Original Release Date: 10/8/2020
Emotet has been identified by the Cybersecurity and Infrastructure Security Agency (CISA) as one of the most prevalent ongoing threats. CISA issued an alert (AA20-280A) after a surge of Emotet activity was detected by its Intrusion Detection System (IDS), EINSTEIN. Since July 2020, CISA has identified roughly 16,000 alerts related to Emotet activity targeting government entities, and detected a 1,000 percent increase in Emotet loader downloads targeting state and local government entities in August 2020. Emotet has evolved into an advanced and prolific trojan spread primarily via phishing email attachments and links that use themes echoing trending current events. The malware then attempts to proliferate within a network by brute-forcing user credentials and writing to shared drives, often using remote services such as Server Message Block (SMB). Emotet is often dropped with TrickBot to deliver ransomware, and with Qakbot trojans to steal banking information and other sensitive data. Emotet is difficult to combat because its polymorphic and worm-like capabilities enable network-wide infections. Connections to known Emotet-related domains or IPs most often occur over ports 80, 8080, and 443, and in one instance over port 445, possibly indicating the use of SMB exploitation. Researchers have observed many new tactics since July, including “thread jacking” techniques, the ability to spread via Wi-Fi networks, and the adoption of political and election lures. Additionally, the threat actors behind the Emotet trojan have been observed extending attacks to mobile devices, after researchers identified both desktop and mobile malware associated with the same command and control (C2) infrastructure.
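As an added illustration (not part of the NJCCIC alert or any CISA tooling), the following Python script flags two of the behaviours described above in constructed sample logs: connections to a placeholder Emotet indicator list on the ports named in the alert, with port 445 marked as possible SMB activity, and hosts whose failed logons span many accounts, the credential brute-forcing pattern. The log formats, indicator values and failure threshold are assumptions.

```python
from collections import defaultdict

# Ports the alert associates with Emotet C2 traffic; 445 additionally suggests SMB.
C2_PORTS = {80, 8080, 443, 445}
# Placeholder indicator set (assumption): replace with your current intel feed.
EMOTET_IOCS = {"198.51.100.23", "emotet-c2.example"}

# Constructed sample logs (not real captures), simplified to
# "<timestamp> <src> <dst> <port>" and "<timestamp> <src> <account> <result>".
CONN_LOG = """\
2020-10-08T09:00:01 10.0.0.5 198.51.100.23 8080
2020-10-08T09:00:04 10.0.0.5 203.0.113.9 443
2020-10-08T09:01:10 10.0.0.7 198.51.100.23 445
2020-10-08T09:02:00 10.0.0.9 emotet-c2.example 22
"""
AUTH_LOG = """\
2020-10-08T09:03:01 10.0.0.7 alice FAIL
2020-10-08T09:03:02 10.0.0.7 bob FAIL
2020-10-08T09:03:03 10.0.0.7 carol FAIL
2020-10-08T09:03:04 10.0.0.7 dave FAIL
2020-10-08T09:03:05 10.0.0.7 erin FAIL
2020-10-08T09:03:06 10.0.0.7 erin OK
2020-10-08T09:04:00 10.0.0.5 alice FAIL
2020-10-08T09:04:05 10.0.0.5 alice OK
"""

def c2_hits(conn_log, iocs=EMOTET_IOCS, ports=C2_PORTS):
    """Connections to a listed indicator on a C2 port; flags port 445 as SMB."""
    hits = []
    for line in conn_log.splitlines():
        _ts, src, dst, port = line.split()
        port = int(port)
        if dst in iocs and port in ports:
            hits.append({"src": src, "dst": dst, "port": port, "smb": port == 445})
    return hits

def brute_force_sources(auth_log, min_accounts=5):
    """Hosts whose failed logons span at least min_accounts distinct accounts,
    the password-guessing pattern Emotet uses before writing to shared drives."""
    failed = defaultdict(set)
    for line in auth_log.splitlines():
        _ts, src, account, result = line.split()
        if result == "FAIL":
            failed[src].add(account)
    return sorted(src for src, accts in failed.items() if len(accts) >= min_accounts)

if __name__ == "__main__":
    print("C2 indicator hits:", c2_hits(CONN_LOG))
    print("Possible credential brute-forcing from:", brute_force_sources(AUTH_LOG))
```

Hosts flagged by either detector are candidates for the isolation, investigation and reimaging steps the alert recommends.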
The NJCCIC urges organizations to implement a defense-in-depth cybersecurity strategy that includes an endpoint detection and response solution, email security gateway, user awareness training, and a comprehensive data backup plan. If an infection is suspected, the NJCCIC recommends disconnecting devices from the network and investigating them for signs of compromise. We encourage reimaging any infected devices. Users are reminded to exercise caution when clicking on links or opening attachments sent in emails from both trusted and unknown entities.