TA542 the wonderful people that brought you Emotet appears to be in the middle of a development and testing cycle on new delivery methods. According to researchers at ProofPoint the creators or the Emotet Botnet are potentially looking to find a new delivery method in response to the, long overdue, default disabling of VBA based Macros by Microsoft in their office products. Although ProofPoint seems to think this is development testing, the activity could also be part of a more targeted campaign.

It seems that Amazon’s hotfix for Log4Shell in their AWS environment might have been a bit rushed. According to a review of the hot there are a total of four CVEs specifically related to the hotfix and how it functions. CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071 have a CVSS score of 8.8 and allow for privilege escalation and container escape. It is not often that a fix for one bad bug contains a potentially worse one, but here we are.

The breach of IDAM group Okta in January by the self-promoting group Lapsus$ amidst other high-profile breaches and data leaks this year was a significant concern. The concern rose because when the incident first happened, Okta passed it off as an unsuccessful attempt to breach a third-party vendor’s system that had access to Okta systems. However, in March the Lapsus$ group released screenshots of internal systems including what appeared to be Okta’s superuser system.

CISA has issued another warning that SCADA/ICS systems are being targeted for attack. This time they are in the sights of Nation-State groups and with customized tools. The tools are part of follow-on activities after the initial beachhead has been established. These days gaining initial access to a network, even for infrastructure, does not seem to be a difficult task for nation-state groups.