The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.
- Emotet activity continues to dominate. The Emotet botnet remains a leading source of malicious spam after resurfacing in July following a hiatus.
- Patching Zerologon becomes a priority. Underscoring the criticality of the Zerologon vulnerability, the US Department of Homeland Security advised federal agencies to have patches in place by 21 September 2020.
- In other stories this week, CISA advisories abound, NIST guidance receives a makeover, and Russia moves to ban the use of secure protocols.
Emotet continues its comeback
- The world’s largest malware botnet continues to ramp up, possibly making up for lost time after a security “vigilante” sabotaged the botnet back in July by replacing payloads with GIFs.
- The heightened level of Emotet activity observed in the last few weeks has led to recent advisories from several Computer Emergency Response Teams (CERTs), including those of Italy, France, the Netherlands, and New Zealand, warning about the ongoing spam operation.
- Microsoft and Italian authorities highlight that Emotet campaigns now leverage password-protected ZIP files instead of Office documents.
So what for security teams? Emotet remains a force to be reckoned with. Staying up to date on the latest Emotet tactics and techniques through actionable threat intelligence, deploying anti-phishing controls, and ensuring employees remain vigilant in spotting phishing emails must remain a core focus of any security team. Note that a password-protected archive cannot be opened by a mail gateway that lacks the password, so content scanning alone will not catch this lure; the archive's own metadata (the fact that it is encrypted, and the names of the files inside it) is still visible and is worth acting on.
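As an added illustration of that last point (this is example code written for this briefing, not tooling from S-RM, Microsoft or any CERT), the Python below inspects a ZIP attachment the way a mail gateway could: it reads the general-purpose flag bit that marks an entry as encrypted, lists the entry names (which the ZIP format leaves in cleartext even when contents are encrypted), and returns a verdict. Because the standard library cannot write encrypted archives, the sample "encrypted" ZIP is constructed by building a plain archive and setting the encryption flag in its headers; the file names, contents and the verdict labels are all invented for the example.

```python
import io
import os.path
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"     # local file header signature
CENTRAL_SIG = b"PK\x01\x02"   # central directory file header signature
ENCRYPTED_FLAG = 0x0001       # general-purpose flag bit 0: entry is encrypted

# Extensions a gateway would want to see inside an archive (illustrative lists).
OFFICE_EXTS = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}
EXEC_EXTS = {".exe", ".js", ".vbs", ".dll", ".scr", ".lnk"}


def build_sample_zip(files):
    """Construct a plain, unencrypted ZIP in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def set_encrypted_flag(zip_bytes):
    """Set bit 0 of the general-purpose flag in every local and central header.

    This only reproduces the header state of a password-protected ZIP so the
    sample below behaves like one when inspected; it does NOT encrypt anything.
    Flag offset is 6 in a local header and 8 in a central directory header.
    """
    data = bytearray(zip_bytes)
    for sig, flag_off in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
        pos = data.find(sig)
        while pos != -1:
            off = pos + flag_off
            flags = struct.unpack_from("<H", data, off)[0] | ENCRYPTED_FLAG
            struct.pack_into("<H", data, off, flags)
            pos = data.find(sig, pos + 4)
    return bytes(data)


def inspect_zip_attachment(zip_bytes):
    """Return (encrypted_entry_names, suspicious_entry_names).

    Entry names are never encrypted in the classic ZIP format, so even a
    password-protected archive tells the gateway what it claims to contain.
    """
    encrypted, suspicious = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            if zi.flag_bits & ENCRYPTED_FLAG:
                encrypted.append(zi.filename)
            if os.path.splitext(zi.filename)[1].lower() in OFFICE_EXTS | EXEC_EXTS:
                suspicious.append(zi.filename)
    return encrypted, suspicious


def content_is_scannable(zip_bytes, name):
    """True if the entry's bytes can be read without a password (i.e. AV can see them)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            zf.read(name)
            return True
        except RuntimeError:  # zipfile: "File ... is encrypted, password required"
            return False


def attachment_verdict(zip_bytes):
    """Illustrative gateway policy: encrypted archives cannot be content-scanned,
    so the decision has to rest on metadata alone."""
    encrypted, suspicious = inspect_zip_attachment(zip_bytes)
    if encrypted and suspicious:
        return "quarantine"   # unscannable archive that names Office/executable content
    if encrypted:
        return "hold"         # unscannable; route to detonation or manual review
    if suspicious:
        return "scan"         # plaintext, hand to AV/sandbox as normal
    return "allow"


if __name__ == "__main__":
    lure = set_encrypted_flag(build_sample_zip({"invoice_0921.doc": b"constructed sample body"}))
    print(inspect_zip_attachment(lure), attachment_verdict(lure))
    print("scannable:", content_is_scannable(lure, "invoice_0921.doc"))
```

The point the example makes is that an encrypted archive is a signal in itself: the gateway cannot inspect the document, but it can see that it cannot, and can see the file names, and that is enough to hold or quarantine the message rather than deliver it.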
US federal agencies advised to urgently patch Zerologon vulnerability
- US Department of Homeland Security issued an emergency directive over the weekend telling federal agencies to install a security patch for Windows Servers to fend off the “unacceptable risk” of CVE-2020-1472, known as Zerologon.
- While Microsoft issued a patch for the vulnerability in August, it was the weaponised proof-of-concepts that emerged last week that really highlighted how dangerous the vulnerability is. The bug can be used to hijack Windows Servers running as domain controllers and, from there, to take over an entire internal network.
So what for security teams? Emergency directives from DHS's cyber division are rarely issued, and so are a sign of the potentially dangerous nature of the bug. Security teams outside federal agencies that run Windows Server domain controllers should update those servers accordingly. Note that Microsoft's August update was the first phase of a staged fix: installing it protects domain controllers against the public proof-of-concepts, but full enforcement of secure Netlogon channels followed in a later phase, so the fix should be verified on every domain controller rather than assumed.
Election result delays could be used by actors seeking to spread disinformation
- An advisory published by the Cybersecurity and Infrastructure Security Agency (CISA) warns threat actors could make use of any delays in reporting the results of November’s US Presidential Election to spread disinformation.
- The advisory warns the threat actors “could create new websites, change existing websites, and create or share corresponding social media content to spread false information in an attempt to discredit the electoral process.”
- The recent surge in mail-in ballots and states’ difficulties in meeting mail-in ballot needs has led to warnings from experts that the election result could encounter serious delays, thus leaving plenty of room for malicious actors to use the delays to spread disinformation.
So what? Disinformation in the digital era remains a high-priority national security concern as the United States moves into election season. Verifying information and relying on credible sources, particularly when consuming information on social media, remains of utmost importance in order to prevent malicious actors from successfully using active measures to undermine the democratic process.
Not all industries patch equally
- New research from Kenna Security and the Cyentia Institute show that different industries deal very differently with patching cadences, including patching for high-risk security flaws.
- The report assesses the financial, manufacturing, medical, and technological industries. The healthcare sector stood out as being particularly slow to patch in contrast to its peers. While the average patching time across the industries assessed was 34 days, healthcare organisations on average took 50 days to patch common vulnerabilities.
So what for security teams? Unpatched vulnerabilities pose a significant risk. The most common entry vectors into an environment remain phishing and unpatched systems. Having a rigorous, agile vulnerability management programme in place will significantly enhance any organisation's security posture.
So what for leadership teams? A slow patching cadence exposes an organisation to significant risks. Ensuring the security team has the capacity to patch systems swiftly, particularly critical flaws, should be among a business’s security priorities.
NIST unveils update to its security controls catalog
- The National Institute of Standards and Technology (NIST) has unveiled a "historic" overhaul of its flagship security and privacy guidance document, Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations.
- NIST’s SP 800-53, Revision 5 promises to address structural issues and technical content. The revisions include more outcome-based controls, consolidated controls to serve both security and privacy communities, and establishing a new Supply Chain Risk Management control family.
So what for leadership? This revision of NIST’s flagship controls framework lays the foundation for an organisation’s security, privacy, and supply chain risk management programmes. The revision highlights that, as threat actors’ techniques and tools evolve, so should our security thinking. This latest revision of NIST’s controls catalog should help guide any organisation with putting the controls in place that best serves its security and privacy needs.
Russia seeks to ban the use of secure encryption protocols
- The Russian government is updating its technology laws to ban the use of modern encryption protocols. Protocols that employ encryption, such as TLS 1.3 and ESNI (Encrypted Server Name Indication), hinder the government's surveillance operations.
- It should be noted that the government is not looking to ban all encrypted communications, such as HTTPS; it wants to ban the use of internet protocols that mask the hostname of the site being visited inside HTTPS traffic.
- Third parties, such as telecom providers, are able to determine the site that users are connecting to even when traffic is encrypted with HTTPS, because the Server Name Indication (SNI) field of the TLS handshake is sent in cleartext before any encryption is established. ESNI exists precisely to encrypt that field, which is what makes it a target for surveillance-minded regulators.
So what? As Russia clamps down on increasingly popular secure internet protocols so that its surveillance techniques are not rendered futile, any website that hides its hostname in encrypted traffic could be blocked inside Russia. For organisations with business operations in Russia, this is going to be a big problem.
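To make the cleartext SNI point concrete, the following is an added example written for this briefing (not code from S-RM, the Russian regulator or any TLS library). It constructs a minimal TLS ClientHello with a server_name extension, parses it the way an on-path observer would, and shows that the hostname is readable straight out of the bytes; a second ClientHello carries no plaintext SNI and only an opaque encrypted_server_name extension, for which the parser can recover nothing. The ESNI extension codepoint 0xffce is the draft value as I recall it and is treated here purely as an opaque blob; the hostname, random, and cipher suite list are constructed sample values.

```python
import struct

HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_ESNI_DRAFT = 0xFFCE  # draft ESNI codepoint (assumption); payload treated as opaque


def build_client_hello(server_name=None, extra_extensions=()):
    """Construct a minimal ClientHello record (constructed test data, not a real capture)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry                # ServerNameList length prefix
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    for ext_type, payload in extra_extensions:
        exts += struct.pack("!HH", ext_type, len(payload)) + payload
    body = (
        b"\x03\x03" + bytes(32)                 # legacy_version, random (zeros in the sample)
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                           # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (sni_hostname_or_None, [extension types]) from a ClientHello record.

    Everything read here is unencrypted on the wire, so this is exactly the view
    an ISP or middlebox has of the connection before any key exchange completes.
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                              # skip version and random
    sid_len = body[pos]; pos += 1 + sid_len                   # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len                     # compression_methods
    if pos + 2 > len(body):
        return None, []                                       # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len

    sni, types = None, []
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + length]; pos += length
        types.append(ext_type)
        if ext_type == EXT_SERVER_NAME and len(data) >= 5:
            lpos = 2                                          # skip ServerNameList length
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                lpos += 3
                if name_type == 0:
                    sni = data[lpos:lpos + name_len].decode("idna")
                    break
                lpos += name_len
    return sni, types


if __name__ == "__main__":
    plain = build_client_hello("www.example.com")
    print(parse_client_hello(plain), b"www.example.com" in plain)
    hidden = build_client_hello(None, [(EXT_ESNI_DRAFT, bytes(16))])
    print(parse_client_hello(hidden))
```

The first ClientHello yields the hostname and the name also appears verbatim in the raw bytes, which is all a telecom provider needs to block or log a site; the second yields nothing but the presence of an extension it cannot read, which is the situation the proposed Russian rules are designed to prevent.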
Indicators of compromise
The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with some of the campaigns discussed in this week's set of stories.
Emotet heightened spam activity
The security researcher collective Cryptolaemus (@Cryptolaemus1) continues to be a prime resource for Emotet IOCs:
- 'FBI, CISA: Foreign actors likely to spread disinformation on election results', CyberScoop, 22 September 2020
- 'Healthcare lags behind in critical vulnerability management, banks hold their ground. New research sheds light on which industries are performing well when it comes to patching high-risk', ZDNet, 22 September 2020