There have been indications of renewed Emotet activity since 14 November 2021. Emotet is a prolific botnet operation, where computers infected with malware are leveraged to perform cyber-attacks. We recommend reminding everyone in your organization to follow industry guidance on best cyber security practices and exercise caution when using email.
Details
In January 2021, Europol reported on a multi-agency effort to “severely disrupt the Emotet infrastructure”. However, similar to their breaks in activity observed in 2019 and 2020, it appears that it only led to a temporary interruption of Emotet operations.
Various cybercriminal groups have been using Emotet since 2014 as a loader available through a Malware-as-a-Service (MaaS) offering. It is typically used as first-stage malware that provides initial access to victims’ systems, thereby enabling threat actors to deploy ransomware, keyloggers, banking trojans, and other types of malicious software on the infected systems.
Emotet has a distributed botnet structure. The malware infects end-user systems and forms bots out of individual hosts. These bots would then form groups with each cluster controlled by a botmaster that instructs the infected hosts on further actions. Depending on the available modules, it could instruct the bots to infect other computers on the same network or deploy other types of malware on an infected host.
Researchers track Emotet botnet’s activity by several subgroups, called “Epochs”, where each subgroup has its own command-and-control (C2) servers, payloads, target locations, spam templates, and delivery methods. There are five known Epochs, labelled Epoch 1 through to Epoch 5, with Epoch 4 and 5 currently reported being active in Japan, Germany, Latin America, Italy, Spain, and other parts of the world.
In the past, Emotet has had an ability to infect a system and perform additional functions through its modules allowing self-propagation, elevation of privileges, brute-forcing, data exfiltration and more.
Previous and current Emotet infections by Emotet typically start with a victim opening a malicious email containing a URL in the body or a malicious attachment that could be an Excel spreadsheet, a Word document, a PDF, or a password-protected ZIP archive. It can also be delivered from other infected computers on the same network or be a secondary infection from another malware.
Emotet has also been using thread hijacking. Emotet operators would take over email chains using already infected users to send authentic-looking emails to other recipients in the email chain. As these emails would appear legitimate to the recipient, they are often opened without hesitation, which enables the threat actors to conduct further attacks.
One change in the new Emotet activity appears to be the use of encrypted HTTPS C2 communications instead of HTTP. The hard-coded C2 communication destination is now obfuscated. Emotet is now also abusing the Windows 10 App Installer to imitate an Adobe update; a tactic recently observed used by other malware.
Recommendations
Emotet has been a persistent threat with threat actors regularly changing their infrastructure, spam templates, and malware code. Since the latest Emotet activity has started, our analysts have been tracking this threat activity and employing the latest indicators of compromise in our detections.
However, most of Emotet’s methods are well-researched and are used by multiple other threats. Detecting this threat through a signature and indicator-based approach would only provide partial protection.
Covalence stops Emotet before it is able to infect your system by reducing your threat surface, and enables timely blocking of similar threats. By focusing on abnormal behavior on endpoints, emails, network, and cloud, Covalence alerts on activity patterns that are indicative of malicious activity early on.
This is a good opportunity to remind everyone in your organization to follow the recommended cyber security practices and and exercise caution when using email. Some of the guidance can be found in the References section below.
References
CISA Guidance on Emotet
MS-ISAC Guidance on Emotet
SANS: Emotet Returns
Following Microsoft’s November 2021 Patch Tuesday, several issues have been reported associated with the installation of these updates. We recommend following Microsoft’s guidance to determine if you require additional measures prior to installing this month’s security updates.
Details
Kerberos Authentication Failures on Domain Controllers
On 14 November 2021, Microsoft issued emergency updates to address Kerboros authentication failures that occur after installing the 9 November 2021 security updates on Domain Controllers (DC) running certain versions of Windows Server.
These issues are related to Kerberos tickets acquired via Service-for-User-to-Self (S4U2self). Authentication fails when delegation scenarios rely on “the front-end service to retrieve a Kerberos ticket on behalf of a user to access a backend service”.
The affected versions are: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 where the server is being used as a DC (there is no impact on those running only Active Directory).
These emergency updates are not available through Windows Update and must be downloaded as a standalone package available via Microsoft Update Catalog.
Microsoft recommends you install the latest Servicing Stack Update (SSU) for your operating system before installing the latest Cumulative Update (CU).
Users must have at least the 10 August 2021 SSU (KB5005112) before installing the CU.
Compatibility Issues with Intel SST Drivers and Windows 11
On 15 November 2021, Microsoft reported incompatibility issues for Windows 11 and certain versions of Intel Smart Sound Technology (Intel SST) drivers. Devices with Intel SST versions 10.29.0.5152 and earlier or 10.30.0.5152 and earlier may receive a Blue Screen error when installing Windows 11.
Microsoft applied a compatibility hold on devices with the affected Intel SST drivers from being offered Windows 11.
The company recommends checking with your device manufacturer (OEM) for an updated driver and installing it, if available. The updated versions of the Intel SST drivers are 10.30.00.5714 and later or 10.29.00.5714 and later. If the driver update is not offered by OEM, it can be installed manually from Intel website.
To determine if you are using the affected Intel SST driver, use Device Manager > System Devices to look for filename IntcAudioBus.sys with file versions 10.29.0.5152 and earlier or 10.30.0.5152 and earlier.
Microsoft Installer Issue
On 18 November 2021, Microsoft reported that installing KB5007215 or later updates could cause failures with Microsoft Installer (MSI) repairing or updating some apps.
The company suggested uninstalling an affected app and installing the latest version of that same app in order to mitigate this issue. A complete resolution for the issue is expected to come in a future update.
This issue is reported for the following platforms:
Recommendations
We recommend reviewing the guidance in the References section below to determine if you are running one of the affected systems prior to installing November 2021 Microsoft security updates.
References
Microsoft Guidance on Kerboros Authentication Failures
Authentication Failure Scenarios
Microsoft Update Catalog
Microsoft’s Known Issues
On 9 November 2021, Siemens published 29 security advisories and updates with five of them rated Critical (CVSS score range of 9-10). We recommend installing the latest updates and applying the mitigations as soon as possible.
Details
Two of the critical advisories are related to a set of 13 vulnerabilities that affect the TCP/IP stack of the networking component (Nucleus NET) in Nucleus Real-Time Operating System (RTOS), as well as its related services (FTP, TFTP).
Nucleus RTOS is a real-time operating system produced by the Embedded Software Division of Mentor Graphics, a Siemens Business. The operating system is designed for real-time embedded systems for medical, industrial, consumer, aerospace, and internet-of-things uses.
The flaws, dubbed by researchers NUCLEUS 13, could be leveraged to obtain Remote Code Execution (RCE) on vulnerable devices, create a Denial-of-Service (DOS) condition, or obtain sensitive information. The most critical of the 13 is CVE-2021-31886, an Improper Null Termination flaw that could lead to a stack-based buffer overflow. This may result in DoS conditions and RCE. CVSS v3.1 Base Score: 9.8.
Another critical advisory, SSA-840188, addresses three vulnerabilities in SIMATIC WinCC. They also affect SIMATIC PCS 7 distributed control system (DCS); SIMATIC WinCC is a supervisory control and data acquisition (SCADA) system integrated into SIMATIC PCS 7.
SSA-917476 describes six vulnerabilities in SCALANCE W1750D devices. The flaws could allow someone to execute code on the affected device(s), read arbitrary files, or perform a DoS.
The SSA-675303 advisory is a minor update to an advisory published in July 2021, addressing WIBU Systems CodeMeter Runtime vulnerabilities in Siemens products.
Recommendations
If you are using any of the vulnerable products, apply the latest updates and/or the recommended mitigations as soon as possible.
Follow recommended security practices for each product in the applicable Siemens advisory.
References
Siemens Security Advisories
CISA Advisory on NUCLEUS 13 Flaws
On 9 November 2021, Microsoft released updates to address 55 vulnerabilities, two of which are currently exploited. We recommend applying the latest updates as soon as possible.
Details
Recommendations
References
On 4 November October 2021, GitHub released security advisories on two NPM libraries having been published with malicious code. We recommend applying the mitigations in the advisories as soon as possible.
Details
Recommendations
References
Fill out the form and we will send you details about our demo.