Weekly Roundup: Why the Emotet Botnet is No Longer a Problem


Today’s roundup includes how:

  • The Emotet virus was crushed by the authorities 
  • The Netwalker ransomware got sidelined 
  • The number of WordPress exploits keeps growing
  • New malware has been discovered 

Backfiring on Emotet

Cybersecurity experts are shocked and celebrating after hearing that two of the biggest online criminal organizations have been crushed by law enforcement agencies. The police have seized the servers that were running the Emotet botnet, which distributed hundreds of thousands of pieces of malware every day across many countries.

According to a rough estimate, Emotet was behind 30% of all malware attacks worldwide.

This is good news for most companies, because cybercrime skyrocketed in 2020 and law enforcement agencies failed to cope with high-level attacks. The unfortunate part is that shutting down the Emotet servers is just a hiccup for these hackers, and they will be up and running again within a few weeks.

Source: National Crime Agency

Some companies are hit by more than one ransomware attack. If your company experiences a ransomware attack, your first line of defense can be EDR (Endpoint Detection and Response) technology to contain the malware.

Further, you may have to build a completely separate network, possibly offsite, and bridge between the new and old network systems. During these data transfers you might miss some endpoints (after all, there are usually LOTS of computers on most of these networks).

Companies don’t realize that once you are hit by a mid-level ransomware attack, systems are down or malfunctioning for potentially hundreds of hours. And here comes the worst part: your systems may well not function the way they should even after the ransomware attack is mitigated.

To sum up the whole problem in a few words: any ransomware attack on a company is a nightmare.

Additionally, EDR technology sometimes fails to trace a ransomware attack, and companies then have to look at the wider network to find its source. This is where packet sniffers help: they show which information is leaving the system and let you track any beaconing that is happening.
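Beaconing, mentioned above, is a host checking in with the same outside address on a fixed timer. The script below is an added example (not code from the article) that finds such regular check-ins in a constructed connection log; the log format and the thresholds are assumptions.

```python
"""Spot periodic 'beaconing' in outbound connection records.
Added example, not from the original article: the log format and the
thresholds are assumptions, and the records below are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<ISO time> <src_ip> <dst_ip>:<port> <bytes_out>"
SAMPLE_LOG = """\
2021-01-27T09:00:00 10.0.0.5 203.0.113.7:443 512
2021-01-27T09:00:03 10.0.0.5 198.51.100.20:443 120000
2021-01-27T09:05:01 10.0.0.5 203.0.113.7:443 510
2021-01-27T09:09:59 10.0.0.5 203.0.113.7:443 515
2021-01-27T09:12:40 10.0.0.9 198.51.100.20:443 3400
2021-01-27T09:15:02 10.0.0.5 203.0.113.7:443 508
2021-01-27T09:20:00 10.0.0.5 203.0.113.7:443 511
2021-01-27T09:31:15 10.0.0.5 198.51.100.20:443 2100
"""

def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])

def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {(src, dst): (mean_gap_s, jitter)} for src/dst pairs whose
    connections are spaced regularly enough to look like a check-in timer.
    jitter = stdev/mean of the gaps; real user traffic is bursty, not steady."""
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        stamps_by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few connections to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            beacons[pair] = (round(avg, 1), round(jitter, 3))
    return beacons

if __name__ == "__main__":
    for (src, dst), (avg, jit) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every ~{avg}s (jitter {jit})")
```

On the sample, only 10.0.0.5 talking to 203.0.113.7:443 every ~300 seconds is flagged; the bursty traffic to the other address is not.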

The bottom line is that cybercrime is a big headache for companies. 

Roughing up the Netwalker Gang

Netwalker was one of the high-profile gangs that encrypted victims’ computers, stole their data, and threatened to release it unless the victim paid for the decryption key. One of their latest email scams targeted executives and harvested their Microsoft Office 365 login credentials.

The United States and Bulgarian authorities have shut down the websites behind the Netwalker ransomware. The police recently charged a Canadian who was previously involved with Netwalker and allegedly received $27 million over time from ransomware attacks.

Be wary of messages that say: “Your password is about to expire. If you wish to keep using the one that you have, choose ‘Keep password.’” This is a very common scam to trick users into clicking a malicious link.

Remember the hack on the SolarWinds network management platform? 

That single cyberattack shook many top-rated organizations and US government systems to their foundations, because they were running infected software without a single damn clue.

According to Kaspersky, the Netwalker ransomware has infected more industries, and there are more victims, than initially known. Of all the companies and governments that dealt with Netwalker malware, 32% were manufacturing firms, utilities, transportation, energy, and construction firms. The ransomware targeted many industries, especially in countries including Canada and the United States.

But companies continue to be hit by ransomware because they have no clue about access control. In one case, a hacker used the login credentials of a dead employee to gain administrative access. Even more incredibly, hackers have previously created a fictional employee account to befriend employees and get access to company data.

To combat this growing problem, a company’s IT team must: 

  • Delete an account of an employee who leaves
  • Change the username and password when someone shifts their position
  • Create new accounts only for real employees (duh) 

This is an important step to secure your company’s data and employee credentials, because user credentials are one of the easiest targets for hackers.
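The three rules above can be checked mechanically by comparing the account directory with the HR roster. This is an added example, not code from the article: the roster, the directory export and their field names are constructed assumptions, and it flags the dead-employee, fictional-employee and changed-position cases described in the text.

```python
"""Audit directory accounts against the HR roster for the three problems
the article lists: no real employee behind an account, an account whose
owner has left, and an account whose holder changed position.
Added example, not from the article; the roster, the directory export
and their field names are constructed assumptions."""

# Constructed HR roster: employee_id -> (status, current role)
HR_ROSTER = {
    "E100": ("active", "finance"),
    "E101": ("terminated", "admin"),   # left, account never deleted
    "E102": ("active", "admin"),       # moved from helpdesk to admin
    "E103": ("deceased", "sales"),     # the 'dead employee' case
}

# Constructed directory export: one record per account
ACCOUNTS = [
    {"user": "jdoe", "employee_id": "E100", "enabled": True, "role": "finance"},
    {"user": "asmith", "employee_id": "E101", "enabled": True, "role": "admin"},
    {"user": "bwong", "employee_id": "E102", "enabled": True, "role": "helpdesk"},
    {"user": "rlee", "employee_id": "E103", "enabled": True, "role": "sales"},
    {"user": "ghost42", "employee_id": None, "enabled": True, "role": "admin"},
    {"user": "old_intern", "employee_id": "E999", "enabled": False, "role": "sales"},
]

def audit_accounts(accounts, roster):
    """Return sorted (user, finding) pairs for enabled accounts that break
    one of the three rules; a clean directory yields an empty list."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing for an attacker to use
        emp = roster.get(acct["employee_id"])
        if emp is None:
            findings.append((acct["user"], "no employee on record: verify owner or disable"))
            continue
        status, hr_role = emp
        if status != "active":
            findings.append((acct["user"], f"employee {status}: delete account"))
        elif hr_role != acct["role"]:
            findings.append((acct["user"],
                             f"role changed {acct['role']}->{hr_role}: rotate credentials"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, HR_ROSTER):
        print(f"{user}: {finding}")
```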

This is why user awareness training is vital for SMEs and enterprises. Most employees are not trained to deal with credential stuffing attacks and are likely to click on spam email. You might click on a link that promises a COVID-19 heat map or breaking news, because it’s human nature to react quickly to this kind of hot topic.

Moving on, companies must fix their network management issues and apply security patches as they become available. The Netwalker gang specifically used extortion over stolen data to gang up on their victims and push them to pay a ransom.

Cybercriminals are the new-age digital kidnappers, and they leverage the most important thing: data.

WordPress is Under the Wrong Spotlight

WordPress is one of the biggest content management systems worldwide, hosting ecommerce stores, popular websites, and news organizations. It is also a prime target for cybercriminals.

There were a few common ways WordPress was attacked last year, including brute force guessing attacks, dictionary attacks, and login attacks. The best way to avoid such WordPress attacks is to use multi-factor authentication and encourage users to do the same. Cybercriminals can easily take advantage of these weaknesses if users fail to follow basic security practices.

On top of that, WordPress plugins open doors for threat actors to spread malware and infect every website that uses a particular plugin. Cybercriminals have used pirated plugins many times to fool websites and companies.

There is a WordPress plugin that can potentially delete all of your data. Imagine how nasty that can be for a business. Always ensure that you are using a plugin from a reputable site.

There is a reason why cybercriminals exploit WordPress plugins: they want to infect and cripple several company servers so they can pool their computing power and mine cryptocurrency. A group called Rocke has been targeting cloud-based operations for two years, and IT departments have been tracking and checking their networks for this malware ever since.

But cybercriminals have updated their malware over time and made it harder to detect. The simplest way to detect such an attack is to watch server speed: if it slows down, something shady is going on.

A New Malware is on the Loose

A threat actor believed to be based in the Middle East is using new malware to penetrate network servers at top-rated organizations. The malware gives cybercriminals remote access and has been seen on more than 250 web servers.

Most of the victim companies are in the United States, Egypt, the United Kingdom, Lebanon, the Palestinian National Authority, and Israel. IT departments at the impacted organizations have been told to apply security patches.

Further, a security researcher last week discovered malware that bypasses firewalls and network address translation defenses. After this development became known, Google Chrome and other browsers were partially patched with a security update. However, an updated version of the malware forced Chrome and other top browsers to release another patch.

Make sure your browser is updated. There is also a heads-up for Apple and iOS device users, because a recent security update contains three major fixes. So if you are using an iPhone, iPad, or Apple TV, update the software to the latest version, or chances are a cybercrook can compromise your device.

All you have to do is open the Settings app on your device to see the latest updates, then apply them at once to keep yourself safe from cybercriminals. You may not be their biggest target, but that doesn’t mean you’re safe.

After all, botnets are built from the devices of end users like you and me all the time, which means our machines can be used to attack larger conglomerates without our even knowing.

Author: Sameed Ajax

Date: November 24, 2022

6-Feet Tall Tech writer.
