By Adair Thaxton, Internet2 Cyberinfrastructure Security Engineer
Happy February! I hope you all have an enjoyable Valentine’s Day, Galentine’s Day, or half-off-candy day!
In the category of “programming languages nobody wants to admit they’re still using,” perl{.}com had its domain stolen back in September and is now hosted on servers known to host malware. Stolen domains aren’t uncommon, but the real potential for misuse here is against anyone who has perl{.}com configured as a CPAN mirror. If you use Perl, check your CPAN configuration, and you may want to consider restricting access to perl{.}com.
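As an added example (not part of the original post), here is one way to do that check from a shell: dump the mirror list CPAN.pm actually has configured and flag any entry whose host is perl{.}com or a subdomain of it. It assumes a Perl install with the core CPAN module; the domain to flag is a parameter so the same check can be reused for any other hijacked mirror hostname.

```sh
#!/bin/sh
# Added example, not from the original post: list the CPAN mirrors this host
# is configured to use and flag any hosted on a given domain (here perl.com).
# Assumes perl with the core CPAN module is installed.

# Print the configured urllist, one URL per line. CPAN::HandleConfig->load
# reads MyConfig.pm / Config.pm without starting the interactive cpan shell.
cpan_urllist() {
    perl -MCPAN -e 'CPAN::HandleConfig->load(be_silent => 1);
                    print "$_\n" for @{ $CPAN::Config->{urllist} || [] }'
}

# Read URLs on stdin; print those whose host is $1 or a subdomain of it.
# Returns 0 when at least one suspect mirror was found, 1 otherwise.
# A host like "notperl.com" is deliberately NOT matched: only the exact
# domain or a label boundary (".perl.com") counts.
flag_suspect_mirrors() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    found=1
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        # strip scheme, userinfo, then port/path/query to get the bare host
        host=$(printf '%s' "$url" \
            | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#^[^/@]*@##; s#[/:?].*$##' \
            | tr 'A-Z' 'a-z')
        case "$host" in
            "$domain"|*."$domain")
                printf '%s\n' "$url"
                found=0 ;;
        esac
    done
    return "$found"
}

# Stand-alone check: list offenders on stderr and return 1 if perl.com is
# anywhere in the live urllist, 0 if it is clean.
check_cpan_mirrors() {
    if suspects=$(cpan_urllist | flag_suspect_mirrors perl.com); then
        echo "CPAN urllist references perl.com; replace these mirrors:" >&2
        printf '%s\n' "$suspects" >&2
        return 1
    fi
    return 0
}

# Run the check when invoked with "--check"; otherwise the file can simply be
# sourced for its functions.
if [ "${1:-}" = "--check" ]; then
    check_cpan_mirrors
fi
```

If the check flags anything, the fix lives in the cpan shell: `o conf urllist` shows the list, `o conf urllist shift` / `o conf urllist pop` drop the first or last entry, `o conf urllist push <URL>` adds a mirror you trust, and `o conf commit` writes the change to disk.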
Law enforcement officials in eight countries on two continents took action to bring down the EMOTET botnet, which had been used to deliver Trickbot and Ryuk malware among others. Team Cymru was also involved. The officials gained access to the servers and redirected compromised machines to infrastructure controlled by those officials. This action was taken pursuant to the EMPACT (European Multidisciplinary Platform Against Criminal Threats) framework, coordinated by Europol and Eurojust. It’s great that EMOTET was taken down, but I found the EMPACT stuff very interesting. I’m not aware of the U.S. having a similar framework in place, though I hope we do.
In honeypot news, a Dutch engineer built a fake power plant to see who would try to connect to it. He saw a lot of connection attempts, mostly from network scanning services, plus a few targeted attempts to talk to the devices as if they were real power plant equipment. Trend Micro did something similar, with simulated factory devices, for seven months. The Trend Micro article details the variety of attacks against the several types of devices they set up and is a lengthy (due to screenshots) but interesting read.
I hope you’re all continuing to stay safe and warm!
Did you miss an edition? Check out previous Security Scene posts!