November 20, 2018 - Anomali Threat Research

Weekly Threat Briefing: Russian APT Comes Back to Life with New US Spear-phishing Campaign

<div id="weekly"><p id="intro">The intelligence in this week's iteration discusses the following threats: <strong>APT29, Cryptominers, Data breaches, MageCart, Malware, Misconfigured Docker, Phishing, Remote access trojans, Targeted attacks, and Vulnerabilities</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.tripwire.com/state-of-security/security-awareness/fraudsters-targeting-uk-university-students-with-fake-tax-refund-emails/" target="_blank"><b>Fraudsters Targeting UK University Students with Fake Tax Refund Emails</b></a> (<i>November 19, 2018</i>)<br/> In October and November 2018, UK university students were targeted by threat actors posing as Her Majesty's Revenue and Customs (HMRC) in an attempt to steal money from them. The threat actors sent emails to thousands of students from accounts that appeared to be legitimate university or government correspondence, informing them of a supposed tax refund. The email contained a link to a site that claimed to confirm the student's banking and personal details so the refund could be paid, but that actually harvested the credentials entered. It is unclear how many students, if any, fell for the scam, or how much money was lost.
The universities targeted include: Aberdeen, Bristol, Cambridge, Durham, Imperial College London, King's College London, Manchester Metropolitan, Newcastle, Nottingham, Plymouth, Queen Mary in London, Queen's University in Belfast, Southampton, Sussex, University College London, and Warwick.<br/> <a href="https://forum.anomali.com/t/fraudsters-targeting-uk-university-students-with-fake-tax-refund-emails/3214" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.zdnet.com/article/russian-apt-comes-back-to-life-with-new-us-spear-phishing-campaign/" target="_blank"><b>Russian APT Comes Back to Life with New US Spear-phishing Campaign</b></a> (<i>November 16, 2018</i>)<br/> Researchers from CrowdStrike have discovered a recent spear phishing campaign by the Russian Advanced Persistent Threat (APT) group APT29 (also known as CozyBear, PowerDuke, and The Dukes) targeting US government institutions and private organisations. The campaign is believed to have begun on November 14, 2018, with spear phishing emails pretending to come from an official within the US State Department and containing links to legitimate but compromised websites. The campaign surprised researchers because APT29 had been quiet for over a year, following attacks on members of the Norwegian and Dutch governments in 2017.
The group is infamous for its hack of the Democratic National Committee (DNC) shortly before the 2016 US presidential election.<br/> <a href="https://forum.anomali.com/t/russian-apt-comes-back-to-life-with-new-us-spear-phishing-campaign/3215" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link (T1192)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/misconfigured-docker-services-actively-exploited-in-cryptojacking-operation/" target="_blank"><b>Misconfigured Docker Services Actively Exploited in Cryptojacking Operation</b></a> (<i>November 15, 2018</i>)<br/> Researchers at Juniper Networks have observed misconfigured Docker services giving threat actors unauthorised access to Docker containers, in which the actors then install their own Monero cryptocurrency miners. The default TCP ports 2375 and 2376, used to reach the Docker daemon remotely via its REST management API, were left open to unencrypted and unauthenticated communication. The Monero miners spread automatically using scripts and utilities already present on the target machine, a technique known as "living off the land."
Threat actors have been observed using a "MoneroOcean" mining script that is publicly available on GitHub.<br/> <a href="https://forum.anomali.com/t/misconfigured-docker-services-actively-exploited-in-cryptojacking-operation/3216" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns" target="_blank"><b>tRat: New Modular RAT Appears in Multiple Email Campaigns</b></a> (<i>November 15, 2018</i>)<br/> Proofpoint researchers have discovered a phishing email campaign by the threat group "TA505" that used several different lures to deliver malicious Word documents to targets. The first campaign, observed on September 27, 2018, purported to deliver documents from the cyber security company Norton by Symantec. The email suggested that the company was securely sharing files with the user, and the embedded image and document asked the recipient to enable macros. If macros were enabled, the malware dubbed "tRat" was installed on the machine. A related campaign, which appears to have run on September 29, 2018, pretended to be from TripAdvisor and displayed a fake video; clicking the loading circle installed tRat. On October 11, 2018, researchers observed TA505 running a campaign that used both Microsoft Word and Publisher documents to phish commercial banking institutions and install tRat on their machines.
The emails pertained to "invoice" documents and required macros to be enabled to view the document.<br/> <a href="https://forum.anomali.com/t/trat-new-modular-rat-appears-in-multiple-email-campaigns/3217" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link (T1192)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&amp;CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port (T1043)</a></p><p><a href="https://www.netformation.com/our-pov/mylobot-continues-global-infections/" target="_blank"><b>Mylobot Continues Global Infections</b></a> (<i>November 14, 2018</i>)<br/> The sophisticated botnet "Mylobot" has been actively infecting machines and downloading the information-stealing malware "Khalesi," according to CenturyLink Threat Research. Mylobot queries various domains that appear to be hardcoded into the malware, generating random names that end in the Top-Level Domains (TLDs) ".ru", ".net", and ".com". The botnet attempts to resolve 43 subdomains; if one resolves to an IP address, it tries to connect to that IP on the port hardcoded alongside that domain. If the connection succeeds, Mylobot queries the Command and Control (C2) server for the Khalesi downloader. Mylobot is highly evasive: it remains dormant on a system for fourteen days before contacting the C2, in order to outlast sandbox environments and avoid detection.
It also contains sophisticated anti-virtual machine and other anti-sandboxing techniques.<br/> <a href="https://forum.anomali.com/t/mylobot-continues-global-infections/3218" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.zdnet.com/article/card-skimming-malware-removed-from-infowars-online-store/" target="_blank"><b>Card Skimming Malware Removed from Infowars Online Store</b></a> (<i>November 14, 2018</i>)<br/> Independent security researcher Willem de Groot discovered MageCart payment skimming malware on Infowars' website. His vulnerability and infection scanner detected the infection on November 12, 2018; it had been active for approximately 24 hours before Infowars became aware of it. The company stated that fewer than 1,600 customers were affected and that, because many of those were re-orders, their card details would not have been compromised.<br/> <a href="https://forum.anomali.com/t/card-skimming-malware-removed-from-infowars-online-store/3219" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a></p><p><a href="https://blog.eset.ie/2018/11/14/attackers-exploit-flaw-in-gdpr-themed-wordpress-plugin-to-hijack-websites/" target="_blank"><b>Attackers Exploit Flaw in GDPR-themed WordPress Plugin to Hijack Websites</b></a> (<i>November 14, 2018</i>)<br/> Threat actors have been observed exploiting a privilege escalation vulnerability in a WordPress plugin for European Union General Data Protection Regulation (GDPR) compliance, according to the company Defiant. The vulnerability allowed threat actors to commandeer websites in one of two ways. The first abuses the user registration system of a vulnerable site to create a new administrative account. The threat actor can then cover their tracks by reverting the settings changes that granted the initial access and disabling user registration, which also keeps other threat actors from entering through the same vulnerability. The threat actor then has unrestricted access to the website and can install backdoors. The second, more covert method uses the vulnerability to modify the WordPress task scheduler so that malicious scheduled tasks establish persistent backdoors. The vulnerability appears to have been exploited by various threat actors for three weeks before being discovered and patched on November 7, 2018.<br/> <a href="https://forum.anomali.com/t/attackers-exploit-flaw-in-gdpr-themed-wordpress-plugin-to-hijack-websites/3220" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.ensilo.com/darkgate-malware" target="_blank"><b>Enter the DarkGate: New Cryptocurrency Mining and Ransomware Campaign</b></a> (<i>November 13, 2018</i>)<br/> enSilo researcher Adi Zeligson discovered a new, highly sophisticated malware campaign dubbed "DarkGate."
The campaign targets Windows users in Spain and France, spreads through torrent files, and is capable of installing cryptominers, stealing cryptocurrency credentials, dropping ransomware, and remotely controlling the infected machine. The initial attack vector is one of two methods: torrent files posing as a popular movie or television series that execute VBScript, or phishing emails with a malicious attachment posing as a failed delivery notice. The malware is highly evasive: it uses detection evasion techniques such as process hollowing, hides its Command and Control (C2) infrastructure in the Domain Name Service (DNS) records of legitimate services, evades antivirus software and the removal of its critical files by known recovery tools, and uses two distinct User Account Control (UAC) bypass techniques to escalate privileges. At the time of this article's publication it is unclear who is behind the campaign.<br/> <a href="https://forum.anomali.com/t/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign/3221" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information (T1027)</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&amp;CK] Registry Run Keys / Start Folder (T1060)</a> | <a href="https://ui.threatstream.com/ttp/947102">[MITRE ATT&amp;CK] Process Hollowing (T1093)</a> | <a href="https://ui.threatstream.com/ttp/947258">[MITRE ATT&amp;CK] Bypass User Account Control (T1088)</a></p><p><a href="https://threatpost.com/adobe-fixes-acrobat-and-reader-flaw-with-publicly-available-poc/139050/" target="_blank"><b>Adobe Fixes Acrobat and Reader Flaw with Publicly-Available PoC</b></a> (<i>November 13, 2018</i>)<br/> Adobe released patches for three vulnerabilities rated "important," including one in Adobe Acrobat and Reader, registered as "CVE-2018-15979," that exposes hashed passwords. The vulnerability could make a user's hashed NTLM password accessible to unauthorised parties: a threat actor could redirect the user to a malicious resource outside the organisation in order to obtain the NTLM authentication messages. Proof-of-Concept (PoC) code is publicly available, which makes exploitation in the wild likely. The other two patched vulnerabilities, registered as "CVE-2018-15978" and "CVE-2018-15980," have not been observed in the wild. CVE-2018-15978 is a vulnerability in Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 that could lead to inadvertent information disclosure. CVE-2018-15980 is a vulnerability in Photoshop CC 19.1.6.
All have been patched.<br/> <a href="https://forum.anomali.com/t/adobe-fixes-acrobat-and-reader-flaw-with-publicly-available-poc/3222" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/" target="_blank"><b>Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques</b></a> (<i>November 13, 2018</i>)<br/> Researchers from Recorded Future observed that a UK-based engineering company and a Cambodian freelance journalist were targeted in a spear phishing campaign conducted in July 2018 by the Advanced Persistent Threat (APT) group TEMP.Periscope. Recorded Future suspects that TEMP.Periscope reused publicly disclosed Tactics, Techniques, and Procedures (TTPs) of the Russian APT groups Dragonfly and APT28 to target the engineering company in an effort to obtain sensitive and proprietary technology and data. The spear phishing email was sent via Foxmail, an email client developed by a large internet service company in China. The email sent to the Cambodian journalist pretended to be from an Australian reporter who writes about Cambodian civil and social issues and asked the recipient to follow two links in the email. One link generated a Server Message Block (SMB) session to steal credentials for persistence, and the other created an outbound SMB connection to the APT's Command and Control (C2) server.
The content of the email targeting the unnamed UK engineering company was not discussed.<br/> <a href="https://forum.anomali.com/t/chinese-threat-actor-temp-periscope-targets-uk-based-engineering-company-using-russian-apt-techniques/3223" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link (T1192)</a> | <a href="https://ui.threatstream.com/ttp/947238">[MITRE ATT&amp;CK] Forced Authentication (T1187)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/microsoft-november-2018-patch-tuesday-fixes-12-critical-vulnerabilities/" target="_blank"><b>Microsoft November 2018 Patch Tuesday Fixes 12 Critical Vulnerabilities</b></a> (<i>November 13, 2018</i>)<br/> Microsoft released its November "Patch Tuesday" security updates, addressing 64 vulnerabilities, 12 of which are rated "critical" and the rest "important." A "critical" rating denotes the most dangerous class of vulnerability, where exploitation by a threat actor could allow remote command execution and full control of the system.
Eight of the 12 critical vulnerabilities relate to the Chakra Scripting Engine.<br/> <a href="https://forum.anomali.com/t/microsoft-november-2018-patch-tuesday-fixes-12-critical-vulnerabilities/3224" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://krebsonsecurity.com/2018/11/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/" target="_blank"><b>That Domain You Forgot to Renew? Yeah, it's Now Stealing Credit Cards</b></a> (<i>November 13, 2018</i>)<br/> In a joint report, Flashpoint and RiskIQ describe a growing trend of threat actors buying domains whose legitimate registration has expired. Threat actors look for domains that were previously used for small businesses, personal blogs, and similar sites, but that the original owners let lapse, and then purchase them. They then dress the domains up as genuine e-commerce sites offering heavily discounted products to attract traffic.
The checkout pages of these sites contain payment skimmers that steal payment information from unsuspecting users.<br/> <a href="https://forum.anomali.com/t/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/3225" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.theregister.co.uk/2018/11/12/pakistan_military_virus/" target="_blank"><b>Scare Force: Pakistan Military Hit by Operation Shaheen Malware</b></a> (<i>November 12, 2018</i>)<br/> The Pakistan Air Force, the Pakistani government, and Chinese military advisors in Pakistan have been targeted in a recent suspected state-sponsored campaign dubbed "Operation Shaheen," according to researchers at Cylance. The threat actors behind the campaign, named "White Company," are suspected of using phishing emails containing links to compromised websites or malicious Word attachments to implant Remote Access Trojans (RATs) on Air Force members' machines. The RATs install keyloggers and connect to the threat actor's Command and Control (C2). The phishing emails use military-related lures to give the target a sense of authenticity and urgency, increasing the likelihood that the email is opened. Once installed, the malware wraps its payloads in multiple packing layers to evade detection by antivirus products from Avast, AVG, Avira, BitDefender, ESET, Kaspersky, Quickheal, and Sophos.
It is still unclear to researchers who is behind the attack, since Pakistan is a focus of geopolitical interest for a variety of countries.<br/> <a href="https://forum.anomali.com/t/scare-force-pakistan-military-hit-by-operation-shaheen-malware/3226" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link (T1192)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/" target="_blank"><b>WebCobra Malware Uses Victims' Computers to Mine Cryptocurrency</b></a> (<i>November 12, 2018</i>)<br/> Researchers from McAfee Labs uncovered a new Russian malware dubbed "WebCobra" that exploits its victims' computing power to mine cryptocurrency. Infections have been observed mostly in Brazil, South Africa, and the US. WebCobra drops either a "Cryptonight" or a "Claymore's Zcash" miner, depending on the architecture of the machine it infects. Researchers suspect that the initial infection vector is users downloading software or applications that are actually Potentially Unwanted Program (PUP) installers, which in this instance drop cryptominers. The main installer checks the running environment of the targeted machine: on x86 32-bit systems it installs the Cryptonight mining code, and on x86-64 systems it downloads and installs a Zcash miner from a remote server.
During installation, the "data.bin" file is decrypted and executed; it runs several anti-emulation, anti-debugging, and anti-sandbox checks and looks for antivirus software in order to evade detection. WebCobra loads "ntdll.dll" and "user32.dll" into memory and unhooks the APIs that many security monitoring products hook in order to detect malware behaviour.<br/> <a href="https://forum.anomali.com/t/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/3227" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947140">[MITRE ATT&amp;CK] Multilayer Encryption (T1079)</a> | <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&amp;CK] Data Obfuscation (T1001)</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&amp;CK] File Deletion (T1107)</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted (T1022)</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&amp;CK] Process Injection (T1055)</a> | <a href="https://ui.threatstream.com/ttp/947285">[MITRE ATT&amp;CK] System Time Discovery (T1124)</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&amp;CK] Process Discovery (T1057)</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery (T1082)</a> | <a href="https://ui.threatstream.com/ttp/947252">[MITRE ATT&amp;CK] Query Registry (T1012)</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery (T1083)</a> | <a href="https://ui.threatstream.com/ttp/947135">[MITRE ATT&amp;CK] Data from Local System (T1005)</a> | <a href="https://ui.threatstream.com/ttp/947173">[MITRE ATT&amp;CK] Hooking (T1179)</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface (T1059)</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel (T1041)</a></p><p><a href="https://www.bankinfosecurity.com/update-healthcaregov-breach-exposed-extensive-data-a-11698" target="_blank"><b>Breach of Obamacare Site Spilled Sensitive Data</b></a> (<i>November 12, 2018</i>)<br/> The United States Centers for Medicare and Medicaid Systems (CMS) released a statement on the October 2018 data breach of the Obamacare website, listing the data exposed as: address, date of birth, employer name, expected income, family relationships, gender, and name. More detailed information was also exposed: immigration document types and numbers, immigration status, information provided by other federal agencies and data sources to confirm the details on the application, the results of the application (including whether the applicant was eligible to enrol in a qualified health plan and, if eligible, the tax credit amount), tax filing status, the last four digits of the Social Security Number (SSN), the name of the insurance plan, the premium and dates of coverage, whether the applicant already had health insurance, and whether the applicant was pregnant. Bank information and full SSNs were not breached.
The CMS did not announce how the data breach occurred.<br/> <a href="https://forum.anomali.com/t/breach-of-obamacare-site-spilled-sensitive-data/3228" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://gwillem.gitlab.io/2018/11/12/merchants-struggle-with-magecart-reinfections/" target="_blank"><b>Merchants Struggle with MageCart Reinfections</b></a> (<i>November 12, 2018</i>)<br/> Security researcher Willem de Groot has observed the threat group MageCart infecting and reinfecting a variety of eCommerce sites at a high rate. He noted that one in five stores infected with MageCart payment skimming scripts went through multiple cycles of infection, removal of the malicious script, and reinfection, some up to 18 times. MageCart has refined its tactics and techniques in the past few months: beyond injecting payment skimmers into websites, the group has begun to plant backdoors and rogue administrative accounts, use reinfection mechanisms such as hidden scheduled tasks and database triggers, obfuscate its skimming code to appear legitimate, and exploit zero-day vulnerabilities. De Groot found that the average skimming infection lasts almost 13 days, with reinfection occurring within 10.5 days.<br/> <a href="https://forum.anomali.com/t/merchants-struggle-with-magecart-reinfections/3229" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&amp;CK] Scheduled Task (T1053)</a> | <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&amp;CK] Data Obfuscation (T1001)</a></p></div></div>
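The Docker exposure in the Misconfigured Docker Services item above comes down to one setting: the daemon's remote REST API listening on TCP (conventionally 2375 for plain text, 2376 for TLS) without TLS client verification, which hands any network peer root-equivalent control of the host. The following Python audit of a daemon.json is an added example, not part of the briefing or of Juniper's research; the daemon.json keys (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are Docker's real ones, while the sample configurations are constructed.

```python
import json
from typing import List

# Docker's conventional remote-API ports: 2375 plain text, 2376 TLS.
# Docker fills these in when a tcp:// host omits the port.
PLAINTEXT_PORT = 2375
TLS_PORT = 2376

ALL_INTERFACES = ("", "0.0.0.0", "[::]")


def audit_daemon_config(config_text: str) -> List[str]:
    """Return human-readable findings for a Docker daemon.json document.

    Only tcp:// listeners are examined; unix:// and fd:// sockets are local
    and protected by file permissions rather than by TLS settings.
    """
    cfg = json.loads(config_text)
    findings: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # the REST API is not reachable over the network

    tls_verify = bool(cfg.get("tlsverify", False))
    # "tlsverify" implies "tls"; "tls" alone encrypts but does not
    # authenticate the client.
    tls_enabled = bool(cfg.get("tls", False)) or tls_verify

    for host in tcp_hosts:
        addr = host[len("tcp://"):]
        if ":" in addr:
            bind, _, port_str = addr.rpartition(":")
            port = int(port_str)
        else:
            bind, port = addr, (TLS_PORT if tls_enabled else PLAINTEXT_PORT)

        if not tls_enabled:
            findings.append(
                f"{host}: remote API exposed without TLS; anyone who can reach "
                f"port {port} gets root-equivalent access to the host")
        elif not tls_verify:
            findings.append(
                f"{host}: TLS is enabled but tlsverify is false, so clients "
                f"are not authenticated")
        if bind in ALL_INTERFACES:
            findings.append(
                f"{host}: bound to all interfaces; bind to a management "
                f"address or firewall port {port}")

    if tls_verify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(
                    f"tlsverify is set but '{key}' is not configured; confirm "
                    f"the daemon can find its CA, certificate and key")
    return findings


# Constructed sample configurations, not taken from any real host.
# The weak one is the shape of daemon the report describes being abused.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Hardened: TLS with client-certificate verification on a management address.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_daemon_config(cfg) or ['no findings']}")
```

Run it against /etc/docker/daemon.json on each host; a daemon started with `-H tcp://...` on the command line rather than through daemon.json needs the same checks applied to its service unit flags.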
