GoDaddy gets breached in a multi-year campaign

SISA Weekly Threat Watch - 06 March 2023

Security researchers have observed that attackers are constantly improving their malware and taking advantage of new and old unpatched vulnerabilities across a range of platforms. Organizations often struggle to identify this upgraded malware and these infiltration methods. Researchers have noted indications of numerous ongoing evasive threat campaigns that have affected servers and systems globally over the past week.

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.

1. PureCrypter targets government entities through Discord

An unknown threat actor has been running an evasive threat campaign, spread via Discord, that uses the PureCrypter downloader and targets government entities. The victim receives an email containing a Discord app URL that points to a PureCrypter sample inside a password-protected ZIP file. On execution, the sample retrieves the next-stage payload from a command-and-control server, in this case a compromised server belonging to a non-profit organization. According to the researchers, the observed PureCrypter campaign targeted multiple government organizations in the Asia-Pacific (APAC) and North America regions.

The campaign was found to have delivered several malware families, including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware. The sample analyzed was AgentTesla, which on launch establishes a connection to a Pakistan-based FTP server used to receive the stolen data. The threat actors used leaked credentials to take control of that FTP server. It is recommended to avoid clicking on links or attachments from untrusted email sources. Additionally, employ tools with behavior-based detection capabilities that detect process injection from the common sequences of behavior that occur during the injection process.

2. GoDaddy: Hackers steal source code, install malware in multi-year breach

GoDaddy, a major provider of web hosting services, reported that a multi-year attack on its cPanel shared hosting environment culminated in a breach in which unknown attackers took source code and placed malware on its servers. Attackers can compromise a company’s web presence without directly changing the content stored on its servers by gaining access to the web redirection settings: the data on the server itself stays intact while client requests are quietly diverted to content hosted elsewhere.

According to the company, this multi-year campaign is also connected to earlier breaches disclosed in November 2021 and March 2020. After the March 2020 incident, GoDaddy informed 28,000 customers that an attacker had used their web hosting account credentials to connect to their hosting accounts over SSH in October 2019. The attackers appear to be infecting websites and servers with malware to carry out phishing schemes, malware distribution and other criminal activity. To secure a website, it is recommended to use SSL/TLS certificates, strong passwords with multi-factor authentication (MFA), daily security scans, offsite backups and restricted subdirectory access.

3. Microsoft urges Exchange admins to remove some antivirus exclusions

Microsoft has advised removing some previously recommended antivirus exclusions for Exchange servers to improve the servers’ security. As Microsoft highlights, keeping these exclusions may prevent detection of Internet Information Services (IIS) webshells and backdoor modules, which are the most common security issues seen on these servers. Microsoft validated that removing these process and folder exclusions does not affect performance or stability when using Microsoft Defender on Exchange Server 2019 running the latest Exchange Server updates.

This follows threat actors using malicious IIS web server extensions and modules to backdoor unpatched Microsoft Exchange servers worldwide. It is recommended to always run the Exchange Server Health Checker script after deploying updates, to detect common configuration issues or other problems that can be fixed with a simple environment configuration change.
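An added PowerShell example, not from the advisory or from Microsoft, that lists the Defender exclusions on an Exchange server covering IIS or PowerShell so they can be reviewed and removed; the path patterns and process names it flags are assumptions to compare against Microsoft's current guidance, and it assumes the Defender cmdlets are available.

```powershell
# Added example (not from SISA or Microsoft): audit Microsoft Defender exclusions on an
# Exchange server and report those that shield IIS or PowerShell, the locations where IIS
# webshells and backdoor modules execute. Assumes the Defender cmdlets (Get-MpPreference)
# are available. The patterns below are an assumption; compare with Microsoft's current list.
$riskyPathPatterns = @(
    '\\System32\\Inetsrv',          # IIS binaries, modules and configuration
    '\\WindowsPowerShell\\v1\.0'    # Windows PowerShell engine used by Exchange
)
$riskyProcessNames = @('w3wp.exe', 'powershell.exe')   # IIS worker process, PowerShell host

function Get-RiskyDefenderExclusion {
    $pref = Get-MpPreference
    $findings = @()

    # Folder exclusions: anything under IIS or the PowerShell engine directory
    foreach ($path in @($pref.ExclusionPath | Where-Object { $_ })) {
        foreach ($pattern in $riskyPathPatterns) {
            if ($path -match $pattern) {
                $findings += [pscustomobject]@{
                    Type   = 'Path'
                    Value  = $path
                    Reason = "matches $pattern"
                }
            }
        }
    }

    # Process exclusions: files touched by an excluded process are not scanned in real
    # time, so an excluded w3wp.exe lets a dropped webshell go unnoticed
    foreach ($proc in @($pref.ExclusionProcess | Where-Object { $_ })) {
        if ($riskyProcessNames -contains (Split-Path -Leaf $proc)) {
            $findings += [pscustomobject]@{
                Type   = 'Process'
                Value  = $proc
                Reason = 'IIS or PowerShell process excluded from scanning'
            }
        }
    }
    return $findings
}

$findings = @(Get-RiskyDefenderExclusion)
if ($findings.Count -eq 0) {
    Write-Output 'No IIS or PowerShell exclusions configured.'
} else {
    $findings | Format-Table -AutoSize
    # After review, remove each finding with the matching cmdlet, for example:
    # Remove-MpPreference -ExclusionPath    $findings[0].Value
    # Remove-MpPreference -ExclusionProcess $findings[0].Value
}
```

Run it again after the Health Checker script, since both should come back clean once the exclusions are gone.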

4. Hackers use trojanized macOS apps to deploy evasive cryptocurrency mining malware

Evasive cryptocurrency mining malware is being distributed to macOS systems through trojanized copies of trustworthy applications. The malware uses the Invisible Internet Project (i2p) to download its malicious components and to deliver mined bitcoin to the attacker’s wallet. An earlier variant also used i2p to mask its network activity, and researchers hypothesised that it may have been distributed as a DMG file for Adobe Photoshop CC 2019.

This distribution method has been highly effective for many years because the malware slips past security measures and because users running cracked software are themselves participating in illegal activity and are unlikely to report it. Apple, however, has taken measures to fight such misuse by requiring more thorough Gatekeeper checks for notarized programmes in macOS Sierra, which prevents altered apps from being launched. All macOS users are strongly advised not to download or use pirated apps that claim to be authentic apps at a heavily discounted rate.

5. PlugX RAT masquerades as legit Windows debugger to slip past security

Cybercriminals are disguising the PlugX remote access trojan as a legitimate open-source Windows debugging tool (x64dbg) to evade detection and compromise systems. PlugX, also known as Korplug, is a modular post-exploitation implant that lets an attacker obtain unauthorized access to a system, steal sensitive data and use the compromised machine for malicious purposes. The malware employs a technique called DLL side-loading, in which a digitally signed, legitimate application is made to load a malicious DLL placed alongside it.

The valid digital signature on x32dbg.exe can confuse some security tools, enabling adversaries to stay under the radar, maintain persistence, escalate privileges and bypass file execution restrictions. In this campaign x32dbg.exe was used to deploy a backdoor, a UDP shell client that collects system information and awaits further instructions from a remote server. It is advised to allow or whitelist only known and trusted applications to run on the system while blocking any suspicious or unknown ones. Monitor and control the execution of applications and their dependencies, including DLLs, to detect and prevent malicious activity.
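An added PowerShell example, not from the advisory or the x64dbg project, that puts the DLL monitoring recommendation into a one-off triage scan: for every validly signed executable under a root it reports neighbouring DLLs that are unsigned or signed by a different subject, the layout a side-loaded PlugX DLL next to x32dbg.exe would produce. The root path and function name are assumptions.

```powershell
# Added example (not from the advisory or the x64dbg project): triage for DLL side-loading.
# For every validly signed .exe under a root, list DLLs in the same directory that are
# unsigned or signed by a different subject than the executable. A trusted signed host
# beside a foreign DLL is the layout the PlugX/x32dbg case relies on. Root path and
# function name are assumptions; expect false positives from legitimate third-party DLLs.
function Find-SideLoadCandidate {
    param([string]$Root = 'C:\Users')

    Get-ChildItem -Path $Root -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $exe = $_
        $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
        # Only a validly signed host can lend its trust to a side-loaded DLL
        if ($exeSig.Status -ne 'Valid') { return }
        $exeSigner = $exeSig.SignerCertificate.Subject

        Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dllSig = Get-AuthenticodeSignature -FilePath $_.FullName
            $dllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '' }
            # Flag an unsigned DLL, or one whose signer differs from the host executable's
            if ($dllSig.Status -ne 'Valid' -or $dllSigner -ne $exeSigner) {
                [pscustomobject]@{
                    Executable = $exe.FullName
                    ExeSigner  = $exeSigner
                    Dll        = $_.FullName
                    DllStatus  = $dllSig.Status
                    DllSigner  = $dllSigner
                }
            }
        }
    }
}

# Review the output; unsigned DLLs beside a signed debugger, updater or installer go first
Find-SideLoadCandidate -Root 'C:\Users' | Format-Table -AutoSize
```

For continuous coverage rather than a one-off scan, Sysmon event ID 7 (image loaded) records the same Signed and SignatureStatus fields for every DLL a process loads.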

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
