Bradley Sing

    Bradley Sing is currently Technical Consultant at Mimecast where he has been since November 2016. Bradley has been working in the technology industry for almost four years and draws on his previous experience to help align customer business needs with the technical solutions that Mimecast provides, which ranges from product demonstrations to help documenting processes and aspects of products. Prior to his role at Mimecast, Bradley worked across the web hosting & domain name industry in Australia, working for Melbourne-based web hosting startup Hosting Australia and previously Melbourne IT Group.


Fantastic trojans and how to fight them: Emotet


Emotet is making headlines around the world as organisations across the UK, US, Canada and Australia wrestle with a new wave of cyberattacks that employ the dangerous trojan. The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has received dozens of confirmed reports of Emotet attacks across a variety of sectors, including critical infrastructure providers, healthcare organisations and government agencies.


What is Emotet?

Emotet is a trojan which is mainly spread through spam emails. First identified in 2014, Emotet was originally designed as a banking trojan that stole online banking credentials from infected users. Later versions became even more dangerous and destructive, adding worm-like capabilities to spread across connected systems and acting as a loader that delivers other malware.

Early versions of Emotet arrived as a malicious JavaScript file, while later versions used macro-enabled MS Office files, usually Word documents (.doc or .docm; a plain .docx cannot carry a macro), whose macro retrieves the actual payload from command and control (C2) servers run by the attackers. Current versions tend to arrive as malicious scripts, macro-enabled documents, PDF files or malicious links, often dressed in a well-known brand’s graphic design so the email looks legitimate. Subject lines and attachment names such as “Your Invoice,” “Payment Details,” or a parcel delivery update from a well-known courier are used to trick users into opening them.

Emotet has evolved a number of tricks to dodge detection and can tell when it is running inside a virtual machine (VM). If it detects a sandbox, the isolated environment cybersecurity researchers use to study malware safely, it lies dormant and shows none of its malicious behaviour, so a short automated detonation may report the file as clean. Emotet also silently receives updates from its C2 servers, which lets the attackers change the software, install additional malware, or turn the infected host into a collector of stolen credentials (usernames, passwords and email addresses).


How does Emotet work?

Once it has infected a system, Emotet tries to spread within the network by brute-forcing user credentials against other hosts and writing copies of itself to shared drives. Emotet has also been observed downloading a secondary malware onto infected machines called Trickbot, a modular trojan with its own command and control (C2) infrastructure that lets an attacker harvest emails and credentials and deploy additional malware.
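The spread pattern just described, a burst of failed logons from one host against another, then a successful logon, then a write to a network share, is something a SOC can look for in Windows Security logs. The following Python is an added example, not Mimecast’s code or any tool from this page: it runs a simple sliding-window detector over constructed sample events modelled on Windows event IDs 4625 (failed logon), 4624 (successful logon) and 5145 (network share access check). The tuple layout, host and user names, the thresholds and the choice of ADMIN$ as the written share are assumptions made for the example.

```python
"""Sliding-window detector for the Emotet-style spread pattern: a burst of failed
logons from one source host to one target, then a success, then a share write.

Added example, not code from the page. The event layout is an assumption:
(timestamp, event_id, source_host, target_host, user, share_access).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # failed logons that count as a brute-force burst
WINDOW = timedelta(minutes=5)  # the burst must fit inside this window
ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")

# Constructed sample events (not real logs). WS-17 brute-forces FS-01, gets in and
# writes to ADMIN$; WS-03 is a user mistyping a password once, which must not alert.
EVENTS = [
    ("2019-11-04T09:00:01", 4625, "WS-17", "FS-01", "jsmith", ""),
    ("2019-11-04T09:00:02", 4625, "WS-17", "FS-01", "jsmith", ""),
    ("2019-11-04T09:00:03", 4625, "WS-17", "FS-01", "jsmith", ""),
    ("2019-11-04T09:00:04", 4625, "WS-17", "FS-01", "jsmith", ""),
    ("2019-11-04T09:00:05", 4625, "WS-17", "FS-01", "jsmith", ""),
    ("2019-11-04T09:00:06", 4625, "WS-17", "FS-01", "jsmith", ""),
    ("2019-11-04T09:00:09", 4624, "WS-17", "FS-01", "jsmith", ""),
    ("2019-11-04T09:00:15", 5145, "WS-17", "FS-01", "jsmith", "ADMIN$:WriteData"),
    ("2019-11-04T09:30:00", 4625, "WS-03", "FS-01", "akhan", ""),
    ("2019-11-04T09:30:05", 4624, "WS-03", "FS-01", "akhan", ""),
    ("2019-11-04T09:31:00", 5145, "WS-03", "FS-01", "akhan", "Finance:ReadData"),
]


def find_spreaders(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (source_host, target_host, user, share_access) tuples.

    A (source, target) pair is suspicious only if all three stages occur in
    order: enough 4625s inside the window, then a 4624, then a 5145 that writes
    to an administrative share.
    """
    events = sorted(events, key=lambda e: e[0])
    recent_fails = defaultdict(list)   # (src, dst) -> timestamps of recent 4625s
    burst = set()                      # pairs that crossed the failure threshold
    logged_on = set()                  # pairs that then produced a 4624
    alerts = []
    for ts_s, event_id, src, dst, user, access in events:
        ts = datetime.fromisoformat(ts_s)
        pair = (src, dst)
        if event_id == 4625:
            # keep only failures still inside the sliding window, then add this one
            window_fails = [t for t in recent_fails[pair] if ts - t <= window]
            window_fails.append(ts)
            recent_fails[pair] = window_fails
            if len(window_fails) >= fail_threshold:
                burst.add(pair)
        elif event_id == 4624 and pair in burst:
            logged_on.add(pair)
        elif event_id == 5145 and pair in logged_on:
            share, _, mask = access.partition(":")
            if share in ADMIN_SHARES and "Write" in mask:
                alerts.append((src, dst, user, access))
    return alerts


if __name__ == "__main__":
    for alert in find_spreaders(EVENTS):
        print("possible spreader:", alert)
```

The single typo from WS-03 never reaches the threshold, so only the WS-17 chain is reported. In a real deployment the threshold and window should be tuned against the environment’s normal failed-logon rate, and the 5145 field parsing replaced with the log pipeline’s own field names.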

The ACSC is aware of at least 19 successful Emotet infections in Australia, with Trickbot deployment observed in a few cases. One of the most recent cases of Emotet infection involved Ryuk ransomware attacks on the Victorian healthcare sector, with many more organisations across multiple sectors still at risk.


What can we do about it?

Though the threat posed by Emotet is very real, there are steps organisations can take to protect themselves and minimise their risk:

  1. Alert and Inform your staff
    Make sure your people understand the dangers of opening attachments or links in unexpected emails, even when the message carries a familiar brand or a plausible subject such as an invoice or a delivery update. A well-informed and aware staff is your best defence, so educate your team on how to identify suspicious emails and how to report one rather than open it.
     
  2. Block Macros
    Wherever possible, block macros in Office files that came from the internet and only allow the execution of vetted and whitelisted macros, for example macros digitally signed by a trusted publisher. Office’s “block macros from running in Office files from the Internet” policy relies on the Mark of the Web zone marker that browsers and mail clients attach to downloads, so it does not cover a file that arrives by a route that strips that marker; the safest baseline is to disable all unknown macros, which significantly reduces your network’s exposure.
     
  3. Regularly scan your systems and update your firewalls
    Regularly scan your network with cybersecurity tools capable of identifying and defending against Emotet. Keep the signatures and blocklists on your gateways and firewalls current, and filter outbound as well as inbound traffic, since an infected host must reach its C2 servers to fetch updates and further payloads.
     
  4. Develop a response plan
    Create a clear response plan that enables your organisation to act quickly in the event of an Emotet infection. Containment is the goal, so the plan should include details on immediately disconnecting and quarantining affected machines and networks, and on resetting the passwords of any accounts used on those machines, since harvested credentials are what Emotet uses to spread.
     
  5. Keep offline backups
    Keeping offline backups of critical data is just good practice. Make sure the backups are updated regularly and that restoring from them is tested, so that in the case of an infection or ransomware attack you still have recovery options that actually work.
     
  6. Manage permissions and patch your OS
    The ACSC strongly recommends implementing the ASD Essential 8 mitigations to manage the threats to internet-facing systems. These include restricting administrative privileges, using multi-factor authentication and patching operating systems to keep their defences up to date.

When it comes to threats like Emotet, prevention is better than cure. By following the steps above, you can greatly reduce your exposure to cyberattacks and boost your organisation’s cyber resilience. However, many data-sensitive organisations have complex needs that require far more sophisticated and robust cybersecurity solutions. Learn more about how Mimecast can protect your organisation from targeted digital threats in the video below:

    http://video.mimecast.com/watch/LCK4x9N9joYC2iDgeEuoJG

You can also stay updated on the latest cyber threats from around the world by downloading our quarterly threat intelligence report or our Maurice Blackburn Lawyers case study.
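“Block Macros” above and the description of macro-enabled lures earlier on this page both come down to one check a mail gateway or endpoint can make: does this attachment actually carry VBA, whatever its file name says? The Python below is an added example, not Mimecast’s product or any code from this page. It inspects the OOXML container directly, looking for a vbaProject.bin part or the macro-enabled content types Office writes into [Content_Types].xml (both real OOXML conventions), and falls back to the compound-file magic bytes to recognise legacy binary .doc files. The sample attachments are constructed in memory, and the block/sandbox/deliver policy in gateway_decision is an illustrative assumption.

```python
"""Classify Office attachments by container contents, never by file name.

Added example, not code from the page. The policy in gateway_decision is an
illustrative assumption; the OOXML part name and content types are real.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/...) is a zip
MACRO_MARKERS = (
    "application/vnd.ms-office.vbaProject",  # content type of the vbaProject.bin part
    "macroEnabled",                          # .docm/.xlsm/.pptm main-part content types
)


def classify_office_attachment(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-binary' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live inside an OLE storage, which needs a
        # proper OLE parser to confirm, so report it separately rather than guess.
        return "legacy-binary"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"          # a plain zip, not an Office package
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "not-office"
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba_part or any(marker in ctypes for marker in MACRO_MARKERS):
        return "macro"
    return "no-macro"


def gateway_decision(filename: str, data: bytes, from_internet: bool = True) -> str:
    """Illustrative policy: block confirmed macros; sandbox legacy binaries from
    outside because macro presence cannot be confirmed cheaply; deliver the rest.
    The file name is passed only for logging; the decision never trusts it."""
    kind = classify_office_attachment(data)
    if kind == "macro":
        return "block"
    if kind == "legacy-binary" and from_internet:
        return "sandbox"
    return "deliver"


# ---- constructed sample attachments (not real malware, built in memory) ----
def _build_ooxml(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


_TYPES_NS = 'xmlns="http://schemas.openxmlformats.org/package/2006/content-types"'
CT_CLEAN = (f'<?xml version="1.0"?><Types {_TYPES_NS}><Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
CT_MACRO = (f'<?xml version="1.0"?><Types {_TYPES_NS}><Override PartName="/word/document.xml" '
            'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
DOC_XML = "<w:document/>"

CLEAN_DOCX = _build_ooxml({"[Content_Types].xml": CT_CLEAN, "word/document.xml": DOC_XML})
MACRO_DOCM = _build_ooxml({"[Content_Types].xml": CT_MACRO, "word/document.xml": DOC_XML,
                           "word/vbaProject.bin": b"\x00placeholder\x00"})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 504
PDF_FILE = b"%PDF-1.4\n%constructed sample\n"

SAMPLES = {
    "Your Invoice.docx": CLEAN_DOCX,
    "Payment Details.docm": MACRO_DOCM,
    "Invoice.docx": MACRO_DOCM,      # the file name lies: a .docm renamed to .docx
    "Parcel.doc": LEGACY_DOC,
    "Invoice.pdf": PDF_FILE,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:22} {classify_office_attachment(blob):14} -> {gateway_decision(name, blob)}")
```

The third sample is the case worth noticing: a macro-enabled package renamed to .docx is still classified as “macro”, because the classifier reads the package rather than the extension. Legacy binary .doc files, the format many Emotet lures actually used, cannot be cleared this cheaply; the example routes them to sandbox detonation, and an OLE-aware parser would be needed to inspect them directly.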

