Cyware Daily Threat Intelligence, December 05, 2019


Since returning to operation in September, the Emotet trojan has re-emerged as a major threat. In a new finding, researchers have highlighted that the operators of the prolific trojan are actively exploiting vulnerable servers of SMEs across APAC to distribute different variants of Emotet. An important aspect of the ongoing campaign is that the threat actors are using compromised domains to host and deliver Emotet executables.

On the vulnerability front, threat actors have also been spotted abusing a two-year-old Security Feature Bypass vulnerability in Microsoft Outlook to execute malicious code on infected systems. Users are urged to apply the recommended security update to avoid falling prey to attacks.

Multiple payment card skimming attacks were also observed in the past 24 hours. The affected companies include the UK activewear retailer Sweaty Betty and four Heroku-based online retail shops.

Top Breaches Reported in the Last 24 Hours

BAT’s website compromised
A Romanian web platform owned by the tobacco company British American Tobacco (BAT) has suffered a ransomware attack. The incident came to light after a ransom note was found on an unsecured Elasticsearch server located in Ireland. The database contained close to 325 GB of sensitive data. The attackers had gained access to the data and left a readme file containing a ransom demand. The compromised data includes personally identifiable information of users.

Magecart skimmer attack
A Magecart skimmer attack on the UK activewear retailer Sweaty Betty resulted in the compromise of customers’ payment information. Threat actors had injected malicious code in checkout and other similar pages that asked for payment information. The stolen payment information included customers’ names, Sweaty Betty passwords, billing addresses, delivery addresses, and more.

CyrusOne attacked
The biggest data center provider in the US, CyrusOne, has been hit by Sodinokibi ransomware. The infection took place on December 4, 2019, when a variant of the ransomware infected the company's systems. CyrusOne has since informed its customers about the attack.

Another card skimmer attack
Four online retail shops that use the Heroku cloud platform have been compromised using payment card skimmers. The hackers behind the scheme not only used the service to host their skimmer infrastructure and deliver it to targeted sites, but also used Heroku to store the stolen credit card data.

Top Malware Reported in the Last 24 Hours

Emotet campaign
New research has revealed that a large number of vulnerable servers of small and mid-size enterprises across APAC are now being exploited by Emotet actors to distribute Emotet variants. The modus operandi of the campaign includes the use of compromised domains to host and distribute Emotet delivery documents and executables.

Great Cannon DDoS tool
The Great Cannon Distributed Denial of Service (DDoS) tool was deployed to launch attacks against the LIHKG social media platform used by Hong Kong protestors. The tool hijacks traffic and, acting as a man-in-the-middle, arbitrarily replaces unencrypted content.

New Buer malware downloader
A new modular loader called Buer is being actively sold in prominent underground marketplaces. Researchers have uncovered that the malware has been used in several attack campaigns involving phishing emails and malvertising. The payloads dropped by Buer include DreamBot variants, the Ursnif trojan, the KPOT stealer, Amadey, and the Ostap downloader.

Top Vulnerabilities Reported in the Last 24 Hours

Buggy Lundblad
The most-copied Java code snippet on StackOverflow, written by Andreas Lundblad, has been found to contain a bug. Lundblad acknowledged the issue, explaining that the code incorrectly converts byte counts into human-readable formats. A corrected version of the code has now been published.
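The page does not spell out what the bug was, so the following is an added illustration rather than Lundblad's code: the original snippet was Java, and this Python rendering shows the classic pitfall in byte-count formatting, where the unit is chosen before the value is rounded for display, so an input just below a unit boundary prints as "1000.0 kB" instead of "1.0 MB". The naive function mirrors that pattern; the corrected one decides the unit from the value as it will actually be printed, using integer arithmetic so the boundary test is exact. The function names and the sample inputs are assumptions constructed for this example.

```python
import math

# Prefix tables for decimal (SI) and binary (IEC) units.
SI_PREFIXES = "kMGTPE"
BIN_PREFIXES = "KMGTPE"


def naive_human_readable_bytes(n: int, si: bool = False) -> str:
    """The widely copied pattern: pick the unit with a logarithm, then format.

    Python rendering of that pattern (not the original Java snippet), kept
    here only to show where it goes wrong.
    """
    unit = 1000 if si else 1024
    if n < unit:
        return f"{n} B"
    exp = int(math.log(n) / math.log(unit))
    prefix = (SI_PREFIXES if si else BIN_PREFIXES)[exp - 1] + ("" if si else "i")
    # Rounding happens *after* the unit was chosen, so a value just below the
    # next unit is rounded up to "1000.0 kB" instead of "1.0 MB".
    return f"{n / unit ** exp:.1f} {prefix}B"


def human_readable_bytes(n: int, si: bool = False) -> str:
    """Correct conversion: choose the unit from the value as it will be printed.

    With one decimal place, n / unit**k prints as "1000.0" (or "1024.0")
    whenever n / unit**k >= unit - 0.05. Rearranged into integer arithmetic:
        20 * n >= (20 * unit - 1) * unit**k
    so the prefix is chosen without any floating-point comparison.
    """
    unit = 1000 if si else 1024
    prefixes = SI_PREFIXES if si else BIN_PREFIXES
    sign = "-" if n < 0 else ""
    value = abs(n)  # Python ints do not overflow, so abs() is safe for any input
    if value < unit:
        return f"{sign}{value} B"
    idx = 0  # index into the prefix table; idx 0 means unit**1
    while idx < len(prefixes) - 1 and 20 * value >= (20 * unit - 1) * unit ** (idx + 1):
        idx += 1
    scaled = value / unit ** (idx + 1)
    return f"{sign}{scaled:.1f} {prefixes[idx]}{'' if si else 'i'}B"


def compare(n: int, si: bool = False) -> tuple:
    """Return (naive, correct) renderings of n, handy for spotting the boundary bug."""
    return naive_human_readable_bytes(n, si), human_readable_bytes(n, si)


if __name__ == "__main__":
    # Constructed sample inputs sitting on either side of a unit boundary.
    samples = [(999_999, True), (999_949, True), (1_048_525, False), (1_048_524, False), (-1536, False)]
    for n, si in samples:
        naive, fixed = compare(n, si)
        print(f"{n:>12} bytes  naive={naive!r:>14}  correct={fixed!r}")
```

The threshold constants follow from the one-decimal display format: 999,950 bytes is the smallest SI value that would display as "1000.0 kB", and 1,048,525 bytes the smallest binary value that would display as "1024.0 KiB", so both are promoted to the next unit. Any formatter that prints a different number of decimals needs its own threshold derived the same way.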

An old flaw in Outlook actively exploited
A two-year-old Security Feature Bypass vulnerability in Microsoft Outlook is being actively exploited in the wild to execute malicious code on infected systems. The vulnerability in question is CVE-2017-11774, which exists in the Outlook Home Page feature that allows a customized view for any email folder. Users are recommended to install the security patch to prevent attacks.

An issue in Ubuntu fixed
Canonical has released a new Intel microcode update to fix an issue in Ubuntu that caused Intel Skylake processors to hang after a warm reboot. The newly released version, intel-microcode-3.20191115.1ubuntu0, reverts the microcode for Skylake processors so that they no longer freeze.


card skimmer attack
buer malware
emotet campaign

Posted on: December 05, 2019
