Cyber Security Headlines – May 12, 2022

Old botnets are new again

Nuspire’s Q1 2022 Threat Report found a resurgence in activity from several older botnets, including Mirai, STRRAT, and Emotet. Mirai and STRRAT showed a spike in activity with the rise of the Spring4Shell vulnerability in February 2022. Overall, Nuspire found botnet activity up 12.21% in Q1 compared to Q4.

And researchers at Secureworks’ Counter Threat Unit found new malware samples on VirusTotal that show evidence of new activity from the REvil ransomware organization. These samples showed modifications to known REvil samples, indicating it is under active development. REvil’s Tor server infrastructure was seized by a multi-country law enforcement operation in October 2021.

(Security Magazine)

Meta withdraws Oversight Board guidance request

Meta initially requested guidance from the Oversight Board on its content moderation decisions around Russia’s invasion of Ukraine. This is the first request Meta has withdrawn. The company said it withdrew the guidance request due to “ongoing safety and security concerns” but did not elaborate on any specifics. The Board said it was “disappointed” by Meta’s decision but said it did not “diminish Meta’s responsibility” about ongoing content moderation issues that have cropped up since the start of the war. 

(Axios)

EU proposes new CSAM rules

The European Commission unveiled a plan that would require tech companies in Europe to scan platforms and products for child sexual abuse material or CSAM. While many platforms already scan for hashed versions of known CSAM, this new plan would let EU countries require tech companies to seek out and report new CSAM. Some privacy experts warn that this law could force platforms to create encryption backdoors in order to be in compliance, as scanning for new CSAM would not have hashes to go off of. The plan requires approval of EU member states and the European Parliament, so it may be years until a final version of this plan becomes effective.

(Protocol)

AMD and Google audit Epyc CPU security

Google Cloud released its detailed audit of AMD’s Secure Processor used in its Epyc CPUs. This involved providing Google’s Project Zero and Cloud security teams with closely guarded AMD source code. It also gave Google access to specialized hardware for mounting physical attacks against AMD silicon. It’s unclear how many vulnerabilities were discovered in this collaboration, but Google did list some specific findings, outlined potential attack scenarios, and offered general areas of improvement. The goal was to better secure Google’s Confidential Virtual Machines offering.

(Wired)

Thanks to our episode sponsor, Datadog

In this on-demand webinar, you’ll learn how to best utilize the suite of Datadog Cloud Security products to identify the root cause of an attack and how a unified platform provides real-time threat-detection and continuous configuration audits across applications, hosts, containers and cloud infrastructure.
Built on top of the observability platform, Datadog brings unprecedented integration between security and devops aligned to shared organizational goals.
Watch the on-demand webinar now to learn how to get full-stack security for your production environment at datadoghq.com/ciso/

Biden signs cybercrime bill into law

The new Better Cybercrime Metrics Act requires the Justice Department to work with the National Academy of Sciences to develop a taxonomy for cybercrime that can be used by law enforcement agencies. It also requires the Justice Department to create a category in the National Incident-Based Reporting System for various cybercrime categories, so that reports from federal, state, and local officials can be more easily tabulated and studied. The Act also mandates the Government Accountability Office to issue a report on the effectiveness of existing cybercrime mechanisms. The Better Cybercrime Metrics Act received bipartisan support, passing the Senate in December, followed by the House in March. 

(The Register)

Vanity URLs could be social engineering fodder 

Researchers at Varonis note that company-branded URLs added to well-known cloud services could be an effective phishing attack vector, as these could easily contain modified subdomains. These spoofed vanity URLs could seem completely legitimate and lead to the actual cloud service, but be used to host malicious documents or webinars. Varonis notified both Box and Zoom about potential issues with vanity URLs last year, and both took measures to largely remediate the issue. But the researchers warn that many other cloud services could be vulnerable to similar social engineering.

(Dark Reading)

Years-long phishing scheme targeted German automakers

Researchers at Check Point documented this campaign, which targeted a host of German companies in the automotive supply chain, from manufacturers to dealerships. Starting in July 2021, the actors created lookalike domains of legitimate sites, using them to send phishing emails carrying malware payloads packaged as ISO disk image files to avoid detection. Check Point identified 14 targeted entities, with messages tailored for each organization. The information-stealing payloads were registered to an Iranian persona. The campaign’s goal appears to be industrial espionage.

(Bleeping Computer)

A look at ransomware trends of 2022

SecureList put out a list of ransomware trends to be on the lookout for in the rest of the year. One that we’ve seen on this show before is threat actors trying to develop cross-platform ransomware to be as adaptive as possible. We’ve seen this with ransomware being written in Rust and Golang to make it easier to port to other platforms, as well as harder to analyze. Another trend is the industrialization of ransomware, with affiliate models increasingly the norm. As we’ve seen in the Conti leaks, in many ways these ransomware operations run on typical software development practices. The Conti leaks are also illustrative of the third trend: ransomware gangs taking sides in geopolitical conflicts. We saw the pro-Russian stance of Conti lead directly to data being leaked by pro-Ukrainian members.

(SecureList)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.