Welcome to Cyber Security Today. It’s Wednesday, December 8th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
Some good news to tell you about:
Microsoft has disrupted the activities of a China-based hacking group. This comes after a U.S. court allowed Microsoft to seize websites of the gang it calls Nickel. The sites were being used to attack organizations in 29 countries, including government agencies, think tanks and human rights organizations. This gang has been operating since 2016, sometimes by compromising a target organization’s VPN, stealing employee passwords by spear phishing or taking advantage of unpatched Microsoft Exchange and SharePoint servers.
Google said it has temporarily disrupted the command and control infrastructure behind a botnet of 1 million compromised Windows devices. It calls the botnet Glupteba. It’s been stealing victims’ passwords, hiding cryptocurrency miners on their computers and running other people’s internet traffic through their computers and routers. What makes this sophisticated botnet different from others is that it defends itself with a blockchain-based system that retrieves backup domains through three bitcoin wallets. So Google is trying a long shot: it’s suing two persons believed to be in Russia for operating the botnet in violation of U.S. law.
Sophisticated Russian-based threat actors allegedly associated with the Nobelium threat group, which was behind the SolarWinds Orion update compromise, have been spotted by researchers at Mandiant. In a report issued this week the company said it is seeing attacks against service providers to get into other organizations. In at least one instance a compromised VPN account was leveraged to get deeper into a company’s IT systems. In another case the attacker accessed the organization’s Microsoft 365 environment using a stolen digital session token. In some cases victims were hit after going to websites offering free or cracked software. Some victims who use smartphone-based multifactor authentication to protect their accounts were fooled by an attack that launched repeated MFA requests. The user who caved in and accepted the authentication was hacked. IT departments need to tighten security, particularly those using Microsoft’s Active Directory Federation Services, Azure AD and Microsoft 365.
Finally, a few weeks ago I reported that the Emotet botnet appeared to have returned. This week the BleepingComputer news service says the Emotet malware has recently been seen directly installing Cobalt Strike beacons on victims’ computers as soon as they are hacked. That means threat actors using Emotet can carry out data theft and ransomware attacks faster after infection. Until now Emotet would install trojans on infected devices, which would eventually lead to the downloading of Cobalt Strike beacons. One research firm said it isn’t clear if the deployment of Cobalt Strike by Emotet is a test or is already being widely used. Regardless, IT teams have to double their efforts looking for and removing Cobalt Strike from their systems.
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.