This week’s Cyber Security Headlines – Week in Review, April 26-30, 2021, is hosted by Steve Prentice (@stevenprentice) with our guest, Jerich Beason (@blanketSec), CISO, Epiq.
Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.
Emotet malware officially removed from all infected devices globally
The infamous botnet, once said to power over 70% of global malware infections, was apparently uninstalled from all infected systems yesterday by the law-enforcement update that had been pushed through its seized infrastructure. German police, working with other law enforcement agencies, had seized the Emotet C2 servers and disabled its operations. Emotet was notorious for opening backdoors through which second-stage payloads such as Qbot and TrickBot were delivered, which in turn deployed ransomware such as ProLock, Ryuk, and Conti. The botnet was reported to have been operated by TA542, also known as Mummy Spider.
Computer security world in mourning over death of Dan Kaminsky
Celebrated information security researcher Dan Kaminsky has died. He was 42. Kaminsky rose to fame in 2008 for identifying a critical design weakness in the DNS, part of the internet’s core infrastructure, and worked in secret with software vendors to mitigate the issue before it could be easily exploited, but he had worked behind the scenes in the infosec world for at least two decades. He was also recognized for spotting flaws in SSL and for automating the detection of Conficker infections. He was a stalwart of the security research scene and a much-loved regular at conferences big and small. He would talk with and advise anyone, even paying entrance fees for some researchers or letting them crash on his hotel room floor, and it is this generosity that people are overwhelmingly remembering this weekend.
(The Register and all of us at CISOSeries.com)
India demands removal of critical COVID response content
The New York Times reports that the Indian government ordered Twitter, Facebook, and Instagram to remove roughly 100 posts critical of the country’s COVID-19 response, claiming the posts were misleading and could incite panic. The platforms complied. Twitter withheld the posts in India only; they remain visible elsewhere. The company said the block was required by local law and that the posts did not violate any Twitter policy. Indian law allows local employees of social media platforms to be jailed for failing to comply with takedown notices.
(NYT)
The state of ransomware in Q1
According to Coveware’s Quarterly Ransomware Report, the average ransomware payment in Q1 rose 42% from Q4 2020 to $220,298, and the median payment rose 59% to $78,398. Both are considerable increases, but both remain below the peaks seen in Q3 2020. A small number of very large ransoms tied to the CloP ransomware group pulled the average higher. Attacks that also exfiltrate data for extortion continued to gain in popularity, now accounting for 77% of all ransomware attacks, up 10% on the quarter. Remote desktop compromise was the most common initial access vector, surpassing email phishing and accounting for just under 50% of all attacks; it was most common in organizations of over 10,000 employees.
(Coveware)
Thanks to our episode sponsor, Aptible

Ransomware gang threatens to expose police informants if ransom is not paid
The Babuk Locker gang claims it has downloaded more than 250 GB of data from the Metropolitan Police Department of the District of Columbia. It is giving DC Police officials three days to respond to its ransom demand; otherwise, it says it will contact local gangs and expose police informants. The gang posted screenshots on Tor suggesting it had obtained access to investigation reports, officer disciplinary files, documents on local gangs, mugshots, and administrative files. Babuk Locker is one of the newest ransomware groups operating today and is behind the attack on the NBA’s Houston Rockets that we reported on yesterday.
Babuk ransomware operators announce shutdown
In a forum post titled “Hello World 2,” the operators said they intend to close up shop. When ransomware groups cease operations they often release their encryption keys; the Babuk operators instead plan to make the source code of the Babuk file-encrypting malware publicly available after they close down. The message was modified and subsequently taken down from the forum. One version stated that the group’s recent attack on the Metropolitan Police Department was its final goal, signalling that the shutdown was forthcoming. Babuk only began operating at the beginning of 2021, but quickly targeted enterprise organizations with sophisticated methods, using ransomware customized for each victim with a hardcoded file extension, ransom note, and Tor URL for contact.
FBI shares four million email addresses used by Emotet with Have I Been Pwned
Now that Emotet has been removed from victim machines globally, the millions of email addresses the botnet collected for its malware distribution campaigns have been shared by the FBI with Have I Been Pwned as part of the agency’s effort to help clean up infected computers. Individuals and domain owners can now learn whether Emotet affected their accounts by searching the database. Given its sensitive nature, the Emotet data is not publicly searchable; it is only surfaced to verified email addresses and domain owners. Subscribers to the service who were impacted have already been notified, says HIBP creator Troy Hunt.
Now we need to worry about deepfake satellite images
Concerns about deepfakes, or AI-generated images, usually center on face swapping and impersonating other people. But geographers at the University of Washington recently published a paper documenting how deepfake techniques could be applied to satellite imagery. The paper warns that such fakes are much easier to pass off as credible, both because satellite images are lower resolution and because the public generally assumes these images are trustworthy. An analyst at the National Geospatial-Intelligence Agency also explored the military implications of faked satellite imagery in a 2019 paper, describing fake maps used to mislead troops. The University of Washington researchers hope to raise awareness of the possibility of deepfake maps and of the relative ease of generating them. (The Verge)
Linux malware used to backdoor systems for years
Security researchers at Qihoo 360’s Network Security Research Lab discovered RotaJakiro, a Linux backdoor whose earliest samples were uploaded to VirusTotal in 2018 yet went undetected by all of its anti-malware engines. Domains for the malware’s C2 servers were registered in December 2015. RotaJakiro is designed to operate as quietly as possible: it uses multiple layers of encryption on its C2 communications and encrypts the resource information embedded in the samples the researchers reviewed. It follows a different set of procedures depending on whether it runs as root or as a non-root user, and exposes 12 functions related to data exfiltration. Three further functions are tied to the execution of specific plugins, although it is unclear what those plugins are.
Do we still need manual pen-testing?
A recent survey of IT and security managers by CyCognito looked into whether manual pen-testing remains valuable to organizations as autonomous options grow. The survey found pen-testing is most commonly used to measure a company’s overall security posture and to prevent breaches. 60% of respondents were concerned that pen-testing does not comprehensively cover their infrastructure and leaves blind spots, 44% said comprehensive coverage was prohibitively expensive, and 36% said it provides only a periodic snapshot of security performance. Organizations still find manual pen-testing “a valid way to surface some vulnerabilities in specific, scoped portions of an attack surface at a single point in time,” but cost and an ever-growing attack surface mean it has to be done in conjunction with automated systems. (Security Week)