We are the Computer Security and Incident Response Team (CSIRT) for the Janet network. Part of Jisc's Security Operations Centre, our mission is to safeguard the current and future network security of Janet (steering the security policies for all Janet connections) and of our customers, creating a secure environment in which to conduct your online activities. Our primary function is to monitor and resolve any security incidents that occur on the Janet network, with specialists tracking a range of platforms, including Unix, Linux and Windows.

An Emotet malware incident write up

Monday, December 4, 2017 - 14:32

Janet network CSIRT recently provided guidance to a Janet-connected organisation that experienced a malware infection. The site performed a full analysis of the incident and wrote a post mortem of the event and the lessons learned from it. The report was created initially for internal use, but they have kindly allowed us to publish a redacted version, in case it is useful for other institutions:

1 Summary

Incident: Emotet October 2017
Start Date: 06/10/2017
Incident declared date: 12/10/2017
Incident diagnosed date: 13/10/2017
Incident closed date: 27/10/2017

At some point, several PCs had become infected with the Emotet malware. This malware has existed in different forms since 2014, initially designed to steal online banking credentials. More recent versions harvest sender/recipient email address pairs from infected machines in order to send spear phishing emails.

The attack works as follows:

  1. Spear phishing emails typically appear to be from a trusted contact.
  2. The email requests that the receiver clicks on a link, often to an alleged unpaid invoice.
  3. The link downloads a document from a compromised web server.
  4. When opened, the document asks the user if they want to ‘enable macros’ (scripts) in the document.
  5. If the user enables macros, a script is run which then downloads the Emotet virus from the internet.
  6. The Emotet virus gathers details of email addresses from the user’s computer, and sends these to an online ‘command and control’ server which stores the information.
  7. The harvested email addresses are then targeted with further spear phishing emails.

The Emotet virus has now been found on 10 PCs in the organisation.

Unfortunately, the fake invoice which downloads when the user clicks on the link frequently changes its ‘signature’ (the file’s bytes, and therefore its hash, differ from one download to the next). This means that it often goes undetected by the anti-virus software installed on every PC. Tests we have run by downloading these documents on purpose and analysing them using, suggest that it usually takes between 24 and 72 hours before the antivirus companies have seen the new variant and updated their databases to detect it. This meant that antivirus often didn’t provide protection against Emotet.
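Steps 3 to 5 of the attack chain above depend on the downloaded document carrying a VBA project, and the paragraph above explains why hash-based antivirus signatures lag behind each freshly generated lure. The following Python script is an added example, not part of the original report and not a product the organisation used: it checks a document's structure for a VBA project rather than matching its hash, so two lures that share one macro but differ in filler text are both flagged even though their hashes differ. The sample documents, the placeholder macro blob and the marker strings searched for are constructed here for illustration.

```python
"""Structural check for VBA macros in Office documents (added example).

Flags a document by what it contains, not by its hash, so a lure whose bytes
change with every download is still caught.  Every sample document below is
constructed in memory; none is a real Emotet lure.
"""
import hashlib
import io
import zipfile

# Signature of an OLE2 compound file (legacy .doc / .xls).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entry names are stored as UTF-16LE; these storage names only
# exist when a VBA project is present (assumed sufficient for this check).
OLE_VBA_MARKERS = tuple(n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros"))
# OOXML (.docm / .xlsm / .pptm) keeps the VBA project as a single zip member.
OOXML_VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def document_has_macros(data: bytes) -> dict:
    """Classify raw document bytes: which container, and whether it carries VBA."""
    if data.startswith(OLE_MAGIC):
        for marker in OLE_VBA_MARKERS:
            if marker in data:
                return {"container": "ole2", "has_macros": True,
                        "evidence": marker.decode("utf-16-le")}
        return {"container": "ole2", "has_macros": False, "evidence": ""}
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return {"container": "zip", "has_macros": False, "evidence": "unreadable zip"}
        for part in OOXML_VBA_PARTS:
            if part in names:
                return {"container": "ooxml", "has_macros": True, "evidence": part}
        return {"container": "ooxml", "has_macros": False, "evidence": ""}
    return {"container": "unknown", "has_macros": False, "evidence": ""}


def sha256(data: bytes) -> str:
    """Hash of the whole file: what a signature-based scanner would match on."""
    return hashlib.sha256(data).hexdigest()


def build_ooxml(body_text: str, vba_blob: bytes = b"") -> bytes:
    """Constructed sample: a minimal Word container, with or without a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>" + body_text + "</w:document>")
        if vba_blob:
            zf.writestr("word/vbaProject.bin", vba_blob)
    return buf.getvalue()


def build_ole2_with_vba() -> bytes:
    """Constructed sample: OLE2 header followed by a '_VBA_PROJECT' storage name."""
    return OLE_MAGIC + b"\x00" * 56 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 8


def demo() -> dict:
    """Two 'invoice' lures sharing one macro blob but differing in filler text."""
    # Placeholder for the compressed VBA stream a real .docm would carry.
    macro = b'Attribute VB_Name = "ThisDocument"\r\nSub AutoOpen()\r\nEnd Sub\r\n'
    lure_a = build_ooxml("Invoice 4711 overdue", macro)
    lure_b = build_ooxml("Invoice 4712 overdue", macro)
    clean = build_ooxml("Agenda for Monday")
    return {
        "same_hash": sha256(lure_a) == sha256(lure_b),  # False: a hash signature for one misses the other
        "lure_a": document_has_macros(lure_a),
        "lure_b": document_has_macros(lure_b),
        "clean": document_has_macros(clean),
        "legacy": document_has_macros(build_ole2_with_vba()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check answers only "does this document carry a VBA project"; extracting and reading the macro itself needs a proper parser such as olevba from the oletools project. The point for a mail gateway or download proxy is that this structural test does not wait for a vendor signature: a macro-carrying Office document from an external sender can be quarantined on the day the lure appears.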

The negative impact on the organisation has been threefold:

1. Reputation / enquiries: There have been in the order of 100 enquiries received from people who have been recipients of these phishing emails purportedly by the organisation. Only a few have directly asserted that systems have been ‘hacked’, and upon further explanation from IT staff, have generally been satisfied with the response given. The potential exposure of personal data through this attack could also present a negative reputational impact on the organisation.
2. Resources to resolve the incident: It has taken approximately 57.5 working days (equivalent to about 3 months of effort) to resolve the incident. In addition, one day of an external commercial company’s time was required. The estimated value of all this is £15,000.
3. Misunderstanding of the issue by staff: Some staff have perceived this as ‘hacking’ as opposed to the indiscriminate nature of this malware distributed by phishing emails. An all-staff email following this incident could be considered, both to address this issue, and to act as a reminder about the risk of phishing emails.
In addition to the negative impacts on the organisation, this attack has resulted in negative impacts for third parties, namely through the receipt of spam emails and possible exposure of personal data. The attack led to the stealing of an unknown number of email addresses, which in themselves could be considered personal data under data protection legislation.

2 Lessons Learned

  • Employing a cyber security consultancy company to investigate the issue was a positive move. It allowed the cause of the issue to be identified very quickly. However, normal procurement practices were bypassed in order to procure the services quickly. It may be worth considering having a cyber security company ‘on retainer’ for this type of incident.
  • Our investigations ignored the content of the emails, as we assumed the fact that they weren’t sent from our servers meant that they couldn’t provide any information about the cause of the issue. However, the method used to provide the diagnosis of Emotet was to download the documents linked in the emails to understand the payload they were carrying, and therefore the source of the incident.

3 Changes made

  • Increased focus, by more IT Team Members, on current antivirus solution - quick training deployed to IT Support to assist with comprehensive configuration of antivirus server settings. Upgrade being performed to move all clients to the new antivirus endpoint product.
  • Key IT staff are now members of the National Cyber Security Centre’s ‘Cyber Security Information Sharing Partnership’ (CiSP), which allows participants to securely share information about current cyber threats.
  • Staff access to the shared email folder in which customer registration confirmation emails are stored (for confirmation purposes) was removed, so that customer email addresses would not be visible to a recurrence of this malware.

4 Recommendations

  • The organisation does not have a Cyber Security Incident plan, and no staff are formally trained in incident management. In the same way that an IT Disaster Strategy and Plan exist, a similar strategy and plan should be considered for Cyber Security Incidents (or combine the two together).
  • It is important for the organisation to start a programme of educating its staff about cyber security, in particular the elements where staff are the weakest link, for example phishing emails. Cyber security is now being included in the compulsory staff training sessions: a ten-minute segment covers passwords, mobile devices, phishing emails, and online safety. However, there are many other areas of cyber security that need to be shared. Related to this, simulated phishing tests may be employed in order to further educate staff and to measure the organisation’s risk from phishing attacks. Much of this, and more, will be reviewed in detail as part of the project to obtain Cyber Essentials Plus certification.
  • Investigate layered solutions (e.g. deploy a dedicated anti-malware solution alongside traditional antivirus, or upgrade the firewall to include Intrusion Detection and Intrusion Prevention functions) to identify or stop potential attacks.
  • The organisation should continue work to minimise the sharing and retention of personal data to ensure that data are retained, shared, and accessible only as required, and wherever possible held within managed information systems rather than email.