Fantastic trojans and how to fight them: Emotet
Emotet is making headlines around the world as organisations across the UK, US, Canada and Australia wrestle with a new wave of cyberattacks that employ the dangerous trojan. The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has received dozens of confirmed reports of Emotet attacks across a variety of sectors, including critical infrastructure providers, healthcare organisations and government agencies.
What is Emotet?
Emotet is a trojan which is mainly spread through spam emails. First identified in 2014, Emotet was originally designed to steal confidential information from banking systems. Later versions became even more dangerous and destructive, using worm-like capabilities to spread across connected systems and deliver malware.
Emotet has evolved a number of tricks to dodge detection and can even tell if it’s running inside a virtual machine (VM). If it detects a sandbox environment, the kind of isolated system that cybersecurity researchers use to safely study malware, it will lie dormant. Emotet can also silently receive updates from C&C servers, allowing attackers to update the software and install additional malware, or to use it to collect stolen information such as login credentials, usernames, passwords and email addresses.
How does Emotet work?
Once it has infected a particular system, Emotet tries to spread within the network by brute-forcing user credentials and writing to shared drives. Emotet has also been observed downloading a secondary piece of malware, Trickbot, onto infected machines. Trickbot is a modular, multi-purpose Command and Control (C2) tool that allows an attacker to harvest emails and credentials and deploy additional malware.
The ACSC is aware of at least 19 successful Emotet infections in Australia, with Trickbot deployment observed in a few cases. One of the most recent cases of Emotet infection involved Ryuk ransomware attacks on the Victorian healthcare sector, with many more organisations across multiple sectors still at risk.
What can we do about it?
Though the threat posed by Emotet is very real, there are steps organisations can take to protect themselves and minimise their risk:
- Alert and inform your staff
Make sure your people understand the dangers associated with opening attachments from unusual emails. Having a well-informed and aware staff is your best defence, so educate your team on how to identify suspicious emails and what actions to take in case they receive one.
- Block macros
Wherever possible, block macros from the internet and only allow the execution of vetted and whitelisted macros. Disabling all unknown macros can significantly reduce your network’s vulnerability.
- Regularly scan your systems and update your firewalls
Regularly scan your network with cybersecurity tools capable of identifying and defending against Emotet. Make sure your gateways and firewalls, inbound and outbound, are regularly updated.
- Develop a response plan
Create a clear response plan that enables your organisation to act quickly in the event of an Emotet infection. Containment is the goal, so the plan should include details on immediately disconnecting and quarantining affected machines and networks.
- Keep offline backups
Keeping offline backups of critical data is just good practice. Make sure the backups are updated regularly so that in the case of an infection or ransomware attack, you still have recovery options in place.
- Manage permissions and patch your OS
The ACSC strongly recommends implementing the ASD Essential 8 mitigations to manage the threats to internet-facing systems. These include restricting administrative privileges, using multi-factor authentication and patching operating systems to keep their defences up to date.

When it comes to threats like Emotet, prevention is better than cure. By following the steps above, you can greatly reduce your vulnerability to cyberattacks and boost your organisation’s cyber resilience. However, many data-sensitive organisations have complex needs that require far more sophisticated and robust cybersecurity solutions. Learn more about how Mimecast can protect your organisation from targeted digital threats in the video below.
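The "Block macros" advice above maps onto two Office policy settings: one that blocks macros in files downloaded from the internet, and one that allows only digitally signed (vetted) macros to run. The following PowerShell script is an added example, not part of the original post or any Mimecast or ACSC tooling; it audits those settings for Word, Excel and PowerPoint and can apply the hardened values. It assumes Office 2016/2019/Microsoft 365 (registry version key 16.0) and the per-user policy hive; adjust those for other deployments.

```powershell
# Added example (not from the original post): audit and optionally enforce the
# Office macro policy values behind the "block macros from the internet, allow
# only vetted macros" advice. Assumes Office version key 16.0 and HKCU policy hive.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Hardened values:
#   blockcontentexecutionfrominternet = 1 -> macros in files from the internet are blocked
#   VBAWarnings = 3                        -> only digitally signed macros may run
$Hardened = @{ blockcontentexecutionfrominternet = 1; VBAWarnings = 3 }

function Get-MacroPolicyPath {
    param([string]$App)
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
}

function Get-MacroPolicyState {
    # Returns one object per app with the current value and an OK flag per setting.
    param([string]$App)
    $path = Get-MacroPolicyPath -App $App
    $state = [ordered]@{ App = $App }
    foreach ($name in $Hardened.Keys) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        }
        $state[$name] = $value                 # $null means not set: the Office default applies
        $state["${name}_OK"] = ($value -eq $Hardened[$name])
    }
    [pscustomobject]$state
}

function Set-MacroPolicyHardened {
    # Writes the hardened DWORD values, creating the policy key if it is missing.
    param([string]$App)
    $path = Get-MacroPolicyPath -App $App
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    foreach ($name in $Hardened.Keys) {
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Hardened[$name] -Force | Out-Null
    }
}

$Enforce = $false   # set to $true to apply the hardened values rather than only auditing
foreach ($app in $Apps) {
    if ($Enforce) { Set-MacroPolicyHardened -App $app }
    Get-MacroPolicyState -App $app
}
```

Run it first with `$Enforce = $false` to see which applications still allow unsigned or internet-sourced macros; in a domain, the same two values are normally pushed through Group Policy rather than set per user.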