Cyware Daily Threat Intelligence, October 02, 2019


Cybercriminals are now using a new technique to up the ante of BEC scams. A Nigeria-based threat actor group called Silent Starling is using stolen login credentials of vendors to launch phishing attacks against organizations across the world. Dubbed ‘vendor email compromise’, the scam has affected over 500 companies located in 14 countries.

The past 24 hours also saw the return of Emotet trojan and a new variant of the infamous Adwind RAT. The notorious Emotet trojan, which made a comeback in September after a gap of four months, is using a new malicious document to infect its targets. The documents are disguised as a Microsoft Office Activation Wizard to trick security solutions.

On the other hand, a new variant of Adwind RAT has been targeting organizations in the US petroleum industry. The variant includes several obfuscation techniques to evade detection while continuing with its infection process.

Top Breaches Reported in the Last 24 Hours

Hospitals attacked
Ten hospitals - three in Alabama and seven in Australia - have been forced to shut down their IT operations following a series of ransomware attacks. The affected hospitals in Alabama are DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center. The impacted hospitals in Australia include hospitals in Gippsland and southwest Victoria.

Vulnerable Oyo platform
Hospitality chain Oyo’s customer data is vulnerable to a breach due to a flaw in its security systems. The vulnerable data includes booking IDs, phone numbers, the number of people staying in a room, the date of the booking, and location. Oyo said the vulnerability was limited to a single property and was fixed immediately on being notified.

Drury Hotels data breach
Drury Hotels is notifying certain guests of a security incident that occurred on the network of a third-party technology service provider. The compromised information involved data related to transactions made through third-party online booking websites. The breach affected the details of those customers who made transactions between December 28, 2017, and June 2, 2019.

Top Malware Reported in the Last 24 Hours

Fake browser updates
In a campaign observed between May and September 2019, attackers have been using hacked websites to promote fake browser updates. These fake updates are actually used to infect targets with banking trojans. The fake update pages warn victims that they are running an old version of their web browser and urge them to download the offered ‘updated’ version.

Emotet trojan is back again
Threat actors have switched to a new template of malicious attachments to spread the nefarious Emotet trojan. The malicious document is disguised as a Microsoft Office Activation Wizard. Once the document is opened and its macros are enabled, the macros download and install the trojan.

Ghost-3PC campaign
Security researchers have identified a massive cyberespionage campaign carried out against hundreds of well-known publishers. The attackers launched the attacks using a new malware called Ghost-3PC. The campaign was conducted between August and September. The malware was distributed through conventional ad blockers in order to hijack mobile browser sessions in the U.S. and Europe.

Vendor email compromise
Security researchers have spotted a new form of email scam dubbed ‘vendor email compromise’. The scam is believed to be carried out by a Nigeria-based cybercriminal gang named Silent Starling. The threat actors attempt to steal email login credentials from vendors in order to initiate the scam. Over 500 companies in 14 countries have fallen victim to this new type of scam.

Adwind’s new version
A new variant of the infamous Adwind RAT is targeting companies in the US petroleum industry. The variant includes advanced features such as multi-layer obfuscation techniques to evade detection. The malware is distributed via spam messages that include malicious URLs.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Android’s VoIP components
A team of academics has uncovered eight vulnerabilities in the Android operating system’s VoIP components. These vulnerabilities can be exploited to perform a variety of malicious activities, such as making unauthorized VoIP calls, spoofing caller IDs, denying voice calls, and even executing malicious code on users’ devices. The flaws affect recent versions of the Android OS, from Android 7.0 to 9.0.

URGENT/11 affects more devices
The recently discovered URGENT/11 vulnerabilities have been found to affect a wide range of IoT devices that do not use the VxWorks operating system. The vulnerabilities lie in decades-old networking code used by several real-time operating systems (RTOSes).

Vulnerable Cisco products
A vulnerability, dubbed Prying-Eye, has been discovered in the Cisco Webex and Zoom video conferencing platforms. The flaw can allow an attacker to enumerate and view active, unprotected meetings. Users are advised to follow the advisories provided by Cisco and Zoom to address the issue.

Posted on: October 02, 2019