Earlier this week, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) issued a warning of a resurgence of the sophisticated Emotet malware – an advanced Trojan that can also function as a downloader for other malware. It is commonly spread through phishing email attachments: once a user clicks a link, the Emotet payload is launched.
It can then proliferate across a network through so-called “brute force” tactics, and can spread to shared drives. The worm-like nature of this malware makes it hard to defend against, and it can enable network-wide infections. CISA noted that Emotet-related domains and IPs seemed to be the most common on ports 80, 8080 and 443.
While the Emotet malware, which was first detected in 2014, had largely been quiet since February, it apparently came back with a vengeance this past July, and CISA’s intrusion-detection system has reportedly picked up 16,000 alerts over threats to government networks in the past two and a half months. It has also reemerged with new social-engineering tools – including being customized with messages tied to headlines and news events.
CISA Warns of Governments Targeted
Since it first appeared, Emotet has impacted a mix of organizations and agencies. The city of Allentown, PA had its government networks infected with the malware in 2018, and the following year the highest court of the state of Berlin in Germany was affected, along with Humboldt University of Berlin and Universität Gießen. Earlier this year, the malware took down the Department of Justice in the province of Quebec.
Last month, cybersecurity agencies in France, Japan and New Zealand published security alerts warning about a large uptick in Emotet malware attacks, and in recent weeks CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have also observed attackers targeting state and local governments.
“Cybersecurity and Infrastructure Security Agency (CISA) warning about the surge in Emotet malware infections is appropriate, but a little late, as other countries had issued warnings a month before,” said Saryu Nayyar, CEO of risk analysis firm Gurucul, via an email to ClearanceJobs.
“It is another example of malware authors using professional development cycles to keep their malicious wares relevant,” warned Nayyar. “Organizations are in a constant state of ‘catching up’ with these alerts, as the threats constantly change and evolve and security practitioners deploy their most effective tools. However, it will take a coordinated and concerted effort by governments around the world to put a dent in these international cybercriminal organizations.”
Educate Users on Social Engineering
As with other forms of malware, Emotet remains a problem because of its use of social engineering tactics, including phishing. To combat it, organizations need to remain vigilant in ensuring that everyone with access to the network follows best practices – notably not opening attachments from unknown individuals, and confirming with the sender when there is any doubt about an email's authenticity.
“The surge in evolved Emotet attacks perfectly exemplifies the need to continuously educate users on how to detect and avoid phishing emails,” explained Dan Piazza, technical product manager at Stealthbits Technologies.
“Although spam filters and other methods of blocking malicious emails should be in place for all organizations, it only takes one email to get through and successfully trick a user for Emotet to start moving laterally throughout a network and eventually into domain admin rights,” warned Piazza. “Emotet will also hijack legitimate, existing email threads once a host has been infected, so users need to be wary of every email they receive and not just new threads from fake or spoofed addresses.”
It is almost inevitable that at some point a user will slip up, succumb to a phishing attack, and become infected.
“That’s when Emotet starts to move laterally through the network until they become a domain admin,” added Piazza. “However, it’s possible to block this attack by using a combination of real-time threat detection and response as well as Privileged Access Management, ultimately reducing the standing privilege in a network to zero. As long as Emotet can’t gain domain admin privileges, the scope of the attack can be greatly reduced – which also buys time for the security team to remove the malware.”