Cyware Daily Threat Intelligence, January 31, 2020


Looks like the prolific TA505 threat actor group is back from vacation. This Russian-speaking cybercrime group has been spotted behind an ongoing phishing campaign that delivers a new variant of the Dudear malware, which in turn downloads the info-stealing trojan GraceWire. The campaign also marks the group's adoption of HTML redirectors attached to emails.

In another incident, the infamous Trickbot trojan has switched to a UAC bypass that abuses the Wsreset.exe program to target Windows 10 users. The bypass lets the trojan run with elevated privileges, and without a UAC prompt, while it silently harvests saved login credentials, SSH keys, browser history, cookies, and more.

The last 24 hours also saw Cisco issue security patches for two high-severity vulnerabilities in its Small Business Switches. The flaws can be exploited by unauthenticated attackers to read sensitive device data and to trigger a denial-of-service (DoS) condition.

Top Breaches Reported in the Last 24 Hours

Toll Group goes offline
Some systems at transport and logistics company Toll Group have been taken offline following a suspected cybersecurity incident. The firm believes that customer applications may have been affected in the attack.

NEC compromised
The Japanese electronics giant NEC was the target of a cyberattack that resulted in unauthorized access to its internal network. The firm has confirmed that the attackers accessed around 28,000 files on one of its servers, but says that these files contained no confidential or personal information.

VCRN’s patient data breached
A phishing attack at the VillageCare Rehabilitation and Nursing Center (VCRN) exposed the personal and medical information of 674 of its patients. The information obtained by the threat actor included patients' first and last names, dates of birth, medical insurance information, and ID numbers.

Top Malware Reported in the Last 24 Hours

Trickbot adds a new bypass
The Trickbot trojan has switched to a new UAC bypass that abuses the Wsreset.exe program on Windows 10 systems. Wsreset.exe is a Microsoft-signed binary that auto-elevates, so the trojan uses it to launch itself with elevated privileges without the logged-in Windows user seeing a UAC prompt. This allows the trojan to run silently in the background while it harvests saved login credentials, SSH keys, browser history, cookies, and more. As with other UAC bypasses, the trick only yields elevation when the victim's account is already a member of the local Administrators group, so running day-to-day as a standard user blunts it.
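The following is an added hunting example, not code from the Cyware page or from any vendor's product. It runs two detection rules over constructed Sysmon-style events (registry value set, Event ID 13; process create, Event ID 1): one for a write to the per-user AppX handler key that the public WSReset.exe bypass is known to plant (that key path is an assumption drawn from public research, not from this page), and one for any process spawned by wsreset.exe, which a legitimate Store cache reset never does. The sample events and their paths are constructed for the example.

```python
"""Hunt for the WSReset.exe UAC-bypass pattern in Sysmon-style events (added example)."""
import json
from typing import Dict, Iterable, List

# Assumption (not stated on the Cyware page): the public WSReset.exe bypass plants a
# command handler under the per-user AppX class key below, and the auto-elevated
# wsreset.exe runs whatever that key points to. Sysmon records registry paths with an
# HKU\<SID>\ prefix, so only the case-folded suffix is matched.
WSRESET_KEY_SUFFIX = (
    r"\software\classes\appx82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command"
)


def is_wsreset_handler_write(event: Dict) -> bool:
    """Sysmon Event ID 13 (registry value set) under the WSReset AppX handler key."""
    if event.get("EventID") != 13:
        return False
    return WSRESET_KEY_SUFFIX in event.get("TargetObject", "").lower()


def is_wsreset_child(event: Dict) -> bool:
    """Sysmon Event ID 1 (process create) whose parent image is wsreset.exe.

    A genuine Store cache reset spawns no children, so any child deserves a look;
    a child at High integrity is the bypass having succeeded.
    """
    if event.get("EventID") != 1:
        return False
    return event.get("ParentImage", "").lower().endswith("\\wsreset.exe")


def hunt(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per matching event, in stream order."""
    findings = []
    for ev in events:
        if is_wsreset_handler_write(ev):
            findings.append({"rule": "wsreset_handler_write",
                             "image": ev.get("Image"),
                             "detail": ev.get("TargetObject")})
        elif is_wsreset_child(ev):
            findings.append({"rule": "wsreset_child_process",
                             "image": ev.get("Image"),
                             "detail": "IntegrityLevel=" + ev.get("IntegrityLevel", "?")})
    return findings


def bypass_chain_present(findings: List[Dict]) -> bool:
    """True when both stages were seen: handler planted, then wsreset spawned a child."""
    rules = {f["rule"] for f in findings}
    return {"wsreset_handler_write", "wsreset_child_process"} <= rules


def parse_jsonl(text: str) -> List[Dict]:
    """Parse one JSON event per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample events (not real telemetry): an unsigned binary in the user's
# profile plants the handler, launches WSReset.exe, and is re-spawned by it elevated.
# Two benign events are included so the rules are seen not to fire on them.
SAMPLE_JSONL = r'''
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Roaming\\update.exe", "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\(Default)", "Details": "C:\\Users\\alice\\AppData\\Roaming\\update.exe"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Roaming\\update.exe", "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\DelegateExecute", "Details": "(Empty)"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WSReset.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\update.exe", "IntegrityLevel": "High"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\update.exe", "ParentImage": "C:\\Windows\\System32\\WSReset.exe", "IntegrityLevel": "High"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "IntegrityLevel": "Medium"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Classes\\.txt\\(Default)", "Details": "txtfile"}
'''

if __name__ == "__main__":
    results = hunt(parse_jsonl(SAMPLE_JSONL))
    for finding in results:
        print(finding)
    print("bypass chain present:", bypass_chain_present(results))
```

On the sample stream the handler-key rule fires twice (the default value and the DelegateExecute value) and the child-process rule fires once for the elevated re-launch of update.exe; the two benign events produce nothing. In a real deployment the registry rule is the earlier and cheaper signal, since it fires before wsreset.exe is ever started.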

New Evil Corp campaign
Microsoft has detected an ongoing Evil Corp phishing campaign that delivers malicious payloads through Excel documents. The new campaign uses HTML redirectors attached to emails: when the attachment is opened, the HTML redirects the browser to download Dudear, a macro-laden Excel file that drops the payload once the user enables macros. The campaign is attributed to the TA505 threat actor group.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco issues patches
Cisco has issued security patches to address two high-severity vulnerabilities in its Small Business Switches. The flaws can be exploited by unauthenticated attackers to read sensitive device data (CVE-2019-15993) and to trigger a denial-of-service (DoS) condition (CVE-2020-3147).

Flawed Microsoft Azure
Researchers have released technical details of two recently fixed flaws in Microsoft Azure services that could have allowed attackers to take over cloud services. The flaws are tracked as CVE-2019-1234, a request spoofing issue, and CVE-2019-1372, a remote code execution flaw.

BIOS updates released
Vulnerabilities in Dell and HP laptops can allow an attacker with physical access to read memory and gain kernel privileges via the devices' Direct Memory Access (DMA) capability. Following the discovery, both manufacturers issued BIOS updates to address the issues. Beyond applying the updates, administrators should confirm that the platform's IOMMU-based DMA protection (Kernel DMA Protection on supported Windows 10 hardware) is enabled, since that is what keeps a rogue peripheral out of kernel memory.

Top Scams Reported in the Last 24 Hours

Tax refund scam
A new wave of phishing scams that trick unsuspecting users into handing over their credit card details or passwords has been observed recently. Victims are lured into giving up private information, including their name, address, phone number, and card details, by the promise of a tax refund. Users are advised to watch for spelling mistakes, to check that the named government agency is real, and to verify the sender's email address before responding.

Tags

villagecare rehabilitation and nursing center vcrn
bios updates
evil corp campaign
toll group

Posted on: January 31, 2020
