Red Dawn, new attached document from Emotet
The use of a new attached document template by Emotet has been identified over the past week. The name given by security researcher Joseph Roosen to this malicious Word file (.doc), attached to spam campaign emails, is Red Dawn. When opened, the document states that it “is protected” and that the preview is therefore not available, so the user must “enable editing” and “enable content” in order to view it. If the victim follows these steps, malicious macros are executed that download and install the Emotet malware on the system. Earlier this summer, Emotet used a similar template that claimed the document had been created on iOS, again requiring the user to “enable editing” and “enable content” in order to view it. Detecting these Emotet emails is important, since Emotet is the gateway to Trojans such as TrickBot and QBot, and these in turn lead to ransomware such as Conti or ProLock.
Vulnerability in EMV, bank card communication protocol
Researchers have discovered techniques to bypass PIN-code authentication in contactless Visa bank card transactions. This is an EMV protocol flaw, specifically in the cardholder verification method, which lacks cryptographic protection and allows a threat agent to carry out a Man-in-the-Middle (MITM) attack. The researchers reportedly demonstrated that the PIN can be bypassed during payment because the terminal does not request the code, believing the cardholder has already been authenticated. To do so, they used a proof of concept based on an Android application called Tamarin. The proof of concept, carried out in shops and other establishments, was successful in evading the PIN on Visa Credit, Visa Electron and VPay cards.
More info: https://arxiv.org/pdf/2006.08249.pdf
Epic Manchego: obfuscation in maldoc delivery
NVISO researchers have revealed new maldoc obfuscation techniques that evade detection by some security products. These are malicious Excel documents that deliver malware through VBA code and are created without using Microsoft Office. The researchers' analysis revealed the use of tools such as EPPlus, a .NET library for producing Office Open XML (OOXML) spreadsheets. Files built this way contain only uncompiled VBA code (the compiled form is produced only by Office), stored in plain text without encryption but protected by a password that does not need to be entered for the macros to execute. Once the macros are enabled and have run, a payload is retrieved that starts a second infection stage, identified by security vendors as Agent Tesla. In a third stage, after a DLL is dynamically loaded, an infostealer is downloaded to exfiltrate sensitive data from the victim’s computer.
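As an added example (not part of this briefing and not NVISO's tooling), a small Python triage helper for the document traits described above: it flags a spreadsheet that embeds xl/vbaProject.bin, reports whether the VBA project carries a password record, and reads the producing application from docProps/app.xml. The metadata heuristic, the raw-substring check and the constructed sample workbooks are assumptions for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace used by docProps/app.xml in OOXML packages.
APP_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"


def inspect_ooxml(data: bytes) -> dict:
    """Return triage findings for an OOXML (zip-based) document given as bytes."""
    findings = {"has_vba": False, "vba_password_record": False,
                "application": None, "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        vba = next((n for n in names if n.endswith("vbaProject.bin")), None)
        if vba:
            findings["has_vba"] = True
            blob = z.read(vba)
            # The PROJECT stream inside vbaProject.bin holds plain-text key=value
            # lines; per MS-OVBA the DPB= line is the (obfuscated) project password
            # record. Assumption: a raw substring search is enough here; a robust
            # tool would parse the OLE container and decode the record instead.
            findings["vba_password_record"] = b"DPB=" in blob
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            app = root.find(APP_NS + "Application")
            findings["application"] = app.text if app is not None else None
    # Heuristic (assumption): a macro-carrying workbook whose metadata does not
    # name Excel as producer, or has no app.xml at all, was likely generated by
    # a library rather than Office and deserves a closer look.
    findings["suspicious"] = findings["has_vba"] and (
        findings["application"] is None or "Excel" not in findings["application"])
    return findings


def build_sample(vba_project: Optional[bytes], application: Optional[str]) -> bytes:
    """Construct a minimal in-memory workbook for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if vba_project is not None:
            z.writestr("xl/vbaProject.bin", vba_project)
        if application is not None:
            z.writestr("docProps/app.xml", '<Properties xmlns="%s"><Application>%s'
                       '</Application></Properties>' % (APP_NS[1:-1], application))
    return buf.getvalue()
```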
European ISPs suffer DDoS attacks
More than a dozen Internet Service Providers (ISPs) in Europe have reported DDoS attacks targeting their DNS infrastructure. The list of ISPs attacked during the last week includes the Belgian operator Edpnet, France’s Bouygues Telecom, FDN, K-net and SFR, and the Dutch Caiway, Delta, FreedomNet, Online.nl, Signet and Tweak.nl. The attacks did not last more than a day and all were eventually mitigated, but ISP services were down while the DDoS was active. NBIP, a non-profit organization founded by Dutch ISPs to collectively combat DDoS attacks and the Government’s telephone tapping attempts, has provided additional information on last week’s incidents, indicating that “several attacks were directed at routers and DNS infrastructure of Benelux based ISPs”. NBIP adds that “most of the attacks were DNS amplification and LDAP type attacks” and that “some of the attacks took more than 4 hours and reached a volume close to 300 Gbit/s”.