Threat Advisory: Increased Emotet Malware Activity Detected
January 23, 2020
The Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory on the increasing use of targeted Emotet malware attacks. Emotet is a Trojan used by threat actors to act as a downloader, or dropper, of other malware.
The most common delivery method for Emotet is spam email carrying a malicious Microsoft Word or Excel attachment that exploits vulnerabilities in Microsoft Office. Cyber criminals often use subject lines, such as payment requests, invoices, or delivery notifications for tracking shipments, that convey a sense of urgency so that unsuspecting users open the malicious attachment.
Emotet spreads through internal networks by leveraging brute force attacks to gain access to shared drives. Successful Emotet attacks can allow cyber criminals to access sensitive and proprietary data, resulting in disruption of business operations and loss of the organization’s reputation.
CISA recommends the following steps as best practices to defend against Emotet:
- Block email attachments commonly associated with malware (e.g., .dll and .exe).
- Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
- Implement Group Policy Object and firewall rules.
- Implement an antivirus program and a formalized patch management process.
- Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
- Adhere to the principle of least privilege.
- Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.
- Segment and segregate networks and functions.
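The first two recommendations above (block executable attachments, and block archive types the gateway antivirus cannot scan) can be expressed as a small attachment policy. The following is an added example written for this advisory, not code from CISA or Herjavec Group: it parses a raw email with Python's standard `email` library, classifies each attachment by every extension in its file name and by its declared MIME type, and returns a verdict the gateway can act on. The blocked sets are seeded only with the types the advisory names (.dll, .exe, .zip); the MIME type lists and the sample message with its placeholder payloads are assumptions constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions the advisory tells gateways to block (.dll and .exe), and archive
# types antivirus cannot inspect (.zip). Extend these sets to match local policy.
BLOCKED_EXECUTABLE_EXT = {".exe", ".dll"}
UNSCANNABLE_ARCHIVE_EXT = {".zip"}
# Declared MIME types treated like the matching extensions (assumption: these are
# the labels a typical mail client attaches to such files).
BLOCKED_EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}
UNSCANNABLE_ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}


def attachment_verdict(filename: str, content_type: str) -> str:
    """Return 'block-executable', 'block-unscannable' or 'allow' for one part.

    Every suffix in the name is checked, so a chained name such as
    invoice.pdf.exe is still classified by its executable extension, and the
    declared MIME type is checked so a renamed archive is still caught.
    """
    suffixes = {s.lower() for s in PurePosixPath((filename or "").lower()).suffixes}
    ctype = (content_type or "").lower()
    if suffixes & BLOCKED_EXECUTABLE_EXT or ctype in BLOCKED_EXECUTABLE_TYPES:
        return "block-executable"
    if suffixes & UNSCANNABLE_ARCHIVE_EXT or ctype in UNSCANNABLE_ARCHIVE_TYPES:
        return "block-unscannable"
    return "allow"


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw RFC 5322 message and return (filename, verdict) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        results.append((name, attachment_verdict(name, part.get_content_type())))
    return results


def should_quarantine(raw: bytes) -> bool:
    """Hold the message if any attachment fails the policy."""
    return any(verdict != "allow" for _, verdict in scan_message(raw))


def build_sample_message() -> bytes:
    """Constructed sample mirroring the advisory's lure themes (invoice, shipment)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Requested payment: invoice overdue"
    msg.set_content("Please review the attached invoice today.")
    # Byte payloads are placeholders, not real files.
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"PK placeholder", maintype="application",
                       subtype="zip", filename="shipment_tracking.zip")
    msg.add_attachment(b"PK placeholder", maintype="application",
                       subtype="x-zip-compressed", filename="tracking.dat")
    msg.add_attachment(b"%PDF placeholder", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for name, verdict in scan_message(raw):
        print(f"{name:25} {verdict}")
    print("quarantine:", should_quarantine(raw))
```

Checking both the file name and the declared type matters because the two are independently controlled by the sender; a policy keyed on one alone lets a mislabeled part through. In production the verdicts would feed the gateway's quarantine action and a log line for the SOC rather than a print statement.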
In addition to CISA’s recommendations, Herjavec Group also advises:
- Follow best practices to limit opportunities for credential loss or lateral movement
- Incorporate consistent user security awareness training
- Establish processes for reporting suspicious emails
- Isolate suspicious systems until they can be remediated
- Develop playbooks and orchestration to automate phishing detection, containment, and detonation where possible
Related resources:
- CISA Initial Emotet Malware Alert
- Australian Cyber Security Centre (ACSC) Advisory on Emotet Malware Campaign
- CISA's Tips for Protecting Against Malicious Code
Herjavec Group's Threat Management & Incident Response team is available for further support and consultation. If you need Incident Response support or Security Expertise, please connect with us.