Cyware Daily Threat Intelligence
Daily Threat Briefing • Nov 3, 2021
Let’s open this newsletter with a fresh piece of news: the BlackMatter ransomware gang has announced that it is closing shop. Is this the end, or will they re-emerge under a new brand? Only time will tell. However, not all is sunshine and rainbows in the world of cybersecurity. Such is the sophistication and malicious intent of ransomware gangs that the FBI issued a notification warning companies against specialized ransomware attacks timed around sensitive financial events.
The Mekotio banking trojan has made a comeback with advanced detection evasion features. Last month, law enforcement arrested 16 individuals related to Mekotio operations. Nevertheless, the malware continues to propagate across South America with greater gumption.
Top Breaches Reported in the Last 24 Hours
FBI warns against special ransomware attacks
The FBI issued a Private Industry Notification (PIN) warning of targeted ransomware attacks against organizations involved in time-sensitive financial events, such as mergers and acquisitions. Ransomware actors choose their targets on the basis of imminent events that could impact the victim’s stock value. The PIN includes recommendations to reduce the impact of ransomware attacks.
Medical school exposes data
A medical training school, Phlebotomy Training Specialists, in the U.S. exposed the PII of thousands of students due to an unsecured Amazon S3 bucket left open online. The server was accessible to anyone with an internet connection and contained 157GB of data. The PII includes ID card and driver’s license copies, names, email addresses, phone numbers, genders, birth dates, photos, and educational and professional summaries.
BlackShadow hijacks Cyberserve
BlackShadow, an Iranian state-sponsored threat actor, has launched an attack on Cyberserve, a web hosting provider in Israel, to exfiltrate its customer database and halt the organization’s operations. The attackers have demanded a ransom of $1 million in cryptocurrency and have set a deadline of 48 hours, after which they will expose the stolen information. The group has already released 1,000 documents that include personal information from an Israeli LGBTQIA site, the Kavim public transportation company, the Pegasus tour booking company, and the Israeli Children’s Museum.
Top Malware Reported in the Last 24 Hours
Mekotio trojan resurfaces
The Mekotio banking trojan has reappeared with enhanced detection evasion capabilities and has launched almost 100 attacks in the last three months. One of the trojan’s latest features is a modular attack that lets attackers change a small portion of the whole to remain undetected. The attacks were mainly launched in Brazil, Mexico, Spain, Peru, and Chile. Mekotio is capable of exfiltrating usernames and passwords to gain access to financial institutions.
BlackMatter to shut down
A post by BlackMatter announced that the gang is shutting down its operations due to increased pressure from local authorities and recent actions by law enforcement. The note also states that team members are missing, which might allude to the arrest by internal law enforcement of 12 individuals connected to 1,800 ransomware attacks in 71 nations.
Top Vulnerabilities Reported in the Last 24 Hours
Critical vulnerability in macOS
A critical flaw detected in System Integrity Protection within the macOS ecosystem could have enabled attackers to install rootkits on targeted MacBooks. The flaw also impacted the package signing mechanism and the installation process of post-install scripts. Tracked as CVE-2021-30892, the vulnerability was found in macOS Monterey 12.0.1 and in the Big Sur and Catalina updates, and has been patched.
Multiple flaws in FreeSwitch
A set of five vulnerabilities has been identified in FreeSwitch, a telecoms stack software. The bugs lead to denial of service, information leakage, and authentication issues for systems running the software. Three of the vulnerabilities are tracked as CVE-2021-41105, CVE-2021-41145, and CVE-2021-37624, with CVSS scores of 7.5, 8.6, and 7.5, respectively, and are rated high-severity.
Top Scam Reported in the Last 24 Hours
Latest Discord scam
An active scam is making the rounds on Discord and is disseminated via bot accounts or accounts owned by scammers. The scam is not after Discord credentials; it is actually preying on Steam users and lures targets with free Discord Nitro. Targets are sent a link that asks them to connect their Steam account in exchange for a free month of Nitro.