Emotet Uninstalls Itself 🤖, Global Ransomware Task Force 🏢, ATT Arrives 📱

CyberLite May 2, 2021

Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.

See a term you don’t understand in this issue? Any word that’s in italics and underlined is explained in a guide that accompanies each issue. Just click on them and you’ll be taken to the guide!

Announcement: This week's issue is out early! I'm away for the next week so wanted to make sure it was successfully delivered before I head off. Next week's issue will be a little different as I'm off the grid and won't able to keep up with the news, but I hope you still enjoy it all the same!

📰 News

Catching you up on everything important that happened this week…

🤖 Emotet Uninstalls Itself

Emotet was previously the largest botnet, with an average of 100,000 to half a million emails being sent per day to infect new systems. Three months ago Europol took control of the botnet, seizing control of hundreds of servers used to run Emotet. Then Europol distributed a new version of Emotet that would uninstall itself in a few months time. That day has finally come.

On Sunday 25th cybersecurity firm Malwarebytes confirmed that their test Emotet machine had successfully started uninstalling the malware. Now all we have to do is wait for the headlines in a few months about "Emotet's Resurgence". Link.

📉 Darkside Ransomware Gang Tries to Short Victims

The Darkside ransomware gang has been trying out a new tactic to extort its victims and profit from attacks. They're offering crooked traders the opportunity to be notified about companies that Darkside is going to attack, then they can profit from any reduction in stock price the company suffers. This would be done by shorting the company's stock, which put simply, means betting that a stock's price will go down.

In most cases shorting a stock just before a cyberattack is going to look incredibly suspicious to the authorities, and often ransomware attacks don't affect a company's stock price enough for a big profit to be made by shorting the stock. So it would be surprising if many people took Darkside up on their offer here given the high risk and low reward, but they won't be the last ransomware gang to try. Link.

🏢 Global Ransomware Task Force Established

A task force made up of 60 organisations has been set up to tackle the ever-increasing threat of ransomware. The task force includes the US Department of Justice, Europol, Amazon, Microsoft and many other large organisations and governments. The task force delivered an 81-page document to the Biden administration this week with lots of ambitious suggestions like seizing ransomware gangs' infrastructure and cryptocurrency wallets. They also want to force cryptocurrency exchanges to implement anti-money laundering measures to make it harder for gangs to collect ransoms. Let's see if any of this can be pulled off and, if it can, will it have an impact? Link.

💡 UK Law Drafts Smart Home Security Laws

The UK has started plans to pass a law setting security standards for smart home devices. Most notably the law would ban default passwords - where devices come with a pre-determined password that attackers can easily find in an online database. This is the legislation we need from governments to start moving IoT security out of the dark ages. Link.

📞 Cellebrite no Longer Fully Functional on iPhones

Last week the founder of encrypted message service Signal Moxie Marlinspike did a teardown of a Cellebrite Physical Analyzer. A device used by law enforcement to break into locked iPhones and extract data. Moxie managed to find lots of vulnerabilities and the next update of Signal will contain a file that corrupts any Cellebrite Physical Analyser that's plugged into a phone with Signal installed.

Cellebrite weren't too pleased with the news and haven't been able to find a way of protecting themselves from Moxie's attack. As a result, they've told users that the Physical Analyser can no longer be used on iPhones when it's using the most obtrusive extraction method. Link.

📱 iOS 14.5 and ATT Have Arrived

The latest iOS update has finally hit and it's a big one for privacy discussions and the ad industry. This update includes the "app tracking transparency" feature which requires apps like Facebook to ask you if you'll allow them to view your activity on other apps. The purpose of this tracking has previously been to deliver better targeted ads and Facebook's spent the last few months arguing that this means that small businesses who rely on Facebook adverts will suffer under this new scheme. There's certainly a thread of truth to that but the impact on small businesses certainly won't be anywhere near as big as Facebook has insinuated.

On the other side of the argument, Apple's been going on about how they care about your privacy more than all these big bad social media companies (not running their own social media platform does make that an easy opinion to hold). The more Apple lockdown iPhones, the more ads they can run about their privacy stance and the more iPhones they sell. Tim Cook's hardly doing this out of the kindness of his heart; it's a business move as much as an ideological one.

This change is an interesting one and it's definitely split the tech community given all the commercial incentives for the companies involved. Privacy isn't a straight forward issue where "more privacy" is always good, but we've certainly gone too far away from online privacy in recent times. We've got lots more discussions like this to come in the future. Link. Fun Tweet.

📷 QR Codes Tampered at Vaccination Sites

Last week I shared an article discussing how easy it would be to replace QR codes and make them lead to malicious websites. Apparently an Australian anti-vaxxer read that article and replaced all of the QR codes at a vaccination site with ones that pointed to a website hosting anti-vaccination "facts". Link.

🐦 Indian Government Removes Critical Social Media Posts

India's in the midst of an increasingly deadly second wave of Covid-19 and their government's been taking a lot of fire for how it's handled the pandemic in recent months. They demanded the removal of around 100 social media posts that were critical of their Covid response making the claim that they would incite panic. In India, if local social media employees don't comply with takedown notices like this they can be jailed. Link.

🎯 New Vulnerabilities

The most interesting new vulnerabilities disclosed this week.

💾 Nvidia disclosed a number of vulnerabilities in its GPU drivers. The most severe of which received a 7.5 CVSS score and would allow an attacker to replace an application's files with malicious code. Attacks would already need access to a victim's system to exploit the vulnerability. Link.

📦 The maintainers of PHP's package manager, Composer, have fixed a vulnerability that could've allowed attackers to swap out a package for a malicious one. It would've been hard to pull off as it required editing a folder that only package owners have access to. However, it's worth keeping an eye on any package manager vulnerabilities; Composer is one of the smaller ones and over 100 million packages are still downloaded monthly from there. Link.

🏠 Researchers at Microsoft discovered 25 critical memory vulnerabilities in IoT devices that would allow threat actors to execute malicious code inside an organisation's network. Many IoT devices have used the same implementation of memory allocation over the years and Microsoft discovered the same or very similar flaws across devices. Link.

🔎 Google has fixed a vulnerability in Chrome's V8 Javascript engine (a program that executes Javascript code) that could've allowed malicious code to be executed. Full details are yet to be released. Link.

💻 Apple fixed an actively exploited zero-day vulnerability in MacOS this week. The vulnerability allowed an application to bypass Apple's normal security checks. MacOS has a feature called Gatekeeper which makes sure that only apps that are "trusted" are able to run, meaning that they've been made by a registered developer and have been scanned for malicious code. A researcher was able to craft an application that ran without going through any of the Gatekeeper checks. Link.

💭 Anything Else?

Other news, ideas and insights from around the web that you might enjoy.

🧠 Bruce Schneider on what a world with AI hackers looks like. Link.

🧪 200 scientists were asked what term or concept ought to be more widely known. Link.

🧑 Top 21 cybersecurity experts you should follow on Twitter in 2021. Link.

🆘 99 bits of unsolicited advice from Kevin Kelly. Link.

❤ Liked what you read?

Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!

If you’re that friend… Sign up here to receive CyberLite every week!

🎁 Wrapping Up

If you’ve got questions, comments or just fancy a chat then shoot me an email or send me a message on Linkedin/Twitter. I’d love to hear from you!

Thanks for reading, I’ll catch you next week!


Oliver Kitchin

Cybersecurity consultant. Passionate about people, technology and the great outdoors. He/Him.

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.