Lawrence Abrams reports: In a concerning development, the notorious Emotet malware now installs Cobalt Strike beacons directly, giving immediate network access to threat actors and making ransomware attacks imminent. […] Today, Emotet research group Cryptolaemus warned that Emotet is now skipping their primary malware payload of TrickBot or Qbot and directly installing Cobalt Strike beacons on infected…
Category: Commentaries and Analyses
Microsoft seizes control of websites used by China-backed hackers
Carly Page reports: Microsoft has seized control of a number of websites that were being used by a Chinese government-backed hacking group to target organizations in 29 countries, including the U.S. Microsoft’s Digital Crimes Unit (DCI) said on Monday that a federal court in Virginia had granted an order allowing the company to take control of the websites…
Cloud Service Provider Compromises Use CeeLoader Malware
Lindsey O’Donnell-Welch reports: A series of campaigns, with links to the threat actor behind the SolarWinds supply-chain intrusion, have been targeting cloud service providers with a new malware loader variant called CeeLoader. Researchers with Mandiant in a Monday analysis said they identified two distinct clusters of activity, UNC3004 and UNC2652, which they associate with UNC2452 (also known…
U.S. Military Has Acted Against Ransomware Groups, General Acknowledges
Julian E. Barnes reports: The U.S. military has taken actions against ransomware groups as part of its surge against organizations launching attacks against American companies, the nation’s top cyberwarrior said on Saturday, the first public acknowledgment of offensive measures against such organizations. […] General Nakasone would not describe the actions taken by his commands, nor…
TSA issues security rules for rail operators
Lindsey O’Donnell-Welch reports: New cybersecurity requirements from the Transportation Security Administration (TSA) give freight railroads, passenger rail and rail transit operators a 24-hour deadline for reporting security incidents. Starting on Dec. 31, “high-risk” operators and owners across the rail sector must take a number of steps to bolster the cybersecurity of their systems. They must…
Who Is the Network Access Broker ‘Babam’?
Brian Krebs reports: Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in acquiring remote access credentials — such as usernames and passwords needed to remotely connect to the target’s network. In this post we’ll look at…