Cyware Daily Threat Intelligence, November 28, 2019

The notorious Trickbot never ceases to amaze security experts. In the past 24 hours, the trojan has been found in a new campaign targeting employees of multiple organizations. The attackers are leveraging SendGrid’s email delivery platform to send the lure messages. Users who click on the SendGrid links are redirected to Google Docs, which urges them to download a “secure document” that is in fact a .exe file. When executed, the file attempts to install the trojan.

New details about the recent sale of 4 million stolen payment cards on an underground forum have also emerged in the past 24 hours. Security researchers have learned that the latest batch of stolen cards was siphoned from four restaurant chains in the U.S.: Krystal, McAlister’s Deli, Moe’s Southwest Grill, and Schlotzsky’s. All four had suffered payment card breaches between April and July 2019.

In a major data breach, Adobe has revealed that the official Magento Marketplace exposed the personal information of its registered users. Although the number of impacted users is unknown, the exposed information includes names, email addresses, store usernames, billing addresses, phone numbers, and some commercial information.

Top Breaches Reported in the Last 24 Hours

4 million payment cards on sale
Researchers have uncovered that the 4 million stolen cards put up for sale on Joker’s Stash belonged to customers of four restaurant chains: Krystal, Moe’s, McAlister’s Deli, and Schlotzsky’s. The restaurants had suffered data breaches after hackers compromised their payment card systems with PoS malware. The intrusions occurred between April 29 and July 22, 2019.

Adobe discloses a security breach
Adobe has disclosed a security breach impacting Magento marketplace users. The attackers behind the breach exploited a vulnerability in the Marketplace website to access account information for registered users. Exposed data includes names, email addresses, store usernames, billing addresses, phone numbers, and some commercial information.

Prosegur attacked
Spanish multinational security company Prosegur has suffered a major attack involving Ryuk ransomware. The incident has disrupted the company’s telecommunications platform, and all Prosegur locations in Europe are affected.

Great Plains Health medical center attacked
Great Plains Health medical center is recovering from a ransomware attack that hit its computer network at the beginning of the week. The Maze ransomware is believed to have been used. The operators demanded a ransom of 300 bitcoins, worth about $2.3 million. When the medical center refused to pay, the Maze operators published a 700MB cache of its files on the internet.

Top Malware Reported in the Last 24 Hours

Machete info-stealer
Machete is an info-stealer that can harvest user credentials, chat logs, screenshots, webcam pictures, and geolocation, and can also perform keylogging. The malware is typically distributed through social engineering and malicious websites. The victim is enticed into opening the executable in the belief that they are opening a PowerPoint presentation.

A new campaign involving Trickbot
Researchers have observed an active Trickbot campaign targeting employees of multiple organizations. The campaign uses links as the infection vector, with the SendGrid email delivery platform used to send the lure messages. To trick victims, the email subject is formatted to look like a continuation of a previous conversation. The email prompts the user to download a “secure document”, which ultimately leads to the execution of a .exe file that attempts to install Trickbot.
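Triage heuristics for the fake-reply link lure described above, as an added example that is not code from the original article or from any vendor. It flags a reply-style subject that carries no threading headers, lure wording in the body, links whose host does not match the sender’s domain, and links that point straight at an executable. The two sample messages, the domain names, the header values and the lure phrase list are all constructed for this example.

```python
"""Heuristic triage for 'fake reply' link lures (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure: a reply-style subject with no In-Reply-To/References,
# and a "secure document" link hosted on a third-party delivery domain (assumed name).
SAMPLE_LURE = """\
From: "Accounts Team" <accounts@partner-example.test>
To: employee@victim-example.test
Subject: RE: documents for review
Date: Thu, 28 Nov 2019 09:14:02 +0000
Message-ID: <a1b2c3@partner-example.test>
Content-Type: text/plain; charset="utf-8"

Hi,

As discussed, please download the secure document here:
https://links.delivery-example.test/ls/click?upn=abc123

Regards
"""

# Constructed sample of a genuine reply: threading headers present, no link.
SAMPLE_LEGIT_REPLY = """\
From: colleague@victim-example.test
To: employee@victim-example.test
Subject: Re: Lunch on Friday?
Date: Thu, 28 Nov 2019 10:00:00 +0000
Message-ID: <x9y8z7@victim-example.test>
In-Reply-To: <q1w2e3@victim-example.test>
References: <q1w2e3@victim-example.test>
Content-Type: text/plain; charset="utf-8"

Sure, see you there.
"""

REPLY_PREFIX = re.compile(r"^\s*(re|fwd?|aw|wg)\s*:", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Illustrative lure phrases; the article itself only mentions "secure document".
LURE_PHRASES = ("secure document", "secure file", "encrypted document")
# Extensions that indicate a link downloads code rather than a document.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".jar")


def body_text(msg):
    """Concatenate all text/plain parts, undoing transfer encoding and charset."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def is_fake_reply(msg):
    """Subject claims to continue a thread, but no threading headers back that up."""
    subject = msg.get("Subject", "")
    threaded = bool(msg.get("In-Reply-To") or msg.get("References"))
    return bool(REPLY_PREFIX.match(subject)) and not threaded


def sender_domain(msg):
    """Domain part of the From address, lower-cased ('' if unparseable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    findings = []
    if is_fake_reply(msg):
        findings.append("reply-style subject without In-Reply-To/References")

    text = body_text(msg)
    lowered = text.lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            findings.append(f"lure phrase present: '{phrase}'")

    sdom = sender_domain(msg)
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if sdom and host != sdom and not host.endswith("." + sdom):
            findings.append(f"link host {host} does not match sender domain {sdom}")
        if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"link points directly at an executable: {url}")
    return findings


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("legit reply", SAMPLE_LEGIT_REPLY)):
        print(name, "->", triage(sample) or ["no findings"])
```

Each finding on its own is weak (mail relays and click-tracking redirectors legitimately produce link hosts that differ from the sender), so the value is in the combination: a fake-reply subject plus lure wording plus an off-domain link is the pattern this campaign relies on, and the constructed lure trips all three while the genuine reply trips none.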

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable smartwatch
Serious vulnerabilities discovered in the SMA-WATCH-M2, a children’s smartwatch with GPS, could expose the data and location of thousands of children around the world. The flaws could also be abused by attackers to listen in on and manipulate confidential conversations and other information.

Information disclosure vulnerability
Linux kernel versions prior to 5.3.13 contain an information disclosure vulnerability, tracked as CVE-2019-18660. The flaw can be abused to obtain sensitive information that can then be used to stage further attacks.

Top Scams Reported in the Last 24 Hours

ACCC warns about Christmas scam
The Australian Competition & Consumer Commission (ACCC) is warning about a new Christmas scam targeting Australians. The agency has asked users to beware of fake websites and sellers that claim to have sent parcels for delivery. The scammers have set up fake online stores, on standalone websites or on social media, that resemble legitimate online retailers and offer luxury items at very low prices to lure shoppers. Users have been advised to be wary of online shopping offers with extremely low advertised prices and requests to pay by direct bank transfer or cryptocurrency.

Posted on: November 28, 2019