Researchers have found criminal hackers employing a new technique to steal data. This server-side data exfiltration technique executes by exploiting the Telegram API. This attack is active in the wild, hence, requires every website owner to remain vigilant.
Telegram API For Data Exfiltration
Security researchers from Sucuri have shared insights of a different data exfiltration strategy active in the wild.
As elaborated in their post, the new technique involves the use of the Telegram API to steal data from websites.
Briefly, the technique relies on code injection, where the code directly transmits the target data from the infected site to the attackers via a private message to their bot.
The researchers caught the malicious code running on the login page (wp-login.php) of a WordPress website. This placement allowed the attackers to steal the users’ credentials directly. In the case of admins, such data theft directly leads to website takeover.
As observed, the attackers initially had commanded the code to store data to a .txt file. Yet, they later modified the code to include data transmission to the Telegram bot.
“The attacker uses file_get_contents to make their remote request to Telegram’s API URL, allowing them to transmit the stolen data without leaving much evidence of the exfiltration on the server. Adding this feature also allows the attacker to access the stolen data in real-time, instead of having to check a text file for any captured information.
While the attack possesses great ability to execute stealthily, still, website owners can prevent such attacks by vigilance. By protecting the websites with a web application firewall and employing all basic security measures, website owners can significantly prevent the attackers from injecting malicious codes into their sites.
Though, these measures do not warrant 100% security since the attackers continue to improvise their attack strategies. Yet, site admins can do their best to prevent all possible cyber threats in the first place. Preventing cyberattacks is always easy (and convenient) than remediating them post-infection.