Emotet brought down the entire network of a targeted organization by overheating all of its connected computers.

Microsoft’s Detection and Response Team (DART) observed that the Emotet attack began at “Fabrikam,” a pseudonym for the affected organization, when malicious actors targeted one of its employees with a phishing email. Once the recipient opened the attachment, the file informed them that it would open in cmd.exe format and communicate with the internet. Consent by the recipient allowed the file to steal the employee’s credentials and exfiltrate them to the attackers’ server.

Three days after this initial compromise, the campaign implemented its second stage by using the compromised employee’s email account to target other Fabrikam workers and external contacts with phishing emails. This stage enabled the operation to drop its Emotet payload on as many computers as possible. Just a few days after that, Emotet succeeded in maxing out the central processing unit (CPU) of all infected workstations, thereby freezing their machines. In so doing, the malware effectively took down the network and halted all IT operations at Fabrikam.

Ushering in the 2020s With Emotet

Emotet has begun the new decade with a bang. In early January, Cisco Talos revealed that it had witnessed a surge of activity in which the malware targeted the .mil and .gov top-level domains (TLDs). Less than a month later, IBM X-Force identified a campaign in which the threat leveraged tailored spam messages to target users in Japan. Also in February, Binary Defense disclosed a new variant of the malware that abused the wlanAPI interface to spread over a local area network (LAN).

How to Defend Against a Phishing Attack

Security professionals can help their organizations defend against an Emotet-laden phishing attack by using ongoing phishing simulations. Doing so will help teams evaluate their workforce’s familiarity with and preparedness against email attacks. Additionally, infosec personnel should leverage a least privilege model to limit the number of employees who can access high-value systems and data.

More from

Will the 2.5M Records Breach Impact Student Loan Relief?

Over 2.5 million student loan accounts were breached in the summer of 2022, according to a recent Maine Attorney General data breach notification. The target of the breach was Nelnet Servicing, a servicing system and web portal provider for the Oklahoma Student Loan Authority (OSLA) and EdFinancial. An investigation determined that intruders accessed student loan account registration information between June and July 2022. The stolen data includes names, addresses, emails, phone numbers and social security numbers for 2,501,324 student loan…

Containers, Security, and Risks within Containerized Environments

Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan. In older approaches to application development, a developer would have a targeted system or set of systems for which they intend to create an application. This targeted system would be the mall. Then, when building the application, they would…

Inside the Second White House Ransomware Summit

Ransomware is a growing, international threat. It's also an insidious one. The state of the art in ransomware is simple but effective. Well-organized criminal gangs hiding in safe-haven countries breach an organization, find, steal and encrypt important files. Then they present victims with the double incentive that, should they refuse to pay, their encrypted files will be both deleted and made public. In addition to hundreds of major attacks around the world, two critical ransomware incidents — the Colonial Pipeline…

Did Brazil DSL Modem Attacks Change Device Security?

From 2011 to 2012, millions of Internet users in Brazil fell victim to a massive attack against vulnerable DSL modems. By configuring the modems remotely, attackers could redirect users to malicious domain name system (DNS) servers. Victims trying to visit popular websites (Google, Facebook) were instead directed to imposter sites. These rogue sites then installed malware on victims' computers. According to a report from Kaspersky Lab Expert Fabio Assolini citing statistics from Brazil's Computer Emergency Response Team, the attack ultimately…