The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.
- Takedowns: Emotet servers seized and NetWalker’s leak site taken down.
- Security researchers targeted: North Korean hackers conduct elaborate social engineering campaign.
- Vaccination phishing scheme: Threat actors target victims with falsified vaccine invitations.
- Another SolarWinds victim: Mimecast affected by the same threat actor.
- Ransomware: ‘Ghost’ account exploited. Attackers leverage deceased employee’s active account.
- USD 11.7 million GDPR fine for Grindr: Europe’s privacy regulation bares its teeth.
Police take down Emotet and seize NetWalker’s leak site
- Police seized control of hundreds of Emotet servers in a coordinated global operation. Emotet’s operators spread the malware using phishing and malicious website links, and then sold access to other cybercriminals to deploy Trojans, credential stealers, and ransomware.
- International police acted simultaneously to ensure Emotet did not switch servers. Police seized servers in Ukraine, Germany, France, Canada, the US, the UK, Lithuania, and the Netherlands.
- NetWalker’s ransomware leak site seized by joint US-Bulgarian operation. Bulgarian police took down the dark web site the ransomware group used to publish stolen data. Meanwhile, the US Department of Justice filed charges against a Canadian man, suspected of NetWalker activities.
So what? While the disruption of Emotet's operations may bring brief respite, it is likely the group's remaining team will bring replacement infrastructure online in the coming weeks.
North Korea targets security researchers to install backdoors
- North Korean hackers used fake social media accounts to build trust with researchers and then infect their systems with malware. The victims worked on vulnerability research at multiple firms.
- The threat actor possibly leveraged zero-days. The victims used fully patched and up-to-date Windows 10 and Chrome browser versions, indicating the hackers used zero-day vulnerabilities.
So what? Beware of unknown parties reaching out on social media and sending attachments. Use group policy configurations to detect and remove files with potentially malicious extensions, e.g. .exe and .dll.
Attackers jab at UK residents with COVID-19 phishing scheme
- Hackers steal sensitive data through COVID-19 vaccination phishing emails. Masquerading as the NHS, threat actors used the promise of a vaccine to steal bank details and personal documents.
So what? Attackers continue to find new ways to use COVID-19 to scam the public and it does not look to be easing up any time soon. Double check all suspicious emails and remain vigilant.
Mimecast: Another victim of the SolarWinds attack
- Mimecast confirmed that the same threat actor behind the SolarWinds attack is responsible for the security breach it recently disclosed. Mimecast warned that encrypted credentials for some US and UK accounts were accessed, and possibly exfiltrated.
So what? While Mimecast noted the credentials were not decrypted or misused, Mimecast customers in the US and UK should err on the side of caution and reset their credentials immediately.
Nefilim Ransomware exploits ‘ghost’ account
- Attackers exploited an active admin account belonging to a deceased employee. The ‘ghost’ admin account, which held high-level access privileges, was compromised for over a month, allowing the attackers to exfiltrate hundreds of gigabytes of data.
- Deploying Nefilim ransomware was their final step, demanding payment in return for a decryption key.
So what? Accounts of past employees should be disabled. Conduct regular Active Directory audits to scrutinise admin account activity and ensure your joiners, movers, and leavers process is watertight.
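A starting point for the Active Directory audit recommended above, as an added example that is not part of the briefing: a PowerShell report of enabled members of privileged groups with no logon in the last N days, which is how a leaver’s still-active admin account shows up. It assumes the RSAT ActiveDirectory module and read access to the domain; the group names and the 30-day threshold are assumptions.

```powershell
# Added example (not from the S-RM briefing): report enabled members of
# privileged AD groups that have not logged on within a threshold.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
# LastLogonDate comes from the replicated lastLogonTimestamp attribute,
# which can lag real logons by up to 14 days, so treat it as approximate.
Import-Module ActiveDirectory

function Get-StalePrivilegedAccount {
    param(
        # Assumed group list; extend with your own tier-0 groups
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        [int]$InactiveDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $seen = @{}
    foreach ($group in $Groups) {
        # -Recursive expands nested groups so indirect admins are included
        $members = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            if ($seen.ContainsKey($m.distinguishedName)) { continue }
            $seen[$m.distinguishedName] = $true
            $u = Get-ADUser -Identity $m.distinguishedName `
                -Properties Enabled, LastLogonDate, PasswordLastSet, Description
            if (-not $u.Enabled) { continue }   # already disabled: not a ghost
            # Accounts that never logged on have no LastLogonDate; flag those too
            $stale = ($null -eq $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
            if ($stale) {
                [pscustomobject]@{
                    SamAccountName  = $u.SamAccountName
                    Group           = $group
                    LastLogonDate   = $u.LastLogonDate
                    PasswordLastSet = $u.PasswordLastSet
                    Description     = $u.Description
                }
            }
        }
    }
}

# Review the report against HR/leavers data before acting on it.
$stale = Get-StalePrivilegedAccount -InactiveDays 30
$stale | Format-Table -AutoSize
# Disable-ADAccount supports -WhatIf, so the clean-up can be rehearsed first:
# $stale | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Cross-check the output against the leavers list, and schedule the report so an account that should have been disabled is noticed in days rather than after a month of attacker access.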
Grindr fined USD 11.7 million for revealing private details, in breach of GDPR
- Grindr, a popular LGBTQ dating app, was fined USD 11.7 million for revealing users’ private details to advertising firms. Norway’s Data Protection Authority (DPA) ruled Grindr’s data mining and sharing practices in breach of the General Data Protection Regulation (GDPR). The regulator noted that Grindr’s data sharing put lives at risk in countries where homosexuality is illegal.
So what? If you are collecting and sharing users’ data with third parties, ensure users are clearly informed about how their data is used.