Blog entry by Les Bell

by Les Bell - Wednesday, 12 October 2022, 8:16 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


US Airports Hit by Russian-Speaking Hackers

The public websites of over a dozen US airports have been subjected to a DDoS attack, most likely by a Russian hacktivist group known as "Killnet", who last week claimed responsibility for a similar attack on US state government sites.

While the websites of ATL (Atlanta Hartsfield-Jackson), LAX (Los Angeles International) and other airports were inaccessible for some time, there was no disruption to flights or other airport operations, and the only impact was probably to people seeking flight arrival and departure gates, times and similar information.

Wallace, Greg, et al., Russian-speaking hackers knock multiple US airport websites offline. No impact on operations reported, CNN, 10 October 2022. Available online at https://edition.cnn.com/2022/10/10/us/airport-websites-russia-hackers.

Emotet Emerges Once More

The Emotet malware, and its C2 network, have been around since 2014, when the malware first appeared in the form of a banking trojan controlled by a threat group called Mummy Spider. Over the years, it evolved into a sophisticated family of trojan droppers and payloads which were offered in the form of Malware-as-a-Service, with the Emotet operators specializing in the initial infection of the victims, and then on-selling them to their partners for exploitation.

However, in January of 2021, the C2 network was sinkholed in an international operation by Europol, Ukraine arrested two individuals who were behind it, and in a move that saw the end of Emotet, its C2 infrastructure was used to push an update which uninstalled it. Other malware distributors moved into the resultant gap in the market.

But now, with the assistance of the former Conti ransomware gang and the TrickBot botnet, Emotet has been bootstrapped back into existence as a continually evolving modular exploitation toolkit. The latest incarnations go to great lengths to obfuscate the information of their C2 infrastructure - presumably to avoid being sinkholed again.

VMware Threat Analysis Unit has now released a 68-page report which details the latest 'waves' of Emotet, complete with IoCs, timelines and details of the Emotet configurations.

Bagci, Ethem, Emotet Exposed: A Look Inside the Cybercriminal Supply Chain, technical report, 10 October 2022. Available online at https://blogs.vmware.com/security/2022/10/emotet-exposed-a-look-inside-the-cybercriminal-supply-chain.html.

It's Not What You Know - It's Who You Know

In Germany, the Interior Minister, Nancy Faeser, is reported to want to dismiss the president of the Bundesamt für Sicherheit in der Informationstechnik (BSI), the Federal information security agency. Arne Schoenbohm is suspected to have had contact with people involved with Russian security services, according to media reports.

The Cyber Security Council of Germany, of which Schoenbohm was a founder, counts as a member a German company that is a subsidiary of a Russian cybersecurity firm founded by a former KGB employee, according to the reports.

Neither Schoenbohm, the interior ministry nor the BSI has replied to requests for comment.

Mitwollen, Birgit, et al., Germany's cybersecurity chief faces dismissal, reports say, Reuters, 10 October 2022. Available online at https://www.reuters.com/world/europe/germanys-cybersecurity-chief-faces-dismissal-reports-2022-10-09/.

Hackers Start Their Day With Caffeine

Phishing has long been by far the most effective way of obtaining login credentials or delivering malmails, both techniques for initial exploitation after which an attacker can move on to install more sophisticated tools. In a new report, Mandiant researchers have detailed the operation of a new Phishing-as-a-Service (PhaaS) platform called Caffeine, which allows attackers to automate all the boring work and focus on the more interesting and productive parts of their task.

Caffeine is a polished suite of easy-to-use tools which allow anybody to craft customized phishing kits, manage intermediary redirect pages and final-stage lure pages, dynamically generate URLs for hosting malware payloads and even track campaign email activity. Not only is it user-friendly, it is inexpensive and also has a completely open registration process rather than being hidden in the dark web or behind encrypted messaging channels. It is also designed to have wide appeal, featuring email templates for deployment against Russian and Chinese victims.

The Mandiant report provides a comprehensive analysis of Caffeine, along with IOCs and YARA rules for detection of some of its components.

McCabe, Adrian and Steve Sedotto, The Fresh Phish Market: Behind the Scenes of the Caffeine Phishing-as-a-Service Platform, Mandiant blog, 10 October 2022. Available online at https://www.mandiant.com/resources/blog/caffeine-phishing-service-platform.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.