
Measures to protect against Emotet and dangerous e-mails in general

In the past, the Federal Office for Information Security (BSI) has received a striking number of reports of serious IT security incidents involving the Emotet malware. In some cases, the affected companies have experienced disruptions to critical business processes due to failures of the entire IT infrastructure, resulting in multi-million euro losses. In addition, the BSI has been notified of other less severe cases in which malware analysts at the BSI were able to detect Emotet infections. At present, Emotet continues to be distributed via large-scale spam campaigns and therefore poses an acute threat to businesses, public authorities and private users. Below you will find extensive information on the threat as well as an overview of possible safeguards.

What is Emotet and what makes this malware so dangerous?

Cyber criminals are behind Emotet, and they have adapted and automated the methods of highly professional APT attacks. Using what is known as "Outlook harvesting", Emotet is able to send authentic-looking spam e-mails. To do this, the malware reads contact relationships and, since a few weeks ago, also e-mail content from the mailboxes of systems that have already been infected. It uses this information automatically so that recipients receive fake e-mails that appear to come from senders with whom they have only recently been in contact, and in this way spreads itself further.

Emotet also has the ability to download other malware once it has infected a computer. These malware programs enable the attackers to obtain access data and full remote access to the system. A recent example is the banking Trojan "Trickbot", which can spread independently in a network, for example, by extracting access data (Mimikatz) and by exploiting SMB vulnerabilities (EternalBlue/EternalRomance). Depending on the network configuration, this has caused entire company networks to fail. Because they are continually adapted, the malware programs are not initially detected by common antivirus programs and can therefore make far-reaching modifications to infected systems. Attempts to remove the malware are typically unsuccessful and also run the risk of leaving parts of the programs embedded in the system.

The warning message distributed by the BSI can be found in the internal area of the Alliance for Cyber Security (ACS) website. If you are not yet a participant in the Alliance for Cyber Security, you can register here.

How can organisations protect themselves against Emotet?

Even though it is impossible to guarantee one hundred per cent security, there are nevertheless various safeguards that can be implemented at both an organisational and technical level that significantly reduce the risk of infection. In particular, this includes safeguards for secure e-mail use. If you have any concerns about the feasibility of these steps, please discuss them with your IT department or IT service provider.

The BSI considers that the following measures MUST be implemented within the IT infrastructure:

  • Regularly inform and make users aware of the threats posed by e-mail attachments or links -- including advice to consult the sender if there is any doubt before opening file attachments or links, or files downloaded via them (in particular, do not open any Office documents), even if the sender is known to the recipient (see also forged sender addresses below). Users should immediately report any suspicious activity to IT operations and the IT security officer.
  • Prompt installation of security updates provided by manufacturers for operating systems and application programs (especially web browsers, browser plugins, e-mail clients, Office applications, PDF document viewers) -- ideally automated via central software distribution.
  • Use centrally administered antivirus software. Regularly check whether antivirus signature updates are successfully rolled out to all clients.
  • Regularly perform multi-level data backups, especially offline backups. Backing up always includes planning the restoration of service and testing the recovery of data.
  • Regularly monitor log data manually, ideally supplemented by automated monitoring with alerts in the event of serious anomalies.
  • Network segmentation (separation of client/server/domain controller networks as well as production networks, each with isolated administration) according to different trust zones, areas of application and/or regions.
  • Internal user errors pose the greatest threat. All user accounts should therefore only have the minimum authorisations necessary to perform their tasks.

The following measures SHOULD also be implemented to prevent malware from infecting and spreading throughout the internal network:

  • The fewer programs available to open unknown files, the fewer vulnerabilities and misconfigurations can be exploited by an attacker. Therefore, software that is not needed should generally be uninstalled. In web browsers, the use of active content should be restricted as a minimum (e.g. click-to-play or restriction to intranet pages) and browser plugins that are not absolutely necessary (e.g. Flash, Java, Silverlight) should be removed.
  • Deactivation of macros and OLE objects in Microsoft Office, use of signed macros: the general execution of macros should be disabled (centrally as per group policy). Macros used within the organisation should be digitally signed. Only macros with specified digital signatures from configured trusted locations should be authorised.
  • Restriction or deactivation of the Windows Script Host (WSH).
  • Use of application whitelisting, e.g. with Microsoft AppLocker.
  • Avoidance of static local administrator passwords, e.g. by using the Microsoft Local Administrator Password Solution (LAPS).
  • Deactivation of administrative shares (Admin$, IPC$).
  • Use of two-factor authentication to log on to systems. This prevents the automated spread of malware in the network using compromised access data.
  • File extensions should be displayed by default. This makes it easier for users to detect duplicate file extensions such as "invoice.pdf.exe".
  • Use of plain text instead of HTML for e-mails. Nowadays, many e-mails are sent in HTML format. In order for these to be displayed correctly in the e-mail client, the client uses the same rendering mechanisms as a web browser. However, such rendering components often contain vulnerabilities, which in web browsers are mitigated by additional security measures; these protective mechanisms are usually less developed in e-mail programs. The greatest protection is therefore provided by displaying e-mails as text (often referred to as "text-only" or "plain text"). Another security advantage of this representation is that obfuscated URLs are easy to recognise in the text representation (in an HTML e-mail, for example, a link displayed as "www.bsi.de" could actually point to "www.downloadmalware.com"). At the very least, the execution of active content should be suppressed when HTML mails are displayed.
  • Attackers often forge the sender's information in e-mails to make the recipient believe that they are from a known (trustworthy) internal or external sender. Often, the fake sender including the e-mail address is entered in the display name (real name), while the actual sender address of the e-mail contains a compromised account that has been misused to send the e-mail. Therefore, e-mail clients should be configured in such a way that they not only display the display name, but also the complete mail address of the sender. Any potential attack attempts should be marked accordingly in the e-mail client or not delivered at all.
  • E-mail servers should reject, quarantine or at least clearly mark in the subject line any externally delivered e-mails with sender addresses from their own organisation (be it in the envelope sender, the From header or the display name).
  • Any e-mails with executable files (.exe, .scr, .chm, .bat, .com, .msi, .jar, .cmd, .hta, .pif, .scf, etc.) in the attachment -- including archives such as .zip -- should be blocked or moved to quarantine. If general filtering for some file types or recipients is not possible due to mandatory workflows, such e-mails should be clearly marked in the subject.
  • Encryption of e-mails using PGP or S/MIME to prevent potentially confidential e-mail content from being accessed. Consistent use of digital signatures also helps validate known e-mail senders. To do this, the information required for verification must be easily accessible on the website under Contacts.
  • Direct connections between clients in a network should be prevented by means of a firewall (especially SMB connections, PowerShell, PsExec and RDP).
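As an added illustration of three of the gateway measures above (flagging external mail that claims the organisation's own domain in the envelope sender, the From address or the display name; blocking executable attachments, including inside .zip archives; and spotting double extensions such as "invoice.pdf.exe"), here is example code that is not part of the BSI page. It assumes a fictional organisation domain "example.org" and builds its own constructed sample message.

```python
"""Constructed example (not BSI code): mail-gateway checks for spoofed own-domain
senders and executable attachments, including those hidden in .zip archives."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

OWN_DOMAIN = "example.org"  # assumed organisation domain
EXEC_EXTS = {".exe", ".scr", ".chm", ".bat", ".com", ".msi", ".jar",
             ".cmd", ".hta", ".pif", ".scf"}


def claims_own_domain(envelope_from: str, from_header: str) -> list[str]:
    """Name the sender fields that pretend to be OWN_DOMAIN on external mail."""
    hits = []
    if envelope_from.lower().endswith("@" + OWN_DOMAIN):
        hits.append("envelope")
    display, addr = parseaddr(from_header)
    if addr.lower().endswith("@" + OWN_DOMAIN):
        hits.append("from")
    if OWN_DOMAIN in display.lower():   # e.g. "Anna <anna@example.org>" as display name
        hits.append("display-name")
    return hits


def executable_names(filename: str, data: bytes) -> list[str]:
    """List names with an executable last extension; look inside .zip archives."""
    names = [filename]
    if filename.lower().endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names += zf.namelist()
    return [n for n in names if "." + n.lower().rsplit(".", 1)[-1] in EXEC_EXTS]


def check_message(raw: bytes, envelope_from: str) -> dict:
    """Run both checks over a raw RFC 5322 message delivered from outside."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = {"spoofed": claims_own_domain(envelope_from, str(msg["From"] or "")),
             "executables": []}
    for part in msg.iter_attachments():
        found["executables"] += executable_names(part.get_filename() or "",
                                                 part.get_payload(decode=True))
    return found


def build_sample() -> tuple[bytes, str]:
    """Constructed message: compromised external account, own-domain address in the
    display name, zip attachment holding a double-extension executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ placeholder, not a real binary")
    m = EmailMessage()
    m["From"] = '"Anna Muster <anna.muster@example.org>" <mailer@compromised.example.net>'
    m["To"], m["Subject"] = "buyer@example.org", "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="invoice.zip")
    return m.as_bytes(), "mailer@compromised.example.net"
```

Running `check_message(*build_sample())` flags the display name and the executable inside the archive; a gateway would then quarantine or mark the message as the list above recommends.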

What should I do if IT systems in my organisation are already infected?

  • Potentially infected systems should be isolated from the network immediately to prevent further spread of the malware in the network through lateral movement. To do this, pull the network cable (LAN). Do not shut down or switch off the device, and especially do not unplug the power cable. If necessary, create a forensic backup including a memory image for later analysis (by service providers or law enforcement agencies).
  • Under no circumstances should anyone log in with a privileged user account on a potentially infected system while it is still on the productive network.
  • The downloaded malware is often not detected by antivirus software (in the first hours after propagation). The malware sometimes makes far-reaching (security-relevant) changes to the infected system that cannot easily be undone. The BSI therefore generally recommends that infected systems be considered completely compromised and be re-installed.
  • All access data stored on affected systems (for example on the web browser) or entered after the infection should be considered compromised and the passwords should be changed.
  • Crisis communication should not take place via compromised internal e-mail, but via external addresses (encrypted if possible, e.g. using PGP). Otherwise, attackers can immediately see that they have been detected.
  • Report the incident -- anonymously if necessary -- to the BSI. This information is necessary for obtaining a clear picture of the IT situation and is of central importance for the BSI to be able to warn those potentially affected at an early stage.
  • File a criminal complaint. Contact the Central Cybercrime Contact Point (ZAC) in your federal state.
  • Consideration must be given to employee communication. On the one hand, employees need to be informed about the reasons for the "shutdown" and about possible private concerns they may have if they are allowed to use their workplace computer for personal purposes, since personal passwords and account data may have been used on it (and probably leaked). On the other hand, awareness must be raised about the restart, including giving employees the necessary information.
  • Proactively notify business partners/customers of the incident with reference to possible future attack attempts via e-mail with sender addresses of the affected organisation. Sharing is caring!

Where can we find further information on protecting our organisation?

The protective safeguards described relate to different areas of IT -- for example, attention must be paid not only to the secure handling of e-mails, but also to the hardening of workstation PCs. The Federal Office for Information Security has already published various guides on good practice in this context. Below you will find an overview of selected documents: