CyberIntelMag's Threat report

Weekly Cyber Threat Report, November 15 – November 19, 2021

Welcome to CyberIntelMag’s weekly roundup! A place where you can find the most important stories in the cybersecurity world from the past week.

From the good news:

This week the US Department of Education issued recommendations for K-12 schools about ransomware, US released new guidelines for critical technology supply chain security, researchers demonstrated a new way to identify MitM phishing kits, and more.

  • Due to the rapid spread of ransomware, K-12 schools are increasingly being attacked. As a result, the US Department of Education and the Department of Homeland Security (DHS) have urged K-12 schools across the country to enhance their cybersecurity safeguards as soon as possible.
  • Researchers from Stony Brook University and Palo Alto Networks revealed a unique fingerprinting approach that uses inherent network-level features to detect MitM phishing kits in the field, effectively automating the identification and analysis of phishing websites.
  • The Department of Home Affairs released new guidelines for Critical Technology Supply Chain Security. As a result, businesses and consumers will be more confident in investing significant resources in vital new technologies such as artificial intelligence, quantum computing, blockchain, and algorithmic automation.
  • Netgear fixes a code execution flaw, CVE-2021-34991, in SOHO devices. The issue is in the device’s upnpd daemon features for handling “unauthenticated HTTP SUBSCRIBE and UNSUBSCRIBE requests from clients that want to receive updates only when network’s UPnP configuration changes.”
  • Microsoft has fixed a reflected cross-site scripting (XSS) flaw in Exchange Server. This vulnerability, known as CVE-2021-41349, is not exploited in the wild. Much like any other XSS bug, it allows an attacker to modify the DOM and use that to read/send emails, phish, and perform state-changing actions in the application, among other things.

From the bad news:

This week’s bad news includes the FBI’s email system being hacked, Emotet malware resurfacing on TrickBot’s infrastructure, the personal data of 7 million Robinhood customers being leaked, a security breach at StripChat, the BrazKing Android malware being upgraded to target Brazilian banks, and more.

  • The FBI’s email servers were hacked to send spam emails that looked like FBI alerts about networks being attacked and data being stolen. The emails were sent from an actual FBI email address belonging to the FBI’s Law Enforcement Enterprise Portal (LEEP), with the subject “Urgent: Threat actor in systems.”
  • StripChat faced a security breach in which the personal information of millions of users and adult models got exposed. Stripchat viewers and models may face a digital and physical threat as a result of the exposure.
  • Emotet used to be the most widely distributed malware. Now, the threat actors are reusing TrickBot’s infrastructure to resurrect the Emotet botnet. Network administrators should block all associated IP addresses to prevent devices from being recruited into the freshly rebuilt Emotet botnet.
  • Robinhood announced a data breach after one of its employees was compromised and the threat actor used that account to access the personal information of around 7 million customers through customer support systems. Later, Robinhood confirmed that thousands of phone numbers were also stolen during the breach.
  • An Android banking trojan, BrazKing, got upgraded to attack mobile banking users in Brazil. The malware has become more agile than before. The attack is performed by deploying malware on the victim’s smartphone and accessing the accessibility service.
  • Because of new ETW (Event Tracing for Windows) attacks, hackers can “blind” cybersecurity products. Several endpoint detection and response (EDR) systems use ETW to identify malware and monitor security-related events. To avoid detection, threat actors can disable ETW in their attacks.
  • Memento, a new ransomware gang, started by exploiting a VMware vCenter Server web client weakness to gain initial access to victims’ networks. After security tools detected its encryption routine, the group took the uncommon step of locking files inside password-protected archives instead.
  • Hackers used a domain fronting method to disguise command-and-control traffic by using a valid Myanmar government domain and redirecting communications to an attacker-controlled server to avoid detection.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.