- Cybersecurity
Asset management and contact details in the event of an incident, new developments in the Security Portal for Local Administrations
We send this information to you to take the appropriate verification, containment, and eradication measures regarding your fraudulent mailing campaigns.
Mass mailing with fraudulent content associated with a high-risk threat is taking place. The emails are related to malware known as Emotet. In addition to appropriating information and spreading it via email, Emotet acts as a Trojan horse that opens the door to other actors. These, in turn, often deploy malicious software for espionage, intrusion into organizations, and encrypting information for the purpose of demanding an economic bailout.
Emotet is distributed by mail in waves that occur recurrently at least since August 2017. The activity had ceased in the second quarter of 2019, but from September 15 has resumed especially actively and with global impact, which has motivated the statement. However, this is a constant threat in the face of which effective measures must be sought that can remain active on a permanent basis.
One of the factors that is causing these campaigns to be very successful is the reuse of previous compromised email threads to gain user trust. In many cases, one of the identities (at least one of them) is supplanted and office documents with malicious content are attached via macros. Malicious emails are usually short, vague texts that appear to be the answer to a previous message. "Pending confirmation of the material you need" or "new template" are real examples of their content. The origin of the mail is usually displayed to mail clients with two addresses, the last one sending the mail and usually unknown to the recipient.
As a Center for Information Security of Catalonia (CESICAT), we recommend the following measures to address this threat:
- User Awareness - Distrust attachments from unknown or suspicious addresses. Distrust if a message has two different directions as source
- Disable default execution of macros
- Update Anti-Viruses
- Monitor and deny outgoing communications from firewalls to ports 447, 449, and 20 from external locations
- Check that the latest backup of the information considered most critical is complete and ensure that it is offline
On the other hand, we also recommend the following additional measures to be applied:
- Increase protection measures for incoming mail:
- Evaluate the implementation of blocking those emails with Microsoft Office files with Macros (excel included)
- Block emails containing malicious URLs related to Emotet.
- Scan your incoming mail with an antivirus with updated signatures
- If possible, analyze incoming mail in dynamic behavior analysis systems (sandboxes).
- Network segmentation
- Disable RDP when not strictly necessary
- Segmentation at the user level: establish a protocol that the user cannot access from any computer, in order to avoid that, in case his credentials are compromised, he can access any machine on the area in question.
- Review of privileges and change of credentials
- Review rule settings at the administrative level
- Avoid program and code executions temporarily
In the event of an incident, contact CESICAT-CERT cert@cesicat.cat
References:
Specific mitigation measures by Emotet
Threat post: Emotet Returns from Summer Vacation, Ramps Up Stolen Email Tactic
Bleeping computer: Emotet Trojan Evolves Since Being Reawakened, Here is What We Know
Cisco Talos Intelligence: Emotet is back after a summer break