On October 6, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) issued an alert after seeing a significant increase in phishing attacks using the Emotet Trojan, particularly against state and local governments. This was after five months of apparent dormancy since February 2020. CISA itself considers Emotet to be one of the most costly and destructive forms of malware, impacting both public and private sectors. According to the malware trends tracker at ANY.RUN, Emotet is by far the most prevalent malware threat at this time.
Emotet has been around since 2014 when it was started as a Trojan targeting the banking industry to steal sensitive and private information. Since then it has been modified and adapted to deliver a variety of other malware. In its most recent alert, CISA notes that the current versions of Emotet use compromised Word documents (.doc) or password-protected Zip files (.zip) attached to phishing emails as an initial point of entry. Because of its “worm-like” features, Emotet and other malware payloads it may carry can spread across local networks to infect other devices on those networks.
While the CISA alert outlines a long list of best practices to help mitigate the threat of Emotet, as well as other forms of malware, some of the more easily implemented practices include:
- Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.
- Implement an antivirus program and a formalized patch management process.
- Block email attachments commonly associated with malware (e.g.,.dll and .exe).
- Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
- Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Scan all software downloaded from the internet prior to executing.
- Enable a firewall on workstations, configured to deny unsolicited connection requests.
- Use strong passwords or Active Directory authentication for print and file sharing services.
- Disable unnecessary services on workstations and servers.
As Sgt. Phil Esterhaus would say on the TV show Hill Street Blues, “Let’s be careful out there.”