The U.S. government has issued a new warning that Emotet malware attacks are now spiking, urging users and administrators to prevent this highly destructive software from infecting their computers and networks. “Heads up!” CISA Director Christopher Krebs tweeted on January 23, “we’re tracking a spike in Emotet and re-upping defensive guidance.” It’s a warning that all organisations should take seriously.
Emotet is a dangerous banking trojan that has been doing the rounds for more than five years. It started its life as a fairly straightforward credential-theft tool, but has since grown to include so-called dropper functionality, delivering other trojans. As CISA explains, “Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors.”
Given the years under its belt (including some breaks from the limelight), it’s no surprise Emotet has adapted and evolved, applying varying levels of sophistication to avoid anti-malware software and to slip through the various security nets in place. Its focus is to target networks, running worm-like from machine to machine. The government warns that infections cost “up to $1 million per incident to remediate.”
Infections, as almost always these days, begin with a malicious email spreading the dangerous attachment. Cue social engineering, untrained users or employees, a careless double-click. Once the software is loaded, the network is targeted with brute force attacks to gain more credentials and to move as rapidly as possible across the architecture, hitting machines of all kinds as it goes. During an attack, operations will be hit and data stolen. An intensive clean and repair program will need to take place.
CISA advises the urgent application of critical infosec best practice to keep this spike at bay. Block the most dangerous attachments—dll and exe files—that easily load software onto machines. Block attachments that cannot be scanned, such as zips or other compressed files. Ensure systems are patched and updated when new software is released, keep a full inventory of your systems, and don’t let endpoints slip through unpatched. Apply good network housekeeping, including firewalls, updated firmware on access points, and gaps separating the rest of the network from where critical data is stored.
Above all, train your employees and offer simple golden rules. Don’t carelessly click on links and attachments, apply caution to emails from people you don’t know from outside the organisation and—increasingly—check that emails from people you do know, who do seem to work for the company, have come from them and are not a socially engineered fake. Don’t download software linked from social media onto computers or mobiles. Every attack starts with an employee or user failing to apply basic caution.
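As an added example (not code from the article or from CISA), the attachment rules above turned into a small mail-gateway check: executables are flagged by extension or by the PE “MZ” header even when renamed, and archives are blocked because they cannot be scanned, with the reason sharpened where a zip can be opened. The sample “invoice” mail, its filenames and the PE stub are all constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
# Attachment classes the advisory says to block: executables that load code
# directly, and compressed containers a mail scanner cannot look inside.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com"}
ARCHIVE_EXT = {".zip", ".7z", ".rar", ".gz"}
PE_STUB = b"MZ" + b"\x00" * 30  # constructed stand-in for a Windows executable

def classify_attachment(filename, payload):
    """Return the reason to block this attachment, or None if it may pass."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    # Executable by extension, or by the PE "MZ" header when renamed.
    if ext in EXECUTABLE_EXT or payload[:2] == b"MZ":
        return "executable"
    if ext in ARCHIVE_EXT:
        # Zips we can open are inspected so the log states the precise reason.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # password-protected entry
                        return "encrypted archive"
                    if classify_attachment(info.filename, zf.read(info)) == "executable":
                        return "archive containing executable"
        return "unscannable archive"
    return None

def scan_message(raw):
    """Parse a raw RFC 822 message; return [(filename, reason)] to block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        reason = classify_attachment(part.get_filename(), part.get_payload(decode=True))
        if reason:
            findings.append((part.get_filename(), reason))
    return findings

def build_sample():
    """Constructed lure: an 'invoice' mail with a renamed .exe and a zipped .exe."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("invoice.exe", PE_STUB)
    msg = EmailMessage()
    msg["Subject"] = "Overdue invoice - urgent"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(PE_STUB, maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Running `scan_message(build_sample())` reports both attachments with their block reasons; in a real gateway the same check would run on each inbound message before delivery.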
And don’t underestimate the cleverness of an attack. Emotet may target a user by pulling some of their inbox back to its servers, then socially engineering malware-laced emails for the same user and others. Many of Emotet’s delivery emails will spoof some form of financial or commercial request or process, and will suggest urgency—an overdue invoice, a new order, a new payment, a financial transfer.
Once Emotet has gained a foothold, it will link to its external command and control server to receive instructions and updates. Stolen data will be sent back. And once that has happened, the organisation and its reputation will quickly be at risk.
[Figure: Emotet infection process]
U.S. organisations are already on heightened cyber alert following government warnings over an anticipated increase in offensive campaigns from Iranian-linked or sympathetic hackers. This latest advisory simply shows that the threats are wider and more pervasive, but the remediation actions are the same. You have been warned.