Cyware Daily Threat Intelligence, January 16, 2020


Financial organizations have always been a hotbed for cybercrime. A new cybersecurity incident affecting the customers of Brazilian financial organizations has come to notice in the past 24 hours. The attack campaign is carried out using a new variant of Metamorfo malware that collects data from a victim’s machine. The malware spreads via a phishing email that pretends to be an ‘Invoice’ notice written in the Portuguese language.

Talking further on phishing emails, security researchers have uncovered that the recently discovered Ako ransomware is using fake agreement-based emails to propagate across a company’s network. The email includes a password-protected zip which, if opened, results in the download of the malware.

A phishing attack that leverages Microsoft’s Sway to trick users into clicking bogus URLs has also been spotted in the past 24 hours. Some of the phishing pages include well-known Microsoft product logos, including SharePoint and those from real fax service providers.

Top Breaches Reported in the Last 24 Hours

P&N Bank data breach
P&N Bank in Australia is informing its customers about a data breach that may have affected their personal information. The compromised data includes names, addresses, emails, age, customer account numbers, and account balance. As many as 100,000 individuals may be impacted by the incident that occurred during a server upgrade on December 12, 2019.

PlanetDrugsDirect’s security breach
Canadian online pharmacy PlanetDrugsDirect is notifying its customers that their personal and financial information may have been affected in a data security incident. The exposed data includes customers’ names, email addresses, phone numbers, medical information, prescriptions, and payment information. Customers are advised to keep a close eye on their bank account and credit card activity.

Center for Facial Restoration targeted
The Center for Facial Restoration has received ransom demands following a cyberattack. The incident has affected an estimated 3,500 former and current patients. The attackers breached the clinic’s servers and obtained the complete medical records of patients.

Leaky PussyCash
An unprotected S3 bucket used by PussyCash has leaked 19.95 GB of data on the internet. The leak has exposed the personal data and likeness of over 4,000 models, along with videos, marketing materials, photographs, clips and screenshots of video chats, and zip files.

Top Malware Reported in the Last 24 Hours

New Metamorfo variant
A new variant of Metamorfo malware has been spotted collecting data from the customers of Brazilian financial organizations. The variant is distributed via a phishing email that contains a notice written in Portuguese. The notice asks the victim to download an electronic invoice that comes in a ZIP file format.

Malicious Fleeceware apps 
A new set of 25 Fleeceware apps on the Google Play Store has been identified as causing monetary damage to Android users. These apps fall into categories such as entertainment, utility, fortune-tellers, instant messengers, video editors, and beauty camera apps. They have been downloaded more than 600 million times. The apps appear to have fake five-star reviews to boost their ranking on the Play Store and attract a large number of users.

Ako ransomware
Ako is a new ransomware that was discovered last week, but until now it was unclear how it spreads. It has now been found that the ransomware is distributed via malicious spam emails that pretend to be a request agreement such as ‘Agreement 2020 #1775505’. The email includes a password-protected zip file named agreement.zip, with the password ‘2020’ given in the body of the email.
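The delivery pattern just described (a password-protected zip attachment whose password is handed out in the same message) can be triaged mechanically at the mail gateway. The script below is an added example written for this briefing; it is not Cyware's tooling and not taken from any Ako analysis. The sample message, the agreement.zip archive and the "password is 2020" body text are constructed here to mirror the pattern, and the ZIP encryption flag is set by hand on the constructed archive because Python's standard library cannot write real ZipCrypto archives.

```python
"""Flag e-mails that carry a password-protected ZIP attachment together with a
password hint in the message body. Example code for this page, not vendor code."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Heuristic: a short token following "password"/"passcode"/"pwd" in the body.
PASSWORD_HINT = re.compile(
    r"\b(?:password|passcode|pwd)\b\s*(?:is|:)?\s*['\"\u2018\u2019]?([A-Za-z0-9]{2,16})",
    re.IGNORECASE,
)


def zip_is_encrypted(blob: bytes) -> bool:
    """True if any entry has bit 0 ('encrypted') set in its general-purpose flags."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a ZIP at all; other checks can deal with it


def analyze_email(raw: bytes) -> list[dict]:
    """Return one finding per ZIP attachment, with a verdict for the analyst queue."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    hints = PASSWORD_HINT.findall(body_text)

    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Match on extension or on the local-file-header magic, so a renamed ZIP still counts.
        if not name.lower().endswith(".zip") and not payload.startswith(b"PK\x03\x04"):
            continue
        encrypted = zip_is_encrypted(payload)
        if encrypted and hints:
            verdict = "suspicious"        # encrypted archive + password in the same mail
        elif encrypted:
            verdict = "encrypted-no-hint"  # still worth a look, password may be out of band
        else:
            verdict = "ok"
        findings.append({
            "attachment": name,
            "encrypted_zip": encrypted,
            "password_in_body": hints,
            "verdict": verdict,
        })
    return findings


def _constructed_zip(encrypted: bool) -> bytes:
    """Constructed test archive. The stdlib cannot write ZipCrypto, so the
    encryption bit is set by hand in the local header (offset 6) and the
    central directory entry (offset 8) to make the archive look protected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agreement.doc", b"placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x1
                pos = data.find(sig, pos + 1)
    return bytes(data)


def _constructed_email(zip_blob: bytes, body: str) -> bytes:
    """Constructed sample message mirroring the lure described in the briefing."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Agreement 2020 #1775505"
    msg.set_content(body)
    msg.add_attachment(zip_blob, maintype="application", subtype="zip",
                       filename="agreement.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    lure = _constructed_email(_constructed_zip(True),
                              "Please find the agreement attached. The password is 2020.")
    benign = _constructed_email(_constructed_zip(False),
                                "Attached is the signed agreement for your records.")
    for raw in (lure, benign):
        for finding in analyze_email(raw):
            print(finding)
```

Run it as a script to see one "suspicious" and one "ok" finding; in a gateway you would feed `analyze_email` the raw RFC 822 bytes of each inbound message and route anything that is not "ok" to quarantine or analyst review.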

Phishing attack
Cybercriminals are making use of Microsoft Sway to dupe victims into clicking on a malicious URL. Some of the phishing pages include well-known Microsoft product logos, including SharePoint, as well as those from real fax service providers. By hosting these malicious pages on sway[.]office[.]com, threat actors can go undetected while carrying out their malicious activities.

Top Vulnerabilities Reported in the Last 24 Hours

PoC for NSA Crypt bug released
Security researchers have released two proof-of-concept exploits for the CurveBall vulnerability, also named ‘NSA Crypt’. Tracked as CVE-2019-0601, the flaw impacts Crypt32.dll, the component that handles cryptographic operations in the Windows OS. If exploited, the flaw can allow an attacker to launch a MITM attack and intercept or spoof HTTPS connections.

VMware releases a security update
VMware has advised customers using VMware Tools version 10 for Windows to update their installations to version 11 due to a local privilege escalation vulnerability. The vulnerability is tracked as CVE-2020-3941 and has been assigned a CVSS score of 7.8.


Posted on: January 16, 2020
