
Cyware Daily Threat Intelligence


Daily Threat Briefing Dec 5, 2019

Since returning to operation in September, the Emotet trojan has re-emerged as a serious threat. In a new finding, researchers have highlighted that the operators of the prolific trojan are actively exploiting vulnerable servers of SMEs across APAC to distribute different variants of Emotet. An important aspect of the ongoing campaign is that the threat actors are using compromised domains to host and deliver Emotet executables.

Staying with vulnerabilities, threat actors have also been spotted abusing a two-year-old Security Feature Bypass vulnerability in Microsoft Outlook to execute malicious code on infected systems. Users are urged to apply the recommended security update to avoid falling prey to these attacks.

Multiple payment card skimming attacks were also observed in the past 24 hours. The affected companies include the UK activewear retailer Sweaty Betty and four Heroku-based online retail shops.

Top Breaches Reported in the Last 24 Hours

BAT’s website compromised

A Romanian web platform owned by the tobacco company British American Tobacco (BAT) has suffered a ransomware attack. The incident came to light after a ransom note was found on an unsecured Elasticsearch server located in Ireland. The database contained close to 325 GB of sensitive data. The attackers had gained access to the data and left a readme file containing their ransom demand. The compromised data includes personally identifiable information of users.

Magecart skimmer attack

A Magecart skimmer attack on the UK activewear retailer Sweaty Betty resulted in the compromise of customers’ payment information. Threat actors had injected malicious code in checkout and other similar pages that asked for payment information. The stolen payment information included customers’ names, Sweaty Betty passwords, billing addresses, delivery addresses, and more.

CyrusOne attacked

The biggest data center provider in the US, CyrusOne, has been hit by Sodinokibi ransomware. The infection took place on December 4, 2019, when a variant of the ransomware infected the systems of the company. CyrusOne has since informed its customers about the attack.

Another card skimmer attack

Four online retail shops that use the Heroku cloud platform have been compromised using payment card skimmers. The hackers behind the scheme not only used the service to host their skimmer infrastructure and deliver it to targeted sites, but also used Heroku to store the stolen credit card data.

Top Malware Reported in the Last 24 Hours

Emotet campaign

New research has revealed that a large number of vulnerable servers of small and mid-size enterprises across APAC are now being exploited by Emotet actors to distribute Emotet variants. The modus operandi of the campaign includes the use of compromised domains to host and distribute Emotet delivery documents and executables.

Great Cannon DDoS tool

The Great Cannon Distributed Denial of Service (DDoS) tool was deployed to launch attacks against the LIHKG social media platform used by Hong Kong protesters. The tool works by hijacking traffic and arbitrarily replacing unencrypted content as a man-in-the-middle.

New Buer malware downloader

A new modular loader called Buer is being actively sold in prominent underground marketplaces. Researchers have uncovered that the malware has been used in several attack campaigns involving phishing emails and malvertising. The payloads dropped by Buer include DreamBot variants, the Ursnif trojan, the KPOT stealer, Amadey, and the Ostap downloader.

Top Vulnerabilities Reported in the Last 24 Hours

Buggy Lundblad

The most copied Java code snippet on StackOverflow, written by Andreas Lundblad, has been found to contain a bug. Following the discovery, Lundblad acknowledged the issue and explained that the code incorrectly converted byte counts into human-readable formats. A corrected version of the code has now been published.
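The following is an added illustration and not code from the briefing or from Lundblad's post: a byte-count formatter that picks the unit with a logarithm before rounding, which is the class of mistake that lets 999,999 bytes print as "1000.0 kB", beside a corrected version that picks the unit so the rounded value stays below 1000 and that also survives the most negative 64-bit value. The function names and the unit list are this example's own.

```python
import math

# Constructed unit list; index 0 is used once the count is at least 1000.
UNITS = ["kB", "MB", "GB", "TB", "PB", "EB"]


def human_readable_log(byte_count: int) -> str:
    """Flawed variant: unit chosen from log(count)/log(1000), then rounded.

    Choosing the unit before rounding means a value just under the next
    unit boundary rounds up and prints as "1000.0 kB" instead of "1.0 MB".
    Only non-negative inputs are handled here; the point is the rounding bug.
    """
    if byte_count < 1000:
        return f"{byte_count} B"
    exp = int(math.log(byte_count) / math.log(1000))
    return f"{byte_count / 1000 ** exp:.1f} {UNITS[exp - 1]}"


def human_readable(byte_count: int) -> str:
    """Corrected variant: divide down while the rounded result would still
    print as 1000.0, then format. Works for negative counts too, and avoids
    the abs() overflow a 64-bit implementation hits on the most negative value.
    """
    if -1000 < byte_count < 1000:
        return f"{byte_count} B"
    n = byte_count
    idx = 0
    # 999_950 is the smallest count that "%.1f" would round up to 1000.0 kB.
    while n <= -999_950 or n >= 999_950:
        # Truncate toward zero with integer arithmetic (no float precision loss).
        n = n // 1000 if n >= 0 else -((-n) // 1000)
        idx += 1
    return f"{n / 1000:.1f} {UNITS[idx]}"


if __name__ == "__main__":
    for count in (999, 1_500, 999_949, 999_999, 2**63 - 1, -(2**63)):
        print(f"{count:>22}  log: {human_readable_log(count) if count >= 0 else 'n/a':>10}"
              f"  fixed: {human_readable(count):>10}")
```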

An old flaw in Outlook actively exploited

A two-year-old Security Feature Bypass vulnerability in Microsoft Outlook is being actively exploited in the wild to execute malicious code on infected systems. The vulnerability in question is CVE-2017-11774, which exists in the Outlook Home Page feature that allows a customized view for any email folder. Users are advised to install the security update to prevent attacks.

An issue in Ubuntu fixed

Canonical has released a new Intel microcode update for Linux to fix an issue in Ubuntu that caused Intel Skylake processors to hang after a warm reboot. The newly released version, intel-microcode-3.20191115.1ubuntu0, reverts the microcode for Skylake processors so that they no longer freeze.
