary patch to its software. It added that it had assisted
customers in the application of patches related to a “third-party
component.”

“At this time, we have no evidence showing that it is unsafe to make
payments utilizing Click2Gov on hosted or secure on-premise networks
with recommended patches and configuration,” the company said.
“Superion does not control our customers’ networks, so we recommend
citizens contact their municipality or county if they have any
questions related to security.”

However, despite this patch, “Superion acknowledged directly to Gemini
Advisory that despite broad patch deployment the system remains
vulnerable for an unknown reason,” researchers said.

That could be because local governments have not updated their
systems, leaving them exposed to compromise. Another possibility is
that hackers have uncovered another, as yet undetected vulnerability
in the software, which has yet to be patched, Alforov told Threatpost.

Regardless, just in the past 30 days, researchers identified over
12,283 compromised payment cards associated with the Click2Gov breach.
Researchers were able to track these cards as they were uploaded for
sale on the Dark Web (with an average price of $10 per card).

Overall, there were 46 confirmed impacted local governments –
including Saint Petersburg, Florida (on October 2), Bakersfield,
California (November 14), and Ames, Iowa (December 2). The most
Click2Gov-related breach was of Pompano Beach, FL (yet to be disclosed
publicly), researchers said.

Alforov said that impacted municipalities should reach out to
CentralSquare for assistance:

“Users who are directed to pay through the Click2Gov system [should]
identify alternative means of making payments until the system threat
has been eliminated,” according to Gemini Advisory’s post. “Moreover,
all local municipalities that utilize the Click2Gov software should
confirm that the software is up-to-date and fully patched, and contact
CentralSquare immediately if assistance is needed. Gemini Advisory is
monitoring the development of the Click2Gov incident closely, and in
the case that new victims are identified, all clients will be notified
accordingly.”

