Cyware Daily Threat Intelligence, November 22, 2019

Phishing continues to be a favorite attack vector for cyber crooks to infiltrate computers and steal personal data. In the past 24 hours, security experts have come across several instances of phishing attacks against organizations and individuals. In one incident, threat actors were found using ‘fake UPS delivery email notifications’ to trick users into downloading malicious payloads. In another instance, cyber criminals impersonated the official Internal Revenue Service (IRS) website to request email addresses and passwords from users. That campaign, which spanned 47 days, was carried out via 289 different domains and 832 URLs.

The past 24 hours also saw the emergence of a new attack technique that can be used by cybercriminals to bypass ransomware protection features built into many security products and Windows 10. Termed RIPlace, the technique works by using the DefineDosDevice function to create a DOS device. This DOS device is then used to bypass the ransomware protection solutions while the files are encrypted.

Top Breaches Reported in the Last 24 Hours

BEC attack
Waterloo Brewing has admitted to losing $2.1 million in a BEC attack. The incident occurred in early November and involved the impersonation of a creditor employee. Waterloo has reported the matter to the local police, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and the United States' Financial Crimes Enforcement Network (FinCEN).

SAC leaks data
The Singapore Accountancy Commission (SAC) has inadvertently disclosed the personal information of 6,541 people to more than 40 recipients over four months this year. The leaked information contained data about past and current Singapore chartered accountant qualified candidates, accredited training organization personnel and other administrative personnel who joined the Singapore chartered accountant qualification program before May 17.

Allied Universal’s data leaked
Attackers have published almost 700 MB worth of stolen data and files from staffing firm Allied Universal after a deadline to receive the ransom payment was missed. Allied Universal was attacked using Maze ransomware, which after encrypting the files had demanded a ransom of 300 bitcoins (approximately $2.3 million).

Edenred attacked
A malware attack at payment solutions giant Edenred has affected an undisclosed number of its computing systems. Upon detection, the firm immediately implemented countermeasures to prevent further infection in accordance with Edenred’s established cybersecurity policies.

T-Mobile data breached again
The US telecommunication giant T-Mobile has disclosed a security breach that impacted a small number of customers of its prepaid service. Exposed data included details such as customer names, billing addresses, phone numbers, rate plans, and plan features.

WeWork exposes data
WeWork developers had left client data exposed and publicly accessible via GitHub. The issue impacted a subset of WeWork customers based in India, China, and Europe. The exposed data contained bank account details and some personal information. The security lapse was addressed as soon as WeWork was informed.

Top Malware Reported in the Last 24 Hours

Decryptor for Hakbit
Emsisoft has issued a new free decryption tool for the Hakbit ransomware strain, which has multiple victims in the United States and Europe. The ransomware uses the AES-256 algorithm to encrypt its target files and then appends the .crypted extension to them.

SectopRAT trojan
A new trojan named SectopRAT has appeared in the wild. The trojan is written in C# and is capable of launching a hidden secondary desktop to control browser sessions on infected machines. The malware’s capabilities also include changing browser configurations to disable security barriers and sandboxes.

New malware campaign
A new malware distribution campaign that uses ‘fake UPS delivery notification emails’ as an attack vector has been observed recently. The email contains an attachment with a filename such as “invoiceU6GCMXGLL2O0N7QYDZ” and a .txt or .doc extension, which is actually a disguised RTF file. According to analysis, the malware, which resembles CryptoLocker ransomware, attempts to download files by exploiting a vulnerability affecting old versions of Microsoft Office.

IRS phishing campaign
A new phishing campaign that impersonates the official Internal Revenue Service (IRS) website was found requesting email addresses and passwords from users. The campaign used at least 289 different domains and 832 URLs over 47 days.

New skimming attack
A new instance of web skimming attack has emerged that tricks users into believing that they are using a payment service platform (PSP). Threat actors pull off these attacks by loading a skimmer, disguised as a fake Google Analytics library called ga.js, from newly registered domains. The skimmer is notable because it mimics a phishing page copied from an official template for CommWeb, a payment acceptance service offered by Australia’s Commonwealth Bank.

RIPlace bypass technique
A new bypass technique called RIPlace can be used by cybercriminals to bypass ransomware protection features built into many security products and Windows 10. The technique has been tested against products from multiple security vendors, including Microsoft, Symantec, Sophos, McAfee, Carbon Black, Kaspersky, Crowdstrike, PANW Traps, Trend Micro, Cylance, SentinelOne, and Malwarebytes.

DePriMon malware downloader
A malware downloader named DePriMon registers itself as a Windows print monitor to gain persistence on infected users’ computers. The malware has been active since as early as March 2017.
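A defender's check for the persistence location DePriMon abuses, as an added example that is not part of the Cyware brief or the DePriMon research: it enumerates the print monitors registered under the spooler's registry key and flags any whose DLL is missing, unsigned, or not signed by Microsoft. It assumes an elevated PowerShell session on the host being audited.

```powershell
# Added example: audit registered Windows print monitors, the persistence
# mechanism DePriMon uses. Assumes an elevated session on the audited host.
$monitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$system32    = Join-Path $env:SystemRoot 'System32'

$results = foreach ($key in Get-ChildItem -Path $monitorsKey) {
    # Each monitor subkey names its DLL in the 'Driver' value; spoolsv.exe
    # loads that DLL from System32 when the spooler starts, which is why a
    # planted DLL registered here survives reboots.
    $driver = (Get-ItemProperty -Path $key.PSPath -Name 'Driver' -ErrorAction SilentlyContinue).Driver
    if (-not $driver) { continue }

    $dllPath   = Join-Path $system32 $driver
    $sigStatus = 'Missing'
    $signer    = ''
    if (Test-Path -LiteralPath $dllPath) {
        # Get-AuthenticodeSignature also resolves catalog signatures on
        # Windows 8 and later; on older hosts built-in monitors may show
        # as NotSigned, so treat the output as a review queue, not a verdict.
        $sig       = Get-AuthenticodeSignature -FilePath $dllPath
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    # Built-in monitors (e.g. "Local Port", "Standard TCP/IP Port") are
    # Microsoft-signed; anything else deserves a closer look.
    $suspicious = ($sigStatus -ne 'Valid') -or ($signer -notmatch 'Microsoft')

    [PSCustomObject]@{
        Monitor    = $key.PSChildName
        Driver     = $driver
        DllPath    = $dllPath
        Signature  = $sigStatus
        Signer     = $signer
        Suspicious = $suspicious
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Running this across a fleet and diffing the monitor names against a known-good baseline catches new registrations faster than signature checks alone.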

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft releases an update
Microsoft has released an update for a spoofing vulnerability that affects Microsoft Outlook for Android. The vulnerability, tracked as CVE-2019-1460, could allow an attacker to compromise the device. It exists in the way Microsoft Outlook for Android parses specially crafted email messages. The vulnerability has been fixed in Microsoft Outlook for Android version 4.0.65.

Top Scams Reported in the Last 24 Hours

Phantom extortion scams
Four different instances of Phantom incident extortion scams have been observed in the wild. The first incident was uncovered in early November, when multiple emails using different templates were sent to senior executives of a company. The emails threatened to release data that had supposedly been breached from the recipient’s company. A similar version of the Phantom extortion scam was also used to threaten an organization with the release of its customers’ data. During the summer of 2019, the Cozy Bear group had leveraged the same technique to threaten companies with DDoS attacks. However, the original Phantom extortion scam revolves around blackmailing recipients with an inappropriate video recording that the scammers claim to possess.

Posted on: November 22, 2019