Recently, the CISA has warned of Emotet attacks that are targetting the government entities; And CISA, along with the Multi-State Information Sharing & Analysis Center (MS-ISAC), affirmed that Emotet is one of the most complex trojans that generally work as a downloader or dropper of other malware.
The experts have detected Emotet in July 2020, after an idle period that started in February. While, in August, the CISA and MS-ISAC have seen a notable uptick in ill-disposed cyber attacks.
All these attacks are targeting the state and local governments with Emotet phishing emails. And this increase has distributed Emotet as one of the most widespread ongoing threats.
As we said above that Emotet is a venerable Trojan primarily published through phishing email additions and links. It implies that when the links get clicked, it started to launch the payload.
Once it gets launched, then the malware strive to generate within a network by brute-forcing user credentials and writing to the shared drives.
Emotet is very challenging to fight because of its “worm-like” specialties; this feature allows the network-wide infections. Moreover, Emotet also uses the modular Dynamic Link Libraries to emerge and update its abilities continuously.
Not only this, but Emotet also uses negotiated Word documents that are assigned to phishing emails as first insertion vectors. All these resource identifiers carrying all stupid random length ordered lists to observe that Emotet-related domains or IPs with the following user are the agent string.
According to the timeline, Emotet was initially detected in February 2020; And this month, the threat actors targeted non-U.S. nations utilizing the COVID-19-themed phishing emails. After that CISA has caught Emotet in July 2020, the experts noticed that emails that are previously used Emotet URLs, especially those applied in the February campaign, attacking the U.S. businesses.
Not only this, but further Emotet has been detected in August and September 2020, and this time the experts noted that it has increased by 1000%. But the experts also claimed that Emotet has not changed; it just had some minimal changes.
However, this time the threat actors are using the technique that involves stealing a current email chain from an affected host to respond to the chain using a spoofed identity. Not only this, but it also has an attached malicious document to fool the recipients into displaying the file.
The CISA and MS-ISAC have recommended some mitigations that are needed to be followed by the users correctly, and here they are:-
- Obstruct email attachments usually connected with malware.
- Obstruct email attachments that cannot be browsed by antivirus software.
- Perform Group Policy Object and firewall rules.
- Perform an antivirus program and a formalized patch control process.
- Execute filters at the email gateway, and prevent suspicious IP addresses at the firewall.
- Perform a Domain-Based Message Authentication, Reporting & Conformance validation system.
- Share and segregate networks and functions.
- Limit undesirable lateral communications.
- Impair file and printer sharing services.
- Implement multi-factor authentication.
- Allow a firewall on agency workstations, configured to deny unsolicited connection requests.
- Impair random services on agency workstations and servers.
- Browse for and eliminate questionable email attachments.
- Monitor users’ web browsing practices.
- Practice caution when using removable media and mass storage.
- Browse all software downloaded from the internet before executing.
- Keep a situational awareness of the most advanced threats and perform appropriate access control lists.
- Observe CISA’s Alert on Technical Approaches to Revealing and Malicious Activity.
Apart from this, CISA is still investigating the whole matter, and they have confirmed that they would publicize every detail regarding the conflict and attack. In contrast, the CISA and MS-ISAC have advised the admins and the users to use antimalware answers to block suspicious attachments and prevent unusual IPs.