As feared by many security experts, Emotet has learned something new – again. As reported by CERT-Bund on Twitter, the malware is now capable of creating authentic replies to existing emails, encouraging unsuspecting recipients to open infected attachments or click on fake links.

The German Federal Office for Information Security (BSI) has, in the past, issued several warnings about the Emotet malware, which spreads by sending credible-looking spam emails from an infected account to address book contacts. Once it has infected a system, the malware can generate further malicious code, with possible dire consequences for companies. It could cause a halt in production or a complete infrastructure failure, and may even require company networks to be rebuilt entirely.

Hackers have now made the malware even more sophisticated. According to CERT-Bund's tweet, Emotet no longer only uses harvested sender addresses, but can also produce fake replies to real emails by making use of 'read message' content, and it embeds authentic links to the domain of the supposed sender. The malware thereby applies "spear phishing" techniques, in which information about the victim's contacts and communication behaviour is collected in order to craft as authentic an email response as possible, with malicious code attached. Emotet has automated this process and is therefore able to send a huge number of authentic-looking emails in a short space of time, spreading the malware at high speed.

Even though this malware is becoming more sophisticated, organisations still have an opportunity to act and protect themselves before it’s too late.

Companies can and should deploy counteractive measures

On a technical level, a closer look at the structure of the malware reveals that there are fundamental ways to protect against an attack. The Emotet infection process uses a number of elements that a resilient infrastructure with a flexible and preventive security architecture can defend against. Crucially, the infection does not occur the moment the email recipient opens an attachment, but only when the macros embedded in the attached file, such as a Word document, are executed. With standard MS Office settings, this means a user must manually activate the macros, and with them the malware, before it can reach the network.

What's more, most employees don't even need macros for normal day-to-day business. It is therefore advisable to deactivate them completely by default and to prevent manual execution by assigning the appropriate rights. A good vulnerability management tool can help here, as it can identify and manage which user accounts are allowed to execute macros. The same is true for PowerShell or administrator rights, as these are also required for Emotet to load.
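As an added illustration of the macro policy described above (example code, not from the original article), the following PowerShell audits and, with `-Apply`, enforces the Office policy values that disable macros without giving the user an "Enable Content" button. It assumes Office 2016 or later (registry version 16.0) and that in production the same values would be pushed centrally by Group Policy rather than by a per-host script.

```powershell
# Added example: audit/enforce Office macro policy via the registry keys Office reads for GPO.
# Assumes Office 2016/2019/365 (policy path version 16.0); run as the affected user.
param([switch]$Apply)

$apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all, 2 = disable with notification (default "Enable Content" bar),
# 3 = disable all except digitally signed, 4 = disable all without notification.
$desired = @{
    VBAWarnings                       = 4   # no way for the user to click macros back on
    BlockContentExecutionFromInternet = 1   # files with Mark-of-the-Web never run macros
}

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"

    foreach ($name in $desired.Keys) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $want    = $desired[$name]

        if ($current -eq $want) {
            Write-Output "${app}/${name}: compliant ($current)"
            continue
        }

        Write-Output "${app}/${name}: NOT compliant (current '$current', want $want)"
        if ($Apply) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name $name -Value $want -Type DWord
            Write-Output "${app}/${name}: set to $want"
        }
    }
}
```

Run it without `-Apply` first to see which machines and applications still allow users to enable macros; the "NOT compliant" lines are exactly the accounts the text says a vulnerability management tool should surface.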

Detect the additional tools Emotet downloads

Even if Emotet has already infected the IT system, there are still defence measures that can be put in place. For example, the malware downloads various additional tools to spy on access data or encrypted data. These standard tools can be used as indicators of compromise. A vulnerability management tool such as the Greenbone Security Manager can also be used to determine whether the tools Emotet downloads are active in the company's own IT infrastructure.

Emotet also spreads from the infected system via the so-called SMB vulnerability, which was made infamous by the WannaCry and EternalBlue attacks. This vulnerability can be closed with the corresponding update. After the WannaCry outbreak, many companies made their networks inaccessible to SMB communication from the outside, but not all of them secured their internal communications as well. Here, an examination that pinpoints the corresponding weak points is the best way to find any remaining gaps in the system.
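The internal SMB exposure described above is normally found with a network vulnerability scan; as an added host-side complement (example code, not from the original article), this PowerShell checks whether the legacy SMBv1 protocol is still enabled on a Windows host and whether the host firewall allows inbound TCP/445 from any address, and with `-Apply` turns SMBv1 off. It assumes Windows 8.1 / Server 2012 R2 or later (SmbShare and NetSecurity modules) and an elevated shell; the KB identifier of the patch for the SMB vulnerability itself differs per OS and is left as a placeholder.

```powershell
# Added example: audit (and optionally remediate) SMBv1 and inbound SMB reachability on one host.
# Assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later.
param(
    [switch]$Apply,
    [string]$SmbPatchKb = 'KB-PLACEHOLDER'   # placeholder: the OS-specific update for the SMB flaw
)

# 1. Is the legacy SMBv1 protocol (the one the WannaCry-era exploit targets) still enabled?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
$server  = Get-SmbServerConfiguration
Write-Output ('SMB1Protocol feature: {0}; server EnableSMB1Protocol: {1}' -f
              $feature.State, $server.EnableSMB1Protocol)

if ($Apply -and ($feature.State -eq 'Enabled' -or $server.EnableSMB1Protocol)) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Output 'SMBv1 disabled (a reboot is needed to unload the driver)'
}

# 2. Is the corresponding update installed? (Replace the placeholder with the KB for this OS.)
if ($SmbPatchKb -ne 'KB-PLACEHOLDER') {
    $hotfix = Get-HotFix -Id $SmbPatchKb -ErrorAction SilentlyContinue
    Write-Output ("Update {0}: {1}" -f $SmbPatchKb, $(if ($hotfix) { 'installed' } else { 'MISSING' }))
}

# 3. Does the host firewall allow inbound TCP/445 from arbitrary remote addresses?
$open445 = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }

foreach ($rule in $open445) {
    Write-Output "Inbound TCP/445 allowed from Any by rule: $($rule.DisplayName)"
}
if (-not $open445) {
    Write-Output 'No enabled inbound TCP/445 allow rule is open to arbitrary remote addresses'
}
```

A host that reports SMBv1 enabled together with an inbound 445 rule open to "Any" is precisely the internal weak point the text warns about, even when the perimeter already blocks SMB from outside.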

Conclusion: Small security measures have a big impact

Large-scale computer failures caused by the Emotet malware can have catastrophic consequences, especially for critical infrastructures such as hospitals, since such failures not only cause economic damage but also pose a threat to people. Organisations should therefore act before it's too late and protect their IT infrastructures in the best possible way. To become resistant to phishing attacks from advanced malware such as the new Emotet variant, a few coordinated measures, such as deactivating unnecessary macros and closing known vulnerabilities as quickly as possible, are often enough.

The EU directive on the security of Network and Information Systems (NIS) was approved in August 2016, giving member states 21 months to embed the directive into their respective national laws. The directive became UK law in May this year, and all organizations deemed 'Operators of Essential Services' (OES) must comply from that date onward; if they fail, they could face a fine of up to £17m.

A matter of vulnerability management

With the directive now in place, each state needs to ensure the continuity of its essential services regardless of any cause that could affect the networks and information systems enabling those critical infrastructures. What this really means is that those services need to improve not only their resistance to cyber attacks but also their resilience, that is, the ability to continuously deliver the intended business objective despite adverse cyber events.

Critical infrastructures – example transportation systems

Critical infrastructures, like energy, health, finance and transportation, share one common prerequisite: they mostly consist of converged technologies. It is this interdependency of industrial control systems (ICS) and IT systems that increases the attack surface drastically. A major element of resilience, as I mentioned above, is therefore to minimize the attack surface of the overall infrastructure by identifying vulnerabilities that could be exploited by an adversary. So far, so good. But how do organizations tackle this?

We have outlined the steps organizations need to take to address their vulnerabilities, taking their business needs into account at all times. The first issue in a series of whitepapers to come from us looks at the systems and processes of the transportation industry. In the light of the new EU directive, how should internal security guidelines change in response to the new regulations?

Learn more: Download our Whitepaper ‘Sustainable Cyber Resilience for Critical Infrastructures – Transportation Systems and Networks’ here for free.