
Cyber Intelligence Briefing: 29 January 2021

Billy Gouveia, Mona Damian 29 January 2021


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.

OVERVIEW

Cyber Threat Intelligence Briefing

Police take down Emotet and seize NetWalker’s leak site

  • Police seized control of hundreds of Emotet servers in a coordinated global operation. Emotet’s operators spread the malware using phishing and malicious website links, and then sold access to other cybercriminals to deploy Trojans, credential stealers, and ransomware.[1]
  • International police acted simultaneously to ensure Emotet could not fail over to other servers. Police seized servers in Ukraine, Germany, France, Canada, the US, the UK, Lithuania, and the Netherlands.[2]
  • NetWalker’s ransomware leak site was seized in a joint US-Bulgarian operation. Bulgarian police took down the dark web site the ransomware group used to publish stolen data. Meanwhile, the US Department of Justice charged a Canadian man suspected of participating in NetWalker attacks.[3]

So what? While the disruption of Emotet's operations may bring brief respite, it is likely the group's remaining team will bring replacement infrastructure online in the coming weeks.

North Korea targets security researchers to install backdoors

  • North Korean hackers used fake social media accounts to build trust with researchers and then infect their systems with malware. The victims worked on vulnerability research at multiple firms.[4]
  • The threat actor may have leveraged zero-days. Some victims were running fully patched, up-to-date Windows 10 and Chrome at the time of compromise, which suggests the attackers had access to unpatched (zero-day) vulnerabilities.

So what? Be wary of unknown parties reaching out on social media and sending attachments or project files to "collaborate" on research; open untrusted files on an isolated machine rather than your primary research workstation. Use Group Policy (for example AppLocker or Software Restriction Policies) to block execution of untrusted executables and DLLs from user-writable locations, rather than relying on users to spot malicious file extensions.

Attackers jab at UK residents with COVID-19 phishing scheme

  • Hackers steal sensitive data through COVID-19 vaccination phishing email. Masquerading as the NHS, threat actors used the promise of a vaccine to steal bank details and personal documents.[5]

So what? Attackers continue to find new ways to use COVID-19 to scam the public and it does not look to be easing up any time soon. Double check all suspicious emails and remain vigilant.

Mimecast: Another victim of the SolarWinds attack

  • Mimecast confirmed that the same threat actor behind the SolarWinds attack is responsible for the security breach it recently disclosed.[6] Mimecast warned that encrypted credentials for some US and UK accounts were accessed, and possibly exfiltrated.

So what? While Mimecast noted the credentials were not decrypted or misused, Mimecast customers in the US and UK should err on the side of caution and reset their credentials immediately. 

Nefilim Ransomware exploits ‘ghost’ account

  • Attackers exploited an active admin account belonging to a deceased employee. The ‘ghost’ admin account, which still held high-level privileges, was under the attackers’ control for over a month, giving them time to exfiltrate hundreds of gigabytes of data.[7]
  • Deploying Nefilim ransomware was their final step, with payment demanded in return for a decryption key.[8]

So what? Accounts of past employees should be disabled as part of offboarding. Conduct regular Active Directory audits to scrutinise admin account membership and activity, and ensure your joiners, movers, and leavers process is watertight, so that an account never outlives the person it was issued to.
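The audit recommended above can be scripted. The following is an added example, not code from the S-RM briefing or from Sophos, of a PowerShell check that enumerates enabled members of privileged Active Directory groups and flags the signs of a ghost account: no recent logon, no recorded owner, or a password that has not been rotated in a year. It assumes the RSAT ActiveDirectory module, read access to the domain, and the group names and thresholds shown, which you should adjust to your environment.

```powershell
# Added example (not the briefing's or Sophos's code): audit enabled members of
# privileged AD groups for ghost-account indicators. Group names, the 30-day
# logon threshold and the one-year password age are assumptions.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$StaleAfterDays   = 30
$Cutoff           = (Get-Date).AddDays(-$StaleAfterDays)
$PasswordCutoff   = (Get-Date).AddDays(-365)

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirect admins are not missed
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet, Manager, Description |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            $Reasons = @()
            if (-not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff) {
                $Reasons += "no logon in the last $StaleAfterDays days"
            }
            if (-not $_.Manager) {
                $Reasons += 'no manager recorded (nobody owns this account)'
            }
            if ($_.PasswordLastSet -and $_.PasswordLastSet -lt $PasswordCutoff) {
                $Reasons += 'password older than one year'
            }
            if ($Reasons) {
                [pscustomobject]@{
                    Group           = $Group
                    SamAccountName  = $_.SamAccountName
                    LastLogonDate   = $_.LastLogonDate
                    PasswordLastSet = $_.PasswordLastSet
                    Manager         = $_.Manager
                    Reasons         = ($Reasons -join '; ')
                }
            }
        }
}

$Findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Disable, rather than delete, confirmed leaver accounts so group membership
# and audit history survive. -WhatIf previews the change; remove it to apply.
# $Findings | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Two caveats. LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag real activity by up to 14 days, so treat the 30-day threshold as a coarse filter. More importantly, an account in active use by an intruder, as in the Nefilim case, will not look stale at all; the logon-based check only catches accounts nobody is using. The durable control is the cross-reference with HR: every enabled privileged account should map to a current employee, which is why the script also flags accounts with no recorded manager.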

Grindr fined USD 11.7 million for revealing private details, in breach of GDPR

  • Grindr, a popular LGBTQ dating app, was fined USD 11.7 million for revealing users’ private details to advertising firms.[9] Norway’s Data Protection Authority (DPA) ruled Grindr’s data mining and sharing practices in breach of the General Data Protection Regulation (GDPR). The regulator noted that Grindr’s data sharing put lives at risk in countries where homosexuality is illegal.

So what? If you are collecting and sharing users’ data with third parties, ensure users are clearly informed about how their data is used.

 

References

[1] ‘International Action Targets Emotet Crimeware’, Krebs on Security, 27 January 2021.

[2] Ibid.

[3] ‘Emotet Takedown Disrupts Vast Criminal Infrastructure; NetWalker Site Offline’, ThreatPost, 27 January 2021.

[4] ‘North Korean hackers are targeting security researchers with malware, 0-days’, Bleeping Computer, 25 January 2021.

[5] ‘Beware of this active UK NHS COVID-19 vaccination phishing attack’, Bleeping Computer, 25 January 2021.

[6] ‘Mimecast links security breach to SolarWinds hackers’, Bleeping Computer, 26 January 2021.

[7] ‘Nefilim Ransomware Attack Uses “Ghost” Credentials’, Sophos, 26 January 2021.

[8] Ibid.

[9] ‘Grindr is fined $11.7 million under European privacy law’, New York Times, 25 January 2021.

To discuss this article or other industry developments, please reach out to one of our experts: Billy Gouveia, Senior Managing Director, or Mona Damian, Senior Analyst.
