News You Might’ve Missed. 25 – 28 Jan

What's new this week in the news for MSPs? Google launches cloud-based zero-trust security for enterprises; Europol announces Emotet malware will uninstall on April 25th; SolarWinds hackers linked to Mimecast security breach; US DoJ announces global action against NetWalker; and SonicWall hacking used its zero-days product, it says.
Let's see what it's all about.

Google Launches Cloud-Based Zero-Trust Security for Enterprises

The BeyondCorp Enterprise framework is now available to businesses, according to Google this week. It's excellent news for those that want the advantage of the zero-trust security model.
The security framework uses the mechanism of shifting access controls from the perimeter to specific devices and users. It lets employees work securely without the need for a VPN.

Google Cloud Security's Vice President and General Manager, Sunil Potti, says in a blog that security teams' most significant challenge is to "enable disruptive innovation in security without disrupting security operations".

According to Google, BeyondCorp Enterprise both extends and replaces BeyondCorp Remote Access, which they launched last year.

Europol Announces Emotet Malware Will Uninstall on April 25th

Law enforcers have begun distributing an Emotet module that will uninstall the malware on April 25th this year.

According to Europol's announcement this week, the disruption of the infamous Emotet email spamming botnet is underway. The Emotet botnet is known for the malicious Word spam attachments that deploy malware such as Qbot and TrickBot. These would usually lead the way to a full network compromise for infected firms. Conti and Ryuk by TrickBot and Egregor or ProLock by Qbot would then be deployed.

After the announcement this week, Milkream, a security researcher, found that Emotet had begun to push down a new module to infected devices. The new module sets tm.tm_mon, which corresponds to the month of the year, to 3. Initially, researchers thought that this was equivalent to the month of March, since 1 was assumed to indicate January.

However, it was later noted that the Microsoft documentation on the time structure states that 0 corresponds to January. So it is now clear that a value of 3 indicates April, not March, making the uninstall day April 25th, 2021, at noon.
The Department of Justice's press release on January 28th also states that the C2 servers were replaced by foreign law enforcement with their own servers to distribute a "law enforcement file".
Now that law enforcement is taking control by distributing a module that will uninstall it, it seems the future for Emotet is bleak. Most experts say it is unlikely to return.

SolarWinds Hackers Linked to Mimecast Security Breach

As reported earlier in January, the Mimecast certificate compromise is one of the increasing list of elements involved in the SolarWinds supply-chain attack, and this was confirmed this week. In the burgeoning huddle with Mimecast are other cybersecurity firms such as Fidelis, FireEye, CrowdStrike, Malwarebytes, Palo Alto Networks, and Qualys.

As announced in January, a Mimecast-issued certificate used in authenticating some of their products to Microsoft 365 Exchange Web Services was compromised. This gave the hackers access to customers' cloud services and on-premises data. It also raised suspicions that their breach was linked to SolarWinds, and they confirmed it this week.

Several US government agencies were affected by the espionage attack on SolarWinds. It all began with a malicious software update that deployed the Sunburst backdoor to approximately 18,000 firms last spring. Following this, the threat actors then selected specific victims for a more targeted attack.

According to federal officials on January 5th, the SolarWinds hack was carried out by a Russian Advanced Persistent Threat group in order to gather intelligence.

Mimecast is advising their customers in the UK and US to reset their credentials as a precautionary measure. They have declined to disclose details on the number of accounts accessed and haven't revealed whether the hackers took advantage of the access they had to their customers' on-premises and cloud services.

According to an anonymous network administrator, the biggest concern is that the breach will significantly impact customers who use Mimecast as a backup to Office 365. It is hoped that Mimecast will release more information to customers soon.

US DoJ Announces Global Action Against NetWalker

According to the US DoJ, a coordinated law enforcement operation to disrupt NetWalker is underway. Among the many victims have been companies, municipalities, law enforcement, hospitals, emergency services, school districts, colleges, and universities. The healthcare sector was a specific target during the COVID-19 pandemic.

NetWalker operates using the ransomware-as-a-service model and will generally gain access to the system days or weeks ahead of a ransom note being delivered to the victim. All the while, the threat actors behind NetWalker are escalating privileges and spreading throughout the network across devices.

To date, officials have charged a Canadian national, Sebastien Vachon-Desjardins, in connection with the attacks. They have also recovered $454,530 in cryptocurrency from ransom payments.
The Dark Web resource used by the attackers to interact with their victims is now disabled. NetWalker affiliates used this resource to send payment instructions and communicate with victims before it was seized in Bulgaria.

Anyone trying to access the site sees a banner stating that it has been seized by federal law enforcement.

SonicWall Hackers Used Its Zero-days Product

SonicWall says highly sophisticated attackers targeted zero-day flaws in its remote access security products. It is currently investigating the attack and hopes to have an update for its customers soon.

Its Secure Mobile Access (SMA) 100 series hardware is one of the primary focuses of its investigation. They are looking for links to reported cyberattacks in any vulnerabilities they find. SMA 100 is a gateway for small- and medium-sized businesses. It lets authorized users access resources remotely.

They have advised their customers to continue to use NetExtender for remote access with the SMA 100 series. This configuration is not susceptible to exploitation.

Currently, further details about the cyberattack itself are not available. On Monday, SonicWall said that "within 24 hours" it would provide another update on the attack and is "committed to transparency during our ongoing investigations".

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back every week for more highlights.