Morphisec Cybersecurity Blog

Security News in Review: Emotet Botnet Taken Down; Trickbot Makes a Return

Written by Matthew Delman | February 3, 2021 at 3:00 PM

Every week, the Morphisec team works hard to bring you the top stories from around the security media-sphere to make your job of securing your critical infrastructure easier.

In today’s weekly edition of Security News in Review, you’ll find news stories about a takedown of the Emotet botnet, the return of Trickbot, and an announcement that the FonixCrypter gang has decided to take down their own ransomware. 

Now on to the news: 

A Fifth of Sunburst Backdoor Victims from Manufacturing Industry -- Analysis of the SUNBURST backdoor that affected SolarWinds customers showed that a third of the impacted companies were industrial organizations, with fully 18% coming from the manufacturing sector. The industrial organizations were located around the world, including Benin, Canada, Chile, Djibouti, Indonesia, Iran, Malaysia, Mexico, the Netherlands, the Philippines, Portugal, Russia, Saudi Arabia, Taiwan, Uganda, and the United States.

The world's most dangerous malware botnet was just disrupted by a major police operation -- Europol, the FBI, the UK's National Crime Agency and others coordinated an action last week that took control of the infrastructure supporting the Emotet botnet. The operation was two years in the making, and it leaves authorities in command of what had quickly become one of the most potent pieces of malware in cybercriminals' arsenal. As of last week, machines still infected with Emotet connect to infrastructure controlled by law enforcement rather than to the operators.

Trickbot is back again - with fresh phishing and malware attacks -- The disruption of the Trickbot botnet was something of a Pyrrhic victory. Although Microsoft and a coalition of other cybersecurity and technology companies disrupted the Trickbot network in October 2020, researchers have identified a new Trickbot campaign focusing on legal and insurance companies in North America. That the botnet resurfaced should come as little surprise: the infrastructure cybercriminals use is decentralized for the most part, so disruptions are rarely long-lasting.

Ransomware Hits OT Systems at Packaging Giant -- WestRock, the second-largest packaging company in the United States, announced last week that its network and production were disrupted by a ransomware attack. The incident affected both its information technology and its operational technology, a prime example of the risk manufacturers face to their OT systems as well as their IT. OT is increasingly becoming a target for threat actors, especially as OT and IT systems become more tightly coupled within the organization.

North Korea Targets Security Researchers in Elaborate 0-Day Campaign -- Hackers linked to the North Korean government have been targeting malware researchers with an elaborate social engineering campaign that first builds a trusted relationship with the researcher and then infects their machines with a malicious backdoor. The threat actors approach vulnerability researchers by proposing a collaboration on security research, and then share an infected Visual Studio project.
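A Visual Studio project can run an arbitrary command line when it is built, through its pre-build, pre-link and post-build events and through `Exec` tasks in custom targets, so a project received from an unfamiliar collaborator deserves a look at those hooks before anyone opens or builds it. The scanner below is an added example written for this article, not code from the page, the campaign's tooling or any vendor; the sample `.vcxproj` is constructed for illustration, and the list of living-off-the-land binaries it flags is a judgment call by the example's author.

```python
import xml.etree.ElementTree as ET

# MSBuild elements that carry a command line executed during the build.
# These tag names are standard MSBuild; the scan ignores XML namespaces so it
# works on projects with or without the msbuild/2003 namespace declaration.
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")

# Binaries and script hosts commonly abused to launch a payload from a build
# hook. Assumption of this example: legitimate projects rarely call these.
SUSPICIOUS_TOKENS = (
    "rundll32", "regsvr32", "powershell", "mshta", "certutil",
    "wscript", "cscript", "cmd.exe", "bitsadmin",
)

# Constructed sample project: one benign post-build copy, one pre-build event
# that loads a DLL via rundll32, and a custom target that runs PowerShell.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent>
      <Command>rundll32.exe $(ProjectDir)helper.dll,Start</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>xcopy /Y $(TargetPath) $(OutDir)</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="powershell -w hidden -ep bypass -File $(ProjectDir)setup.ps1" />
  </Target>
</Project>
"""


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def find_build_hooks(vcxproj_xml: str):
    """Return [(hook_kind, command_line)] for every build-time command in the project."""
    root = ET.fromstring(vcxproj_xml)
    hooks = []
    for el in root.iter():  # document order
        name = _local(el.tag)
        if name in EVENT_TAGS:
            for child in el:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    hooks.append((name, child.text.strip()))
        elif name == "Exec":
            cmd = el.get("Command")
            if cmd and cmd.strip():
                hooks.append(("Exec", cmd.strip()))
    return hooks


def suspicious_hooks(vcxproj_xml: str):
    """Subset of build hooks whose command line mentions a flagged binary or script host."""
    flagged = []
    for kind, cmd in find_build_hooks(vcxproj_xml):
        lowered = cmd.lower()
        if any(token in lowered for token in SUSPICIOUS_TOKENS):
            flagged.append((kind, cmd))
    return flagged


if __name__ == "__main__":
    for kind, cmd in find_build_hooks(SAMPLE_VCXPROJ):
        marker = "SUSPICIOUS" if (kind, cmd) in suspicious_hooks(SAMPLE_VCXPROJ) else "ok"
        print(f"[{marker}] {kind}: {cmd}")
```

Run against a real project with `find_build_hooks(open("proj.vcxproj").read())`. The check is deliberately simple: it reports every build-time command so a reviewer sees them all, and only the string match against the token list is opinionated. A clean result is not proof of safety (a project can also pull in `.props`/`.targets` files, and a compiled dependency can carry code too), but a `rundll32` or `powershell` command in a pre-build event of a project you were just handed over chat is a strong reason to stop and look closer.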

Targeted Phishing Attacks Strike High-Ranking Company Executives -- A phishing campaign active since May 2020 has targeted senior-level executives at several companies. The attackers go after high-level executives who may be less cybersecurity savvy and thus more likely to be deceived by malicious links. By targeting senior executives, the attackers also increase the likelihood that they will gain access to privileged information. 

FonixCrypter ransomware gang releases master decryption key -- The threat actors behind the FonixCrypter ransomware announced on Twitter recently that they were shutting down the ransomware. They said that they had deleted the ransomware's source code and released a master decryption key, along with a decryption tool and instructions, so that victims of FonixCrypter can recover their files. The decrypter works, but victims have to feed it individual files one at a time. A better decryptor tool is in the works. 

Netwalker ransomware website seized by law enforcement: 5 details -- Law enforcement officials seized the leak site operated by the Netwalker ransomware gang on January 27. The ransomware has been responsible for a number of attacks on healthcare organizations, including the University of California San Francisco. The seizure does not take down the ransomware itself, only the leak site where the cybercriminals published stolen data.