
Cyware Daily Threat Intelligence, November 12, 2019

The lesser-known TCP SYN-ACK reflection attack (a type of DDoS attack) against organizations increased in the last month. Researchers found several large companies affected by a series of such attacks in October. The affected companies are Amazon, IBM subsidiary SoftLayer, Eurobet Italia SRL, Korea Telecom, HZ Hosting, and SK Broadband.

The past 24 hours also witnessed the UK-based Labour Party experiencing DDoS attacks on their digital platforms. While the origin of the attack is unknown, the party spokesperson has claimed that the attacks were foiled because of the party’s robust security systems.

Two notorious malware families, the Trickbot trojan and Sodinokibi ransomware, also made a comeback in the past 24 hours. While Trickbot was distributed via phishing emails, Sodinokibi was propagated using the RIG exploit kit.

Top Breaches Reported in the Last 24 Hours

ZoneAlarm breached
ZoneAlarm, an internet security software company owned by Check Point Technologies, has suffered a data breach. The incident exposed data of its discussion forum users. The firm has sent a notification to users, asking them to change their account passwords. It is believed that hackers may have gained unauthorized access to forum users' names, email addresses, hashed passwords, and birth dates.

Pemex attacked
A ransomware attack at Mexican state oil firm Pemex affected its computer servers and halted administrative work. According to an internal email, Pemex was targeted by Ryuk ransomware. The ransomware affected less than 5% of Pemex’s computers. Pemex has asked its employees to disconnect from its network and back up critical information from hard drives.

DDoS attacks
Major companies including Amazon, IBM subsidiary SoftLayer, Eurobet Italia SRL, Korea Telecom, HZ Hosting, and SK Broadband have suffered TCP SYN-ACK reflection attacks in the past 30 days. In most of the attacks, attackers used hosts across the IPv4 address space as reflectors, sending them spoofed traffic.
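In a SYN-ACK reflection, the attacker sends SYN packets carrying the victim's spoofed source address to many unrelated hosts, and each of those hosts replies to the victim with a SYN-ACK; at the victim's network edge this looks like SYN-ACKs arriving from many distinct sources with no matching outbound SYN. The following detection check is an added example, not code from the Cyware digest; the flow-record format, the sample records and the threshold are constructed assumptions.

```python
# Added example: flag hosts that look like SYN-ACK reflection victims from
# flow records. Record format (src_ip, dst_ip, tcp_flags) is an assumption;
# flags are "S" for SYN and "SA" for SYN-ACK. Constructed sample data below.
from collections import defaultdict

# Constructed flow records as seen at an organization's edge (10.0.0.0/8 is
# the internal side). 10.0.0.5 performs a normal handshake; 10.0.0.9 receives
# SYN-ACKs from four peers it never contacted, the reflection signature.
SAMPLE_FLOWS = [
    ("10.0.0.5", "93.184.216.34", "S"),      # legitimate outbound SYN
    ("93.184.216.34", "10.0.0.5", "SA"),     # matching SYN-ACK reply
    ("203.0.113.99", "10.0.0.5", "SA"),      # one stray SYN-ACK (backscatter)
    ("198.51.100.1", "10.0.0.9", "SA"),      # unsolicited SYN-ACKs ...
    ("198.51.100.2", "10.0.0.9", "SA"),
    ("203.0.113.7", "10.0.0.9", "SA"),
    ("203.0.113.8", "10.0.0.9", "SA"),
    ("203.0.113.8", "10.0.0.9", "SA"),       # repeat from the same reflector
]


def find_reflection_targets(flows, min_sources=3):
    """Return {victim_ip: distinct_reflector_count} for hosts that received
    SYN-ACKs from at least min_sources peers to which they never sent a SYN.

    A real deployment would evaluate this per time window (e.g. per minute),
    since a long-running capture accumulates benign backscatter; the window
    is omitted here to keep the core logic visible."""
    # (initiator, peer) pairs for which we saw an outbound SYN
    outbound_syn = {(src, dst) for src, dst, flags in flows if flags == "S"}

    # victim -> set of peers that sent a SYN-ACK without a preceding SYN
    unsolicited = defaultdict(set)
    for src, dst, flags in flows:
        if flags == "SA" and (dst, src) not in outbound_syn:
            unsolicited[dst].add(src)

    return {ip: len(peers) for ip, peers in unsolicited.items()
            if len(peers) >= min_sources}


if __name__ == "__main__":
    print(find_reflection_targets(SAMPLE_FLOWS))  # {'10.0.0.9': 4}
```

Counting distinct reflectors rather than raw packets is what separates reflection from ordinary backscatter: a single stray SYN-ACK to 10.0.0.5 stays below the threshold, while 10.0.0.9 is flagged even though one reflector repeated.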

Labour Party suffers an attack
The UK’s Labour Party has been hit with a sophisticated and large-scale cyberattack. This caused the party’s website and online campaign tools and platforms to go offline. The incident has been reported to the National Cyber Security Centre.

Top Malware Reported in the Last 24 Hours

Trickbot malware returns
A new phishing campaign disseminated in the form of fake sexual harassment complaints has been found distributing the Trickbot trojan. The complaints appear to come from the Equal Employment Opportunity Commission. As part of the campaign, the malware operators aim to collect the target’s name, employer, job title, and phone number.

Carding bots
Two new carding bots that pose a threat to e-commerce platforms have been detected by researchers. The bots are named Canary bot and Shortcut bot. While Canary exploits top e-commerce platforms, Shortcut bypasses the e-commerce website entirely and instead exploits the card payment vendor APIs used by a website or mobile app.

Cerberus banking trojan
The Cerberus Android banking trojan has been active since June 2019. It is sold on the Russian hacking forum xss[.]is for between $4000 and $12000. The trojan is capable of sending and manipulating SMS messages, recording keystrokes, executing USSD commands, opening fake bank pages, running any installed application, and more.

Sodinokibi returns
Sodinokibi ransomware has returned in a new malvertising campaign that leverages low-quality web games and blogs. The ransomware is being used against Asian victims. It is distributed via the RIG exploit kit, which exploits Flash Player vulnerabilities in the browser.

Top Vulnerabilities Reported in the Last 24 Hours

Magento releases update
Magento has issued a security update to address a remote code execution vulnerability affecting Magento Commerce versions 2.3.1 and 2.3.2. The vulnerability, tracked as CVE-2019-8144, could enable an unauthenticated user to insert a malicious payload into a merchant’s site and execute it.

Nautilus ATM flaws
Two vulnerabilities have been found in ATMs widely used across the U.S. The flaws could allow a determined criminal to steal cash and customer data. The flaws affect ATMs manufactured by Nautilus Hyosung America Inc. The company has released firmware security updates to mitigate the issues.

Top Scams Reported in the Last 24 Hours

Fake crypto mining scam
A new scam distributing a password- and data-stealing trojan is underway on YouTube. Scammers are using videos to promote a fake tool that can allegedly generate private keys to steal other people’s bitcoins. The videos also contain links to download the trojanized program from Yandex, Google Drive, and Mega. The malware distributed in the scam is Predator The Thief. Once installed, the malware communicates with its C2 server to download further components and other malware, and to send information back to the attackers.

Posted on: November 12, 2019