This week’s Cyber Security Headlines – Week in Review, April 26-30, 2021, is hosted by Steve Prentice (@stevenprentice) with our guest, Jerich Beason (@blanketSec), CISO, Epiq.

Cyber Security Headlines – Week in Review is live every Thursday at 4pm PT/7pm ET. Join us each week by registering for the open discussion.

Emotet malware officially removed from all infected devices globally

The infamous botnet that once empowered over 70% of global infections was apparently successfully uninstalled from all infected systems globally, yesterday.German police, in association with other police agencies, has captured the C2 servers of Emotet botnet and disabled operations. Emotet was infamous for making backdoors through which second-stage payloads such as Qbot and TrickBot, were able to procure ransomware malware such as ProLock, Ryuk, and Conti. This botnet was reported to have been operated by TA542, also known as Mummy Spider.

(TechDator Magazine)

Computer security world in mourning over death of Dan Kaminsky

Celebrated information security researcher Dan Kaminsky, has died. He was 42. Though Kaminsky rose to fame in 2008 for identifying a critical design weakness in the internet’s infrastructure – and worked in secret with software developers to mitigate the issue before it could be easily exploited – he had worked behind the scenes in the infosec world for at least the past two decades. He was heralded for his work in spotting flaws in SSL, and in automating the detection of Conficker malware infections. He had been a stalwart of the security research scene for years, and was a much-loved regular at conferences big and small. He would talk with and advise anyone – even paying the entrance fees for some researchers or letting them crash in his hotel room floor – and it was this generosity that people are overwhelmingly remembering this weekend. 

(The Register and all of us at CISOSeries.com)

India demands removal of critical COVID response content

The New York Times reports that the Indian government ordered roughly 100 posts critical of the country’s COVID-19 response from Twitter, Facebook, and Instagram be removed, claiming the posts were misleading and could incite panic. The platforms complied with the order. Twitter specifically blocked the posts in India but remained available elsewhere, saying that the block was required by local law but that the post did not violate any Twitter policies. Indian law allows for local employees of social media platforms to be jailed for not complying to takedown notices.

(NYT)

The state of ransomware in Q1

According to Coveware’s Quarterly Ransomware Report, Q1 saw the average ransomware payment increase 42% from Q4 2020 to $220,298, with median payments up 59% to $78,398. While considerable increases, these both are still below the peaks in ransom payments seen in Q3 2020. A small number of very high ransoms tied to the CloP ransomware group pulled the average higher. Data extortion ransomware attacks continued to gain in popularity, now accounting for 77% of all ransomware attacks, up 10% on the quarter. Remote desktop compromises were the most common vector, surpassing email phishing and making up just under 50% of all attacks, and most common in organizations over 10,000 employees.

(Coveware)

Thanks to our episode sponsor, Aptible

What do the compliance leaders at Datadog, Pagerduty, Fullstory, Sift, PartnerStack, and many other marque companies have in common? They all understand that the ultimate goal of their work is to build trust with customers. And that’s why they all use Aptible Comply to automate compliance management, and then they use the Rooms functionality to share their security documentation, making building customer trust easy. If you want to build trust like the best you can go to aptible.com/ciso to create your free Room now.

Ransomware gang threatens to expose police informants if ransom is not paid

The Babuk Locker gang claims it has downloaded more than 250 GB of data from the Metropolitan Police Department of the District of Columbia. It is now giving DC Police officials three days to respond to their ransom demand; otherwise, they say they will contact local gangs and expose police informants. The gang posted screenshots on Tor that suggest it had obtained access to investigation reports, officer disciplinary files, documents on local gangs, mugshots, and administrative files. The Babuk Locker gang is one of the most recent ransomware groups today and is behind the attack on the NBA’s Houston Rockets that we reported on yesterday. 

(The Record)

Babuk ransomware operators announce shutdown

In a forum post titled “Hello World 2,” the operators said they intend to close up shop. Often when ransomware groups cease operations, they release their encryption keys. However the Babuk operators plan to make the source code for Babuk file-encrypting malware publicly available after they close down. The message was modified and subsequently taken down on the forum. One version indicated the group’s recent attack on the Metropolitan Police Department was its final goal, indicating their shutdown was forthcoming. Babuk only began operating at the beginning of 2021, but quickly targeted enterprise organizations with sophisticated methods, using ransomware customized for each victim with a hardcoded extension, ransom note, and Tor URL for contact.

(Bleeping Computer)

FBI shares four million email addresses used by Emotet with Have I Been Pwned

Now that Emotet has been removed from victim machines globally, the millions of email addresses collected by the botnet for malware distribution campaigns have been shared by the FBI as part of the agency’s effort to clean infected computers. Individuals and domain owners can now learn if Emotet impacted their accounts by searching the database. Given its sensitive nature, the Emotet data is not publicly searchable. Subscribers to the service that were impacted by the breach have already been alerted, says HIBP creator, Troy Hunt.

(Bleeping Computer)

Now we need to worry about deepfake satellite images

Concerns about deepfakes, or AI-generated images, usually centers around using it to swap faces, with concerns about impersonating other people. But geographers at the University of Washington recently published a paper documenting the ways that deepfakes could be used on geographical satellite images. The paper warns that these are much easier to pass off as credible, both because of the lower resolution images, and because the public generally assumes these images are already credible. An analyst at the National Geospatial-Intelligence Agency also imagined the military implications of faked satellite imagery in a 2019 paper, with fakes maps used to mislead troops. The University of Washington paper hopes to spread awareness of the possibility of deepfake maps, and the relative ease of generating them. (The Verge)

Linux malware used to backdoor systems for years

Security researchers at Qihoo 360’s Network Security Research Lab discovered the  RotaJakiro malware, which first had samples uploaded in 2018, but remained undetected by VirusTotal’s anti-malware engines. Domains for the malware’s C2 servers were registered in December 2015. This was designed to operate as quietly as possible, using multiple forms of encryption on its communications and encrypting its resource information in samples reviewed by researchers. The malware has a different set of protocols whether installed on a root on non-root user, with 12 functions related to data exfiltration. Three functions are tied to the execution of specific plugins, although it’s unclear what these plugins are. 

(Bleeping Computer)

Do we still need manual pen-testing?

A recent survey of IT and security managers by CyCognito looked into whether manual pen-testing remains valuable to organizations as autonomous options grow. The survey found pen-testing is most commonly used to measure a company’s overall security posture and prevent breaches. 60% of respondents were concerned that pen-testing does not comprehensively cover infrastructure and leaves blind spots, while 44% said the cost was prohibitively high to be comprehensive, and 36% said it provides only periodic snapshots of security performance. The survey found organizations still find manual pen-testing is “a valid way to surface some vulnerabilities in specific, scoped portions of an attack surface at a single point in time,” but that cost and increasing surface area to cover requires this to be done in conjunction with automated systems. (Security Week)