If financial services cybersecurity professionals don’t have enough to worry about already between new threats and evolving tactics, the continued reemergence of the Emotet malware shows the importance of continuing to defend against attacks once thought defeated.
First discovered in 2014, “Emotet has been one of the most professional and long-lasting cybercrime services out there”, according to Europol. Europol issued that statement in January 2021, after law enforcement agencies from eight countries announced they had taken control of the Emotet infrastructure “in an international coordinated action.”
It was thought the malware had been vanquished by that January 2021 takedown. However, it reportedly resurfaced this past November. Akamai also saw a strong increase in Emotet infections in the wild in February, July and October by monitoring websites associated with Emotet malware.
Emotet has been viewed as the most dangerous malware in existence. In fact, the Financial Services Information Sharing and Analysis Centre determined that Emotet had become the most-often reported malware by financial organisations in 2020. The FBI, which participated in the coordinated takedown of Emotet infrastructure, identified more than 45,000 computers and networks in the US that had been affected by the malware.
The Emotet Trojan typically spreads via phishing spam emails, launching its service once a user clicks a link that opens a macro-enabled attachment. It is particularly evasive and hard to detect, because it is able to cover its tracks, blending into general email communications by using reconnaissance methodologies. More specifically, the Trojan is capable of accessing old email messages in a victim’s inbox and, by replying to them, adding itself to an existing email conversation. Purporting to be a legitimate correspondent, it then sends along a malicious attachment. Rather than inflicting damage on a victim’s device, it primarily functions as a downloader or dropper of other malware code. The US Cybersecurity & Infrastructure Security Agency (CISA) describes it as “a polymorphic banking Trojan that can evade typical signature-based detection.”
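The reply-chain lure described above leaves two signals a mail gateway can check independently of any malware signature: a reply that joins an existing thread from a domain none of the thread's participants use, and a macro-enabled Office attachment. The following is an added illustration of that triage logic, not code from Akamai or the original article; the sample messages, the look-alike domain vend0r.example and the thread-participant list are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Macro-enabled Office formats: the attachment class the reply-chain lure carries.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.ms-excel.sheet.macroenabled.12",
}

def sender_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def macro_attachments(msg):
    """Return filenames of attachments that look macro-enabled (by type or extension)."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in MACRO_CONTENT_TYPES or name.endswith(tuple(MACRO_EXTENSIONS)):
            hits.append(name)
    return hits

def triage(raw, thread_domains):
    """Flag a reply that joins a known thread from an outside domain, plus any macro attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if (msg.get("In-Reply-To") or msg.get("References")) and sender_domain(msg) not in thread_domains:
        findings.append("reply from domain outside thread")
    for name in macro_attachments(msg):
        findings.append(f"macro-enabled attachment: {name}")
    return findings

def build_sample(from_addr, in_reply_to, attach_name, ctype):
    """Constructed test message for the example; not real mail."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_addr, "alice@bank.example", "RE: invoice"
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
    m.set_content("please see attached")
    maintype, subtype = ctype.split("/", 1)
    m.add_attachment(b"\x00", maintype=maintype, subtype=subtype, filename=attach_name)
    return m.as_bytes()

# Constructed thread: the legitimate participants' domains (assumed for the example).
THREAD = {"bank.example", "vendor.example"}
SUSPECT = build_sample("bob@vend0r.example", "<msg1@vendor.example>", "invoice.docm",
                       "application/vnd.ms-word.document.macroEnabled.12")
BENIGN = build_sample("bob@vendor.example", "<msg1@vendor.example>", "invoice.pdf", "application/pdf")
```

Neither check alone is conclusive; the combination of an outside-domain reply and a macro attachment is what merits quarantine or analyst review.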
Crimeware for the asking
Emotet is an early example of malware-as-a-service — basically a loader for hire, which cyber attackers can rent to deliver their own malware. Dubbed the triple threat by many in security, it has been used to deliver the TrickBot malware, which in turn has been used to unleash Ryuk attacks that reportedly accounted for one-third of all ransomware attacks in 2020.
This demonstrates the organised crime characteristics of cyberattacks. Cyber criminals represent an underground ecosystem that connects individual malevolent actors with sophisticated criminal syndicates that operate networks of infected computers — or botnets — that can be controlled from a centralised computer to deploy attacks.
Criminals are savvy in disguising their probes to look like legitimate emails, such as an inquiry from a bank, the Internal Revenue Service, or even an employee’s boss.
Education that advises end users to avoid clicking these baited links can only go so far in deterring attacks. Security experts say there is no realistic way to ensure that all enterprise systems are fully secure. When one system is infected, malware quickly tries to move laterally through the network to find more targets of opportunity.
Focus on the organisation’s crown jewels
Financial services organisations must focus their security efforts on protecting their “crown jewels” — their most sensitive, mission-critical data — and deterring lateral migration of malware.
“A best practice here is to use a mix of identifying and blocking dangerous domains, while safely connecting users and devices to the internet with a secure web gateway, at the same time making sure possible infections cannot spread inside your core network,” says Gerhard Giese, Industry Strategist with Akamai. “In addition, financial services institutions should incorporate a Zero Trust approach of ‘never trust, always verify,’ coupled with real-time threat intelligence.”
Akamai helps organisations improve data protection and security with solutions including:
- Secure Internet Access Enterprise Threat Protector, which proactively identifies, blocks and mitigates targeted threats such as malware and phishing.
- Zero Trust Network Access including threat intelligence, a cloud-delivered, identity-aware, high-performance service for secure application access without the need for a cumbersome VPN for users to gain access to the network.
- Kona Site Defender, a cloud-based web application firewall with constantly updated application-layer firewall protections.
- Guardicore’s microsegmentation technology — now part of Akamai’s Zero Trust security solutions — which addresses lateral movement, critical to the success of a ransomware attack, by letting security professionals easily set up control policies to detect breaches and stop the spread of ransomware before attackers can gain access to your infrastructure and applications.
The resurgence of Emotet is a testament to how cyber attackers continue to evolve tried-and-true malware, while also developing new threats. It takes coordinated industry threat intelligence, advanced technology solutions, and human analysis to keep organisations’ defences evolving at the same pace.