Cyber Security Headlines: Emotet returns, Google helps with Cobalt Strike, Ticketmaster blames bots for Swift snafu – CISO Series

The pernicious botnet returned to the scene in early November. Researchers last spotted it in action back in July. Researchers at Proofpoint report it’s being used as part of a massive malspam campaign designed to deliver IcedID and Bumblebee malware payloads. Current volume from Emotet sits at hundreds of thousands of emails per day. Targets include the US, UK, Japan, Germany, Italy, France, Spain, Mexico, and Brazil. One sign that Emotet hasn’t kept up with the times: it’s still attempting to lure users into clicking on malicious Office documents, despite Microsoft disabling Office macros by default. To get around that, the emails try to get victims to copy the file to a Microsoft Office Template location, where it would be trusted.
(Hacker News)
The Google Cloud Threat Intelligence team published open-source YARA rules to help detect components of Cobalt Strike attacks on a network. It also released Cobalt Strike-specific indicators of compromise on VirusTotal. One of the keys to distinguishing Cobalt Strike attacks from non-malicious use involved determining the version number being deployed. Non-current releases may indicate a leaked or cracked version commonly used by attackers. Google also released detection signatures for the open-source adversary emulation framework Sliver. Malicious actors increasingly turn to Sliver as a Cobalt Strike alternative, although both remain legitimate tools for security researchers.
(Bleeping Computer)
The ticketing behemoth apologized to Taylor Swift and her fans for “a terrible experience trying to purchase tickets” for the artist’s upcoming tour. It blamed a “staggering number of bot attacks” for issues in the ticket ordering process, saying it received 3.5 billion total system requests. Ticketmaster required fans to register in advance to buy tickets, with over 3.5 million Swifties registering to go into a “waiting room” to buy tickets. Jason Kent of the security firm Cequence said this could actually exacerbate the bot problem, because if bots register for the waiting room, they can purchase tickets much faster than humans once they get through. Kent said the only way to really deal with bots is to identify them as they hit the site and throw the traffic away.
(The Record)
This finding comes from research by MIT Cybersecurity at MIT Sloan, looking at the effectiveness of cyber risk oversight principles developed by the World Economic Forum and the Internet Security Alliance. The research included interviews with CISOs working at Fortune 500 organizations, as well as simulations to understand organizational behavior. The researchers predicted that CEOs following these principles would see 85% fewer incidents and foster proactive resilience to cyber threats throughout their organizations. Previous research by PricewaterhouseCoopers also validated the effectiveness of the principles.
(Dark Reading)
The U.K.’s Competition and Markets Authority began an investigation into Broadcom’s proposed $61 billion acquisition of VMware, opening up a two-week consultation period to hear from “interested parties.” From there it may opt for an in-depth investigation. The deal isn’t just receiving scrutiny in the UK. Last week the European Commission also announced an investigation into the deal, and the US Federal Trade Commission began a deeper second review phase of it last month. Broadcom hopes the acquisition of the virtualization and network security giant will help further broaden its revenue base within the enterprise.
A new report from Avast sheds light on the Chrome extension “VenomSoftX,” which is installed on targeted Windows machines by the ViperSoftX malware, spread through malicious torrent files. This isn’t a new extension; it was first seen by Cerberus and Fortinet researchers in 2020. But since the start of the year, Avast has detected over 93,000 ViperSoftX infections, largely centered on the US, Italy, Brazil, and India. The extension ultimately attempts to copy clipboard contents looking for keys to crypto wallets. Looking at hardcoded wallets in the malware, researchers estimate it has earned its operators roughly $130,000 in crypto. In Chrome the extension appears as a Google productivity app, labeled “Google Sheets 2.1.”
(Bleeping Computer)
The social networking giant revealed it has completed an upgrade to the timing protocol used in its data centers. Meta previously used NTP, which allowed it to sync its server clocks to within a few milliseconds. It has now switched over to the Precision Time Protocol, or PTP, which allows it to sync clocks to within nanoseconds. The telecommunications sector and large hyperscale data center operators commonly use PTP, but it incurs hardware demands that make it impractical for most organizations. Meta says using PTP will enhance user experiences in collaborative applications and video games.
(Silicon Angle)
The seminal/cringeworthy 1995 film Hackers posited that the most common passwords were “god,” “sex,” “love,” and “secret.” Well, according to new findings from NordPass, we haven’t gotten much better at them in the intervening 27 years. Globally, the top five most commonly used passwords it observed were the classic “password,” followed by 123456, 123456789, guest, and qwerty. Compared to 2021, 12345 fell out of the top five, so we’re at least making some progress. Most passwords in the top 200 most commonly used take less than 1 second to brute force. There were some exceptions, like #145 “googledummy,” which takes up to 23 minutes to crack.