CISA Warns of Uptick in Emotet Malware
CISA is spreading new guidance to ensure admins can properly defend against Emotet malware attacks, which the agency claims are on the rise.
The U.S. Cybersecurity and Infrastructure Security Agency warned again this week of an uptick in attacks involving Emotet, a strain of malware that was originally designed as a banking Trojan but has spread as of late through phishing, malicious PDFs, and droppers.
CISA, a division of the Department of Homeland Security tasked with overseeing the country's cybersecurity and communications infrastructure, issued a warning on Wednesday acknowledging that it's seen a rise in attacks involving Emotet.
"Heads up! We're tracking a spike in Emotet and re-upping defensive guidance," Chris Krebs, CISA's director, tweeted on Wednesday, spreading a CISA link.
As CISA notes, Emotet mostly spreads via malicious macro-enabled email attachments but can also arrive via a malicious link or script; once it has a foothold in a system, it can spread by brute-forcing user credentials and writing to shared drives. Emotet certainly isn’t new; it’s been around for the better part of five years, but it has shown clear signs of evolving over the last year, dropping a handful of different payloads, including banking trojans, email harvesters, data stealers, and ransomware.
The agency is cautioning users and admins, if they haven’t already, to follow a set of guidelines to better combat Emotet, including but not limited to:
- Block email attachments commonly associated with malware (e.g., .dll and .exe).
- Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
- Implement Group Policy Object and firewall rules.
- Implement an antivirus program and a formalized patch management process.
- Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
- Adhere to the principle of least privilege.
- Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.
- Segment and segregate networks and functions.
- Limit unnecessary lateral communications.
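As an added illustration of the first two bullets (this is not CISA's code or anything from its alert), here is a gateway-side attachment check in Python. The extensions beyond .dll and .exe, and the rule that an encrypted or unreadable ZIP counts as "cannot be scanned", are assumptions; the sample message and archives are constructed inline.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# .dll/.exe come from the guidance; the macro-enabled Office types are an assumption.
BLOCKED_EXTENSIONS = (".exe", ".dll", ".docm", ".xlsm", ".pptm")

def archive_is_scannable(data: bytes) -> bool:
    """Unscannable = the scanner cannot open it (encrypted member or broken
    structure); a readable ZIP that hides a blocked type is rejected as well."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():  # general-purpose flag bit 0 = encrypted
                if info.flag_bits & 0x1 or info.filename.lower().endswith(BLOCKED_EXTENSIONS):
                    return False
    except zipfile.BadZipFile:
        return False
    return True

def evaluate_attachment(filename: str, data: bytes) -> str:
    if filename.lower().endswith(BLOCKED_EXTENSIONS):
        return "blocked: extension"
    if filename.lower().endswith(".zip") and not archive_is_scannable(data):
        return "blocked: archive"
    return "allowed"

def filter_message(raw: bytes) -> dict:
    """Map each attachment filename in a raw RFC 822 message to its verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): evaluate_attachment(p.get_filename(), p.get_payload(decode=True)) for p in msg.iter_attachments()}

def build_zip(member: str, body: bytes, encrypted: bool = False) -> bytes:
    """Constructed ZIP; 'encrypted' sets the central-directory encryption flag bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, body)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.rfind(b"PK\x01\x02") + 8] |= 0x1  # flags sit 8 bytes into the CD header
    return bytes(data)

def build_sample_message() -> bytes:
    msg = EmailMessage()  # constructed invoice-themed lure, not a real sample
    msg.set_content("Please see attached.")
    msg.add_attachment(b"macro", maintype="application", subtype="msword", filename="invoice.docm")
    msg.add_attachment(build_zip("tool.exe", b"MZ"), maintype="application", subtype="zip", filename="report.zip")
    msg.add_attachment(build_zip("notes.txt", b"hi", True), maintype="application", subtype="zip", filename="locked.zip")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()
```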
Krebs also retweeted some advice from Jessica Payne, a security researcher on Microsoft's Windows Defender team: "If you want a playbook for how to defend your network against infection and lateral movement by a sophisticated attacker, detect and defend against Emotet. The mitigation and investigation techniques line up across multiple adversary sets and have remarkable return on investment."
In a subsequent tweet, Krebs agreed, calling Emotet's payoff "much bigger than one malware campaign," stressing that Emotet attacks have become much more methodical over time.
In addition to following through on the above guidance, CISA is also encouraging admins to read its original, much more in-depth, alert on the malware from 2018, its tip for protecting against malicious code, and a related Australian Cyber Security Centre advisory on Emotet.
The warning comes a few days after Cisco Talos reported seeing an increase in Emotet activity targeting U.S. military domains and state and federal governments. According to researchers there, the latest strain of Emotet can check whether an infected IP address is already blacklisted on a spam list, something that could let its operators send more malicious emails without being caught by spam filters.