Europol Disrupts Emotet Botnet 🌍, North Korea Targets Security Researchers 🔓, Malicious Out-Of-Office Emails 📧

CyberLite Feb 2, 2021

Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.

See a term you don’t understand in this issue? Any word that’s in italics and underlined is explained in a guide that accompanies each issue. Just click on them and you’ll be taken to the guide!

🌍 Europol Disrupts Emotet Botnet

Emotet is considered today’s largest botnet, with an average of 100,000 to half a million emails being sent per day to infect new systems.

This week Europol took control of the botnet, seizing hundreds of the Emotet servers used to run it. A database of around 600,000 stolen email addresses and passwords was also recovered.

Law enforcement is now distributing a new version of Emotet to all infected systems that will uninstall the malware on March 25th. It is unknown why law enforcement is waiting two months to uninstall the malware; the most plausible theory is that they want time to gather as much data as possible about Emotet’s operation to aid in future operations.

Looking back: In October last year, a takedown led by Microsoft disrupted the infrastructure behind the Trickbot malware botnet. However, Trickbot has recently shown signs of coming back to life, with new emails trying to distribute the malware being detected. It’s hard to completely remove malware like Emotet that has been used so widely in cybercrime for so long. We’ll have to wait and see if this disruption effort is more successful.

🔓 Security Researchers Targeted by North Korean Hackers

North Korean hackers have been posing as security researchers on social media. The hackers then approached legitimate security researchers asking them to collaborate on a vulnerability research project, sending them links to Visual Studio projects (a popular code editing program). But these links contained malicious code that enabled hackers to send commands to the researchers’ computers.

Research from Microsoft and Google’s Threat Analysis Group (TAG) has attributed the attacks to the Lazarus group which is affiliated with the Kim Jong Un regime. The same group was responsible for attacks on Covid-19 vaccine makers last month.

Their intentions haven’t been disclosed, but having access to the systems of prominent security researchers would be very useful for malicious actors. It could give the North Korean hackers knowledge of vulnerabilities that have just been discovered and haven’t been publicly disclosed and patched yet.

📧 New Business Email Compromise Tactics Emerge

Business email compromise (BEC) attacks are when attackers impersonate a prominent member of an organization or compromise their email account. The attackers then send out fraudulent emails to members of the organization. Researchers have uncovered two new tactics that use Microsoft 365 to carry out more effective BEC attacks.

Read Receipts: Read receipts allow users to be notified when someone has read an email they sent. As a sender, if you enable read receipts on an email, the recipient gets a notification advising them of this alongside the email you sent. These notifications can be abused by attackers. The attacker can alter the email headers so that the target receives a read receipt notification from the Microsoft 365 system, instead of the attacker. When the attacker sends a malicious email it will likely get picked up by security policies and blocked. However, the manipulated read receipt won’t, as it comes from Microsoft 365. The read receipt still contains the content of the original malicious email so this is a cunning way of bypassing email security policies.

Out-of-Office: Microsoft 365 allows users to set up an automatic email reply when someone emails them, primarily used for advising people if you’re out of the office. An attacker can send a malicious email to someone who’s using an out-of-office reply, but by manipulating the email headers (specifically the “Reply-to” header) they can direct that out-of-office reply to another user in the organization. The out-of-office reply will contain below it the original malicious email. This makes it appear that the malicious email has originated from someone within the organization rather than from the attacker, making it much less likely that the email will be blocked by an organization’s email security policies. Here’s an example that explains the attack really well from Graham Cluley, a researcher at Bitdefender:

“So, the email may be sent to one employee (let’s call them John), but the “Reply-to” header contains another employee’s email address (let’s call them Tina). John has his out-of-office reply enabled, so when he receives the fraudulent email an automatic reply is generated. However, the out-of-office reply is not sent back to the true sender, but to Tina instead – and includes the fraudulent email”

These new tactics highlight the importance of always being on the lookout for phishing emails, regardless of who the sender is.
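A defender-side check for the two header tricks described above, as an added example (not from the newsletter or the researchers it cites). It assumes the organization's mail domain is `example.com` and that the read-receipt header involved is `Disposition-Notification-To`, which the newsletter does not name; `redirect_findings` and the sample messages are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's mail domains
# Headers that decide where an automatic response is delivered.
# Disposition-Notification-To is an assumption; the newsletter names only Reply-To.
REDIRECT_HEADERS = ("Reply-To", "Disposition-Notification-To")

def domain_of(address):
    """Return the lower-cased domain of an address, or '' if it has none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def redirect_findings(raw_message):
    """List (header, address) pairs where an external sender points automatic
    responses (out-of-office reply, read receipt) at an internal mailbox."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if domain_of(sender) in INTERNAL_DOMAINS:
        return []  # this check only covers mail arriving from outside
    findings = []
    for header in REDIRECT_HEADERS:
        for _, addr in getaddresses(msg.get_all(header, [])):
            addr = addr.lower()
            if addr != sender and domain_of(addr) in INTERNAL_DOMAINS:
                findings.append((header, addr))
    return findings

# Constructed sample messages, modelled on the John/Tina scenario quoted above.
SUSPICIOUS = """\
From: Accounts <billing@vendor.test>
To: john@example.com
Reply-To: tina@example.com
Subject: Overdue invoice

Please pay today.
"""
BENIGN = """\
From: Accounts <billing@vendor.test>
To: john@example.com
Reply-To: support@vendor.test
Subject: Your receipt

Thanks.
"""

if __name__ == "__main__":
    print(redirect_findings(SUSPICIOUS))
    print(redirect_findings(BENIGN))
```

A hit is a reason to quarantine or tag the message before any auto-reply or read receipt is generated, not proof of fraud on its own.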

🎣 Automated Phishing Just Got More Dangerous

A pre-built kit for carrying out phishing attacks called LogoKit was found on more than 300 sites this week. The software sets up webpages imitating legitimate sites and can adapt logos and text in real-time to better target victims. The LogoKit sites automatically fill in a victim’s email address when they click on a link from a phishing email, making them more confident that they’ve visited the site before.

If a victim does enter their password, this is immediately sent to an external server. The user is then redirected to the legitimate login page for the service they thought they were accessing. Popular targets this week were Microsoft OneDrive and SharePoint. Remember to always check the URL of any website that you’re linked to and make sure you’re accessing the legitimate version of the site.

🔥 Rapid Fire

Some shorter stories…

A security researcher from Google’s Project Zero has discovered a new iOS security feature named Blastdoor. It processes the content from messages sent using iMessage inside a secure and isolated environment to check for any hidden malicious code. Link.

Dutch police arrested two employees from the Dutch health ministry for selling personal data from the country’s Covid-19 systems on the dark web. Ensuring that the right people have access to company data internally is just as important as securing it from attackers. Link.

The ShinyHunters hacking group has stolen personal data from 2.28m members of the online dating site MeetMindful. Dating apps are increasingly being targeted by cybercriminals as they store lots of personal data and usually require access to a user’s location, contacts, and phone camera. Link.

Twitter launched the pilot of its Birdwatch system this week. Birdwatch lets users flag and discuss tweets believed to be misleading or false. This is one of many ways in which social media companies are trying to handle the spread of misinformation. It’ll be interesting to see how successful outsourcing moderation to users is and if other social media platforms try this approach. Link.

The South African Revenue Service this week ran into a problem when Adobe Flash Player support ended. Its solution: create a custom browser that supported Flash rather than updating its website. Link.

The number of ransom-related DDoS attacks grew 154% between 2019 and 2020, a report by Neustar found. A ransom DDoS attack is where the attackers contact a company threatening to carry out a DDoS attack against the company if the ransom isn’t paid. The popularity of these attacks is largely due to their simplicity and low cost. It’s very easy for low-level cybercriminals to rent access to a botnet online for carrying out these attacks. Link.

🎯 New Vulnerabilities

The most interesting new vulnerabilities disclosed this week.

Three iOS zero-day vulnerabilities were reported to Apple by an anonymous researcher. One was in the iOS operating system, which allowed an attacker to elevate their privileges and the other two in WebKit (a component used in the Safari browser) which allowed attackers to run their own malicious code. Experts believe that the three can be chained together to run code that later escalates its privileges to run system-level code (code that has control over the entire system) and compromise the OS. So please, update your iPhones this week. Link.

A vulnerability in the sudo program for Linux could be exploited by an attacker who has access to a low-privileged account to gain admin (root) access. The bug was introduced into the code back in July 2011, so all sudo versions released over the past 10 years can be exploited. Sudo is installed by default on almost all major distributions of Linux. Link.

Microsoft has released a micro-patch to fix a vulnerability in Windows Installer. When Windows Installer runs it creates a script to revert any changes it’s made, in case anything goes wrong. An attacker could alter this script to point it to their own malicious code that would run with system-level permissions (meaning they could carry out nearly any action they wished). Link.

A bug in TikTok would have allowed the private data of users to be stolen by sending spoofed requests to TikTok’s servers. Thankfully it was responsibly disclosed by researchers at Check Point and has been resolved. Link.

Researchers have discovered a new approach to carrying out a NAT slipstreaming attack. This type of attack allows an attacker to establish a direct connection to a victim’s device, bypassing firewalls, if they can get the victim to click on a malicious link. This attack was first revealed in November, but this week researchers have found a way to extend the attack to reach multiple devices within the network, rather than just one. Chrome, Safari, Edge, and Firefox have all issued patches to protect against this new approach. Link.

💭 Anything Else?

Other news, ideas and insights from around the web that you might enjoy.

Signal’s seen explosive growth recently, but does it have a plan to deal with misinformation and malicious content on the platform? Casey Newton delves into the battle going on inside Signal. Link.

Seven threat hunting tools everyone in the industry should be using. Link.

Increasingly the only people paying cybercriminals’ ransoms are insurers. So are insurers funding ransomware gangs? Link.

Observer Effect interview with Tobi Lütke, the co-founder of Shopify. Link.

❤ Liked what you read?

Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!

If you’re that friend… Sign up here to receive CyberLite every week!

🎁 Wrapping Up

If you’ve got questions, comments or just fancy a chat then shoot me an email or send me a message on Linkedin/Twitter. I’d love to hear from you!

Thanks for reading, I’ll catch you next week!


Oliver Kitchin

Cybersecurity consultant. Passionate about people, technology and the great outdoors. He/Him.
