Five Cybersecurity Threats Affecting Businesses in February 2023
Cybersecurity threats are increasing rapidly. Already in 2023, threat actors and groups have introduced new tactics to target and steal organizations’ sensitive data. As a result, companies need to be more aware of potential deficiencies in their overall cybersecurity strategy. Threat hunt queries, offered as part of Marcum Technology’s SOC services, are key to identifying potential threats in an organization’s environment.
Below are the top five threats that emerged over the past month.
CircleCI Security Incident
CircleCI is a widely used continuous integration and deployment platform that recently suffered a major security incident. In the final days of December, CircleCI learned that a customer’s GitHub OAuth token had been compromised by an unauthorized third party. The investigation revealed that malware had been deployed to a CircleCI engineer’s laptop. The malware evaded the antivirus software in place and stole a valid, MFA-backed SSO session via cookie theft, which let the attackers impersonate the engineer and reach a subset of production systems. The exact malware and the tactics used for this initial access are not currently known.
On December 22, the attacker used that access to generate production access tokens and retrieve customer environment variables, tokens, and keys; encryption keys extracted from a running process allowed this data to be decrypted. CircleCI reports that this was the last unauthorized activity observed in its systems, and on January 4 it took a variety of remediation steps to lock down access and rotate secrets. Although the initial disclosures were vague, there is now a relatively comprehensive list of indicators of compromise (IOCs): IP addresses, data centers and VPN providers, malicious files, domains, and GitHub audit log actions associated with the attack. We can use these identifiers to threat hunt in your organization’s environment and determine whether you were affected. Note that CircleCI’s own guidance was to rotate every secret stored on the platform at the time regardless of what such a hunt finds, because a negative result only shows that the published indicators were not seen.
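The hunt described above, as an added example rather than anything from Marcum’s SOC tooling or CircleCI’s advisory: a Python script that runs a GitHub organization audit log export against IOC lists and also looks for the bulk-download pattern (many repository archive downloads or clones by one identity in a short window) that token theft tends to produce. The field names follow a GitHub audit log export (`@timestamp`, `action`, `actor`, `actor_ip`, `repo`); the events are constructed, and the attacker IP, trusted network, and action names are placeholders to be replaced with the published indicators and your own egress ranges.

```python
"""Hunt a GitHub audit log export for IOC matches and bulk repository downloads.

Added example. The audit events below are constructed, and the IOC values are
placeholders standing in for the indicators published in the vendor advisory.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

IOC_IPS = {"203.0.113.77"}                      # placeholder attacker egress IP (TEST-NET-3)
TRUSTED_NETS = [ip_network("198.51.100.0/24")]  # assumed corporate / CI runner egress range
SUSPECT_ACTIONS = {"repo.download_zip", "git.clone"}  # audit actions that move source out
BURST_COUNT = 3                                 # this many suspect actions by one actor...
BURST_WINDOW = timedelta(minutes=10)            # ...inside this window counts as bulk download

# Constructed sample export: one JSON object per line, GitHub audit log field names.
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1671685200000, "action": "git.clone", "actor": "alice", "actor_ip": "198.51.100.10", "repo": "acme/api"}
{"@timestamp": 1671685260000, "action": "repo.download_zip", "actor": "ci-bot", "actor_ip": "203.0.113.77", "repo": "acme/api"}
{"@timestamp": 1671685320000, "action": "repo.download_zip", "actor": "ci-bot", "actor_ip": "203.0.113.77", "repo": "acme/web"}
{"@timestamp": 1671685380000, "action": "repo.download_zip", "actor": "ci-bot", "actor_ip": "203.0.113.77", "repo": "acme/infra"}
{"@timestamp": 1671685440000, "action": "git.clone", "actor": "bob", "actor_ip": "192.0.2.5", "repo": "acme/docs"}
{"@timestamp": 1671690000000, "action": "org.update_member", "actor": "alice", "actor_ip": "198.51.100.10"}
"""


def parse_events(text):
    """Parse JSON-lines audit events; GitHub timestamps are milliseconds since epoch."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)
        events.append(ev)
    return events


def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def hunt(events):
    """Return (finding_type, actor, detail, repo) tuples for every suspicious event."""
    findings = []
    suspect_times = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev.get("actor_ip")
        if ip in IOC_IPS:
            findings.append(("ioc_ip", ev["actor"], ev["action"], ev.get("repo")))
        if ev["action"] in SUSPECT_ACTIONS:
            if ip and not is_trusted(ip):
                findings.append(("untrusted_source", ev["actor"], ev["action"], ev.get("repo")))
            suspect_times[ev["actor"]].append(ev["ts"])
    # Sliding window over each actor's suspect actions, sorted by time above.
    for actor, times in suspect_times.items():
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                findings.append(("bulk_download", actor, BURST_COUNT, None))
                break
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_events(SAMPLE_AUDIT_LOG)):
        print(finding)
```

The untrusted-source rule is the one that needs local tuning: a machine identity such as the `ci-bot` above should only ever clone from your CI provider’s published egress ranges, so anything else for that actor is worth a ticket even when the IP is not on the IOC list.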
NetSupport RAT Disguised as a Pokemon Game
NetSupport Manager is a legitimate, Windows-centric but cross-platform remote control and systems management tool: from a Windows or Windows Mobile device an operator can control other Windows, Mac, Linux, Solaris, and mobile endpoints. Out of the box it offers remote screen control plus system-control features such as screen capture, clipboard sharing, collection of web history, file management, and command execution.
Threat actors increasingly abuse NetSupport Manager to gain control of victims’ assets, distributing the client through spam emails or phishing pages disguised as downloads for other programs. Unlike purpose-built backdoors and RATs (remote access trojans), which are mostly driven from a command line, legitimate remote control and remote admin tools offer a GUI because it is easy to use, and that convenience works for the attacker as well.
Recently, a phishing page posing as a download page for a Pokemon card game has been tricking victims into installing NetSupport Manager, dubbed “NetSupport RAT” when abused in this manner. A disguised icon and spoofed version information make the installer look like the game. NetSupport RAT has also been distributed through spam emails disguised as invoices, shipment documents, and purchase orders; this campaign differs in presenting the malware as a game. With the RAT installed, the attacker has near-total control of the user’s system and can use any of the capabilities above or install additional malware. To avoid this type of compromise, users should purchase or download software only from official websites and refrain from opening attachments in suspicious emails.
CryptBot Infostealer Spreading via Cracked Software
Last November, SentinelOne reported that the CryptBot information stealer, active since 2019, was again spreading via cracked software. Software cracking is the illicit modification of software to remove, unlock, modify, or deactivate features so that premium functionality can be used without purchasing a license. Cracks typically supply stolen or generated serial numbers, extend trial periods, or allow the same serial number to be reused.
CryptBot’s operators use popular search keywords to spin up malicious websites masquerading as crack download sites. When visitors click the “download” button on these pages, they are routed to the malware distribution page. While the lure varies, the download is consistently a password-protected ZIP archive; the password prevents inline scanning of the archive contents, and the CryptBot binary inside is deliberately large, because many antivirus products skip or fail to scan files above a size threshold.
This newer version has had its anti-sandbox routine removed, leaving only an anti-VM check on the CPU core count. The redundant second C2 connection and second exfiltration folder were also removed, so the variant uses a single info-stealing C2. The previous version could only exfiltrate data from Google Chrome versions 81 to 95; Chrome 96, released in November 2021, introduced changes that defeated that collection, but CryptBot has since added the ability to search for user data across all file paths regardless of the Chrome version.
Once installed, the malware steals personal data from web browsers, antivirus software, and cryptocurrency wallets. A Twitter search for “#CryptBot” shows it was the most-seen malware on abuse.ch as of January 18, 2023, with over 500 IOCs submitted.
IcedID Distributed via Google Pay-Per-Click Ads
A burst of malicious activity was observed in the new year as IcedID was distributed via Google pay-per-click (PPC) ads. Google’s PPC program lets businesses display their advertised products to the broad audience browsing Google; by bidding on the keywords users search for, the attackers get malicious ads placed above the organic results, and users who click them are taken to a site that serves the malware. Cloned web pages of legitimate companies and applications were the lure of choice for IcedID distributors.
The infection chain begins with the fake installer; rundll32.exe then runs the IcedID loader, which retrieves its C2 address, after which the IcedID bot is executed and C2 communication begins. The third stage is payload delivery. In the latest campaign the user has to download and run a .msi file, an uncommon format for this kind of lure, but one that works given the context in which the user finds it: on what appears to be the official website of software the user believes is legitimate. The targeted applications range from Discord to Brave, Adobe applications, TeamViewer, and Slack.
While phishing emails remain a common vector for malware distribution, end users must also exercise extreme care when browsing, because malware distribution is no longer confined to the classic flashing “VIRUS ALERT” banners. A very legitimate-looking website reached from another perfectly legitimate site, such as a search results page, can harbor dangerous malware. Users must remain vigilant in this environment.
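The rundll32.exe step in the chain above is the most detectable part of it, because a DLL loaded by rundll32.exe from a user-writable directory, or handed to rundll32.exe by an installer rather than by an installed application, is rare in a managed fleet. The following Python detection is an added example, not from the campaign report or from Marcum’s SOC content: it runs over constructed process-creation events with Sysmon Event ID 1 style field names (`Image`, `CommandLine`, `ParentImage`). The directory lists, the msiexec.exe parent relationship (the page only says the lure is an .msi) and the file names are assumptions.

```python
"""Flag rundll32.exe loading a DLL from a user-writable path or on behalf of an installer.

Added example over constructed Sysmon-style process-creation events; the path
heuristics and the msiexec.exe parent relationship are assumptions.
"""
import re

# Directories a standard user can write to (assumed heuristics, not exhaustive).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\"
    r"|programdata\\|windows\\temp\\|temp\\)",
    re.IGNORECASE,
)
# Locations where a properly installed DLL is expected to live.
SYSTEM_DIRS = re.compile(r"^[a-z]:\\(?:windows\\|program files(?: \(x86\))?\\)", re.IGNORECASE)
# "rundll32.exe <dll>,<export> [args]" with the image quoted or bare.
RUNDLL32_CMD = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+(.*)$', re.IGNORECASE
)

# Constructed events: one benign control-panel launch, two loader-like loads, one msiexec run.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\jdoe\AppData\Local\Temp\MSI7F3A.tmp\libcurl.dll",init',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\jdoe\Downloads\Adobe\plugin.dat,#1",
     "ParentImage": r"C:\Users\jdoe\Downloads\AdobeSetup.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\jdoe\Downloads\slack-setup.msi"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def dll_from_cmdline(cmdline):
    """Return the module path rundll32 was asked to load, or None if not a rundll32 call."""
    m = RUNDLL32_CMD.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end == -1:
            return None
        target = rest[1:end]
    else:
        target = rest.split()[0] if rest else ""
    target = target.split(",", 1)[0]  # drop the ",ExportName" suffix
    return target or None


def classify(event):
    """Return a list of reasons the event is suspicious, or None if it looks benign."""
    if not event.get("Image", "").lower().endswith("\\rundll32.exe"):
        return None
    dll = dll_from_cmdline(event.get("CommandLine", ""))
    if dll is None:
        return None
    parent = event.get("ParentImage", "").lower()
    reasons = []
    if USER_WRITABLE.search(dll):
        reasons.append("dll_in_user_writable_path")
    if parent.endswith("\\msiexec.exe") and not SYSTEM_DIRS.search(dll):
        reasons.append("spawned_by_installer")
    if not dll.lower().endswith(".dll"):
        reasons.append("non_dll_extension")  # loaders are often shipped with a disguised extension
    return reasons or None


def hunt(events):
    """Return (command line, reasons) for every suspicious rundll32 event."""
    return [(ev["CommandLine"], r) for ev in events if (r := classify(ev))]


if __name__ == "__main__":
    for cmdline, reasons in hunt(SAMPLE_EVENTS):
        print(reasons, cmdline)
```

The benign first event passes because bare module names such as shell32.dll resolve from the system search path; if your environment has installers that legitimately invoke rundll32.exe on their own DLLs from the temp directory, tune the installer rule by parent signer or install location rather than dropping it.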
Rhadamanthys Stealer Spread via Google Ads and Phishing
Another campaign is using Google ads to lure unsuspecting users into downloading the Rhadamanthys Stealer posing as legitimate software. Rhadamanthys is sold under a malware-as-a-service (MaaS) model, which has gained prevalence recently. The software imitated ranges from BlueStacks to Zoom and AnyDesk. In one observed case, searching for Notepad++ returns an ad whose link leads to a fake download site. The site appears legitimate but is hosted on “hasankahrimanoglu[.]com[.]tr.” The downloaded archive unzips to “Noteppad_SettupX32iX64.exe,” which is the Rhadamanthys Stealer; the doubled letters in the file name are a typical tell of a lookalike.
Rhadamanthys is also delivered via spam emails with PDF attachments claiming to be legitimate financial statements. These lures are relatively convincing as phishing emails go: opening the PDF prompts the user to update Adobe Reader, and the download button actually fetches a malicious executable from https[:]//zolotayavitrina[.]com/Jan-statement[.]exe, which delivers the payload. The stealer lifts passwords, browsing history, and email addresses, targets cryptocurrency wallet credentials and other information, then packages the data and sends it to its C2 server.
To mitigate the risk presented by these delivery mechanisms, organizations should centrally manage software distribution to users. Where that is not possible, leaders should train users to download software only from the application’s official website or legitimate vendors, to check the address bar against the vendor’s real domain before downloading (a sponsored result is not the vendor’s site just because it appears at the top of the search), and to avoid pirated software from unofficial sources. Filtering or blocking search engine ads at the browser or DNS layer removes this entire delivery path.
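The “official website only” rule from this section and the lookalike file name from the Notepad++ case can be turned into a triage check for download telemetry, for example against a proxy log or a user-reported link. The Python below is an added example, not the campaign researchers’ or Marcum’s code: it refangs the defanged notation used in reports, compares the download host against a constructed allowlist of official vendor domains, and looks for file names that imitate a known product (substring match or small edit distance). The allowlist contents and the distance threshold are assumptions to adjust for your own software catalog.

```python
"""Triage a download URL and file name against an official-vendor allowlist.

Added example; the allowlist and thresholds are assumptions, and the sample
downloads are taken from the indicators quoted in the text plus constructed ones.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: product keyword -> the vendor's official download domain (assumed).
OFFICIAL_DOMAINS = {
    "notepad": "notepad-plus-plus.org",
    "zoom": "zoom.us",
    "anydesk": "anydesk.com",
    "bluestacks": "bluestacks.com",
}


def refang(text):
    """Undo the defanging conventions used in threat reports (hxxp, [:], [.])."""
    return text.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def hostname(url):
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def official_vendor(host):
    """Return the product whose official domain serves this host, or None."""
    for product, domain in OFFICIAL_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return product
    return None


def levenshtein(a, b):
    """Edit distance, used to catch misspellings such as 'Noteppad'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_product(filename):
    """Return the product a file name appears to imitate, or None."""
    stem = filename.rsplit(".", 1)[0] if "." in filename else filename
    letters_only = re.sub(r"[^a-z]+", " ", stem.lower())
    tokens = letters_only.split()
    compact = letters_only.replace(" ", "")
    for product in OFFICIAL_DOMAINS:
        if product in compact:
            return product
        limit = max(1, len(product) // 4)  # allowed edits scale with name length
        for tok in tokens:
            if abs(len(tok) - len(product)) <= limit and levenshtein(tok, product) <= limit:
                return product
    return None


def assess_download(url, filename):
    """Classify as official, impersonation (lookalike name off-domain), or untrusted."""
    vendor = official_vendor(hostname(url))
    if vendor:
        return ("official", vendor)
    impersonated = lookalike_product(filename)
    if impersonated:
        return ("impersonation", impersonated)
    return ("untrusted", None)


# First three are the indicators quoted in the text; the last one is constructed.
SAMPLE_DOWNLOADS = [
    ("hxxps://hasankahrimanoglu[.]com[.]tr/download", "Noteppad_SettupX32iX64.exe"),
    ("https://notepad-plus-plus.org/downloads/v8.4.8/", "npp.8.4.8.Installer.x64.exe"),
    ("https[:]//zolotayavitrina[.]com/Jan-statement[.]exe", "Jan-statement.exe"),
    ("https://zoom-us-download.example/client", "ZoomInstallerFull.exe"),
]

if __name__ == "__main__":
    for url, name in SAMPLE_DOWNLOADS:
        print(assess_download(url, name), url, name)
```

The domain check deliberately accepts subdomains of the official domain (a vendor’s CDN) but not domains that merely contain the product name, which is exactly the distinction the fake Notepad++ site relied on users not making. The substring rule will over-trigger on names that happen to contain a short product word, so treat “impersonation” as a triage priority, not a verdict.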