Blog Home Page Next article: Business Continuity Planning (BCP) – The Overlooked Control
MS-ISAC CYBER ALERT – Ongoing Emotet Campaign Using MS-ISAC Branding
This alert came through our CHWG Feed
All credit goes to the membership for distributing the alert and recommendations. ALWAYS ALWAYS run any changes through your ‘Change Management Process’ Disabling SMB can break or slow local network response, especially for custom apps.
TLP: GREEN
MS-ISAC CYBER ALERT
SUBJECT: UPDATED – Ongoing Emotet Campaign Using MS-ISAC Branding
An ongoing Emotet malspam campaign is using the Multi-State Information Sharing and Analysis Center (MS-ISAC) branding. When the document is opened a macro runs that downloads Emotet as the payload. Emotet is one of the most costly and destructive malware variants affecting state, local, tribal, and territorial (SLTT) governments due to its highly infectious nature, which frequently leads to the compromise of almost every computer on a network.
Currently, there are five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator. Open source reporting indicates that a recent development to Emotet may allow it to scrape and exfiltrate emails, potentially leading to a data breach.
January 15, 2019 – UPDATED
An active Emotet malspam campaign is using MS-ISAC and SLTT government branding to spread. The emails contain fake invoices Word documents as attachments. Further information about Emotet is available in the attached Security Primer.
INDICATORS:
- Emails are spoofing the “MS-ISAC <[email protected]>” email address
- Subject line of “Missing paperwork”
- A malicious Word document attachment
- Message body: o Hello, Please see attached copy of invoice #<random number> – <random dollar amount> for your record and payable and send payment to MS-ISAC.
- Thank you for your custom.
MS-ISAC
PH 723 768-6055
FAX 723 768-6664
E:[email protected]
Scenario 1: Service Accounts
“We have had that account since we started using SQL or Windows 2000. No one knows what will break if we change the account password or setting”. A service account does not need Domain Admin privileges! See this 2006 article from Microsoft “Securing Critical and Service Accounts” This article will help understand what access these accounts need and do NOT need. Passwords and the need for password complexity will be addressed in another blog post. Use your ‘Change Management’ (also another blog post) process to create a maintenance window to test the changes (one per window). Don’t let the possibility of a change breaking something dissuade you. The alternative is potentially a nefarious individual with Domain or Enterprise Admin privileges waltzing through your network.
Scenario 2: Local Administrative Rights
Users with administrator access on their assigned PC or Laptop. Typically, this happens so the support team does not need to be called if the user needs to update/change something on the PC, so mobile users can add printers, or to make an installed application function (typically to solve write/modify restrictions prevent by default windows configurations). Since Windows 7, ALL of these situations can be solved without giving the user local administrator access. It is inconvenient for the user and support personnel, but so is EVERY measure that increases security. Security and convenience are inversely proportional. Allowing local users administrator access rights gives hackers the ability to find the fastest and most direct path to Domain Admin with free opensource tools like “BloodHound”. It also allows the hacker to install services and software, modify the registry and turn the PC or Laptop into a proxy server (pivot) to scan and find other vulnerable systems on the network. If a helpdesk user with domain administrator access (next paragraph) has logged into the system, then local administrator access gives the hacker, the ability to dump the helpdesk user’s password in plain/clear text. See “Mimikatz”.
January 15, 2019 – UPDATED
Emails are spoofing the “MS-ISAC <[email protected]>” email address as well as email addresses of other SLTT government officials
Subject lines: “Invoice <auto generated invoice number>” “MS-ISAC New invoice <auto generated invoice number>” or “Invoice”
A malicious Word document attachment titled “Invoice” followed by a space or underscore, then 1 letter, and 5 numbers. E.g. “Invoice W64756.dox” or “Invoice_P59707.dox”
Emails originate from domains ending in “.mx”
Email signatures contain the word “Facsimile” instead of the more common “Fax”
RECOMMENDATIONS:
- Use Group Policy to set a Windows Firewall rule to restrict inbound SMB communication between client systems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing custom modifications for the control of client-to-client SMB communication. At minimum create a Group Policy Object that restricts inbound SMB connections to clients originating from clients.
- Use antivirus programs on clients and servers, with automatic updates of signatures and software.
- Disable all macros except those which are digitally signed.
- Apply appropriate patches and updates immediately after appropriate testing.
- Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
- Consider implementing the Domain-based Message Authentication, Reporting & Conformance (DMARC) email protocol. DMARC assists in identifying spoofed emails, preventing users from being spoofed, and blocking incoming spoofed emails. For assistance with implementation, please see the Global Cyber Alliance’s (GCA) DMARC guide.
Additional recommendations and more information are available on the MS-ISAC website.
Happy Hunting!!
Tim Crosby
CISSP, HCISPP, CySA+, CHPSE, PenTest+ SME, CSA+ SME
Sr. Security Consultant
Consulting Services Group
Spohn Consulting, Inc.
Office: (512) 685-1820
Mobile: (512) 945-5674
[email protected]
https://www.linkedin.com/in/tim-crosby-05870915/