Emotet is Back and Possibly Poised to Fuel Major Ransomware Operations

DHS plan aims to boost CISA's cybersecurity workforce, Moses Staff's motivations are purely political, Newly discovered flaws could crash Zoom, Ransomware hits Turkey's top food delivery site, more

Despite an international operation that took over the notorious Emotet cybercrime infrastructure in January, and a German law enforcement action that erased the Emotet malware from infected devices in April, researchers from Cryptolaemus, GData, and Advanced Intel have begun to see the TrickBot malware dropping a loader for Emotet on infected devices.

The researchers say that the threat actors behind this revival are using a method dubbed "Operation Reacharound" to rebuild the Emotet botnet on top of TrickBot's existing infrastructure. Although Emotet relied on spam campaigns in the past, there are no signs of spamming activity now, nor are any malicious documents dropping the malware. These differences are likely because the Emotet infrastructure is being rebuilt from scratch and because new reply-chain emails will first have to be stolen from victims before they can be used in future spam campaigns.

"It is an early sign of the possible impending Emotet malware activity fueling major ransomware operations globally given the shortage of the commodity loader ecosystem," Advanced Intel's Vitali Kremez said. The new Emotet infrastructure is growing fast, with over 246 infected devices already acting as command and control servers. Malware tracking non-profit organization Abuse.ch released a list of command and control servers utilized by the new Emotet botnet and strongly suggests network admins block the associated IP addresses. (Lawrence Abrams / Bleeping Computer)

Related: The Record, Security Affairs, Bleeping Computer, Cyberwtf, Cofense

Vitali Kremez @VK_Intel
2021-11-14: 🔥The "#Emotet partner ($) loader" program appears resorcing from existing #TrickBot infections. 📌TrickBot launched what appears to be the newer Emotet loader. 👇
cyber.wtf/2021/11/15/gue…

Vitali Kremez @VK_Intel

Introducing #Emotet C&C Loader Backend View in... SB Admin Favicons 😉 1⃣Partners ($) 3⃣Loader Tasks (plugins, updates) 3⃣IMAP/POP This template design is quite unsophisticated for one of the largest botnet in existence h/t @PolitieTHTC https://t.co/htiAlbTnp3

The Department of Homeland Security unveiled the Cyber Talent Management System, designed to help the Cybersecurity and Infrastructure Security Agency fill vacancies.

The new system is intended to cut through the bureaucratic red tape of the federal hiring process by shifting focus away from traditional benchmarks, such as longevity, and toward new aspects like technical skills. A newly adopted interim rule will allow DHS to hire cybersecurity professionals at salaries of up to $255,800, the same amount Vice President Kamala Harris gets paid, and, in certain circumstances, as much as $332,100 as part of a bid to compete with the more lucrative private sector. (Martin Matishak / The Record)

Related: NextGov, The Hill, DHS News Releases, CBS News, FedScoop, Bloomberg Law, DHS, Federal Register

The new hacking group known as Moses Staff has openly attacked Israeli organizations, breached their networks, and encrypted their data but refused to negotiate ransom payments. Check Point researchers say the group’s failure to act like traditional ransomware actors stems from the political motivations behind the attacks.

Moses Staff openly admits to targeting the Israeli Zionist regime in support of the occupied Palestine territories. Consequently, they often encrypt and then leak a victim’s data without even attempting to engage in a ransom negotiation process. (Catalin Cimpanu / The Record)

Related: Check Point Research, Bleeping Computer, The Hacker News

Russian infosec company Positive Technologies, which the U.S. government has sanctioned, discovered three vulnerabilities in Zoom that malicious actors could exploit to crash or hijack on-prem instances of the videoconferencing system.

One of the three bugs, tracked as CVE-2021-34414 and patched in September, is an input validation flaw that a malicious Zoom portal administrator could abuse to inject and execute arbitrary commands on the machine hosting the software. Two related holes, CVE-2021-34415 and CVE-2021-34416, could be exploited to crash Zoom. (Gareth Corfield / The Register)

Related: Security Week, HackRead, Habr, Positive Technologies, TechRadar, Help Net Security

Turkey’s largest online food ordering website and application, Yemeksepeti, said that some “ill-minded” people contacted the company and threatened to release unaccredited data associated with the platform, demanding ransom in exchange.

The company denied claims that its database was breached by hackers demanding ransom. The hackers, however, reiterated their claim and accused Yemeksepeti of lying because, they contend, the company does not know how the breach took place. The hackers threaten to release employees’ addresses and phone numbers within a week if their demands are not met. (Daily Sabah)

Related: Haberler, Onedio, Bianet


Research by COMSEC, the security group of the Department of Information Technology and Electrical Engineering (D-ITET) at ETH Zürich, presented a new Rowhammer technique that allows unprivileged attackers to change or corrupt data stored in vulnerable memory chips on virtually all DDR4 modules.

Unlike previous versions of Rowhammer, which hammered rows with uniform patterns, such as single-sided, double-sided, or n-sided, this version uses non-uniform patterns that access two or more aggressor rows at different frequencies. The new technique can bypass all mitigations deployed inside the DRAM itself. (Dan Goodin / Ars Technica)

Related: Candid.Technology, Comsec, Bleeping Computer

China Telecom’s U.S. subsidiary asked a U.S. appeals court to block the Federal Communications Commission (FCC) decision to revoke the telecommunication company's authorization to operate in the United States.

On October 26, the FCC ordered China Telecom to discontinue U.S. services by early January after citing national security concerns. China Telecom is arguing the FCC should have first held an administrative hearing. The company also noted the agency considered action for 18 months and claimed the FCC had offered no evidence "of any imminent threat." (David Shepardson / Reuters)

Related: ZDNet Security, Infosecurity Magazine, The Register

Annapolis-based network security company Netography raised $45 million in a Series A venture funding round.

San Francisco-based Bessemer Venture Partners and cybersecurity-focused SYN Ventures led the round with participation from Andreessen Horowitz, Mango Capital, Harpoon Ventures, and Wing Venture Capital. (Stephen Babcock / Technical.ly)

Related: Business Wire Technology: Security News, Security Week

London and Amsterdam-based cybersecurity startup Hadrian closed a €2.5 million (around $2.8 million) pre-seed round to help it build an autonomous offensive security solution.

San Francisco-based Village Global and Amsterdam-based Slimmer AI led the round. (Patricia Allen / EU Startups)

Related: Silicon Canals

Photo by Muhannad Ajjan on Unsplash