MSPs continued: Resurgence of Emotet Malware

Building on the last post regarding MSPs and cybersecurity, here is a real-world example of items that might not be covered if your business has not developed a comprehensive cybersecurity program by working with an organization that focuses specifically on cybersecurity. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert stating that the Emotet malware has reemerged after a dormant period that began in February 2020.

Emotet typically enters a network via phishing emails and from there spreads throughout the network, which underlines the importance of cybersecurity training for end users. The mitigations below are taken from the CISA advisory; many of them are general best practices that apply well beyond this one threat. In some cases an MSP may not be implementing or performing these activities, which would otherwise come out as recommendations from an assessment or from work to develop a cybersecurity program. Bound Planet’s comments (shown in orange on the original page) follow the relevant items after a dash.

  1. Block email attachments commonly associated with malware (e.g., .dll and .exe).
  2. Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
  3. Implement Group Policy Object and firewall rules.
  4. Implement an antivirus program and a formalized patch management process.
  5. Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
  6. Adhere to the principle of least privilege. – Likely not a part of your MSP’s management solution.
  7. Implement a Domain-Based Message Authentication, Reporting & Conformance validation system. – Likely not a part of your MSP’s management solution.
  8. Segment and segregate networks and functions. – Likely not a part of your MSP’s management solution.
  9. Limit unnecessary lateral communications. – Likely not a part of your MSP’s management solution.
  10. Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication. – Likely not a part of your MSP’s management solution.
  11. Enforce multi-factor authentication. – Likely not a part of your MSP’s management solution.
  12. Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
  13. Enable a firewall on agency workstations, configured to deny unsolicited connection requests. – Likely not a part of your MSP’s management solution.
  14. Disable unnecessary services on agency workstations and servers. – Likely not a part of your MSP’s management solution.
  15. Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  16. Monitor users’ web browsing habits; restrict access to suspicious or risky sites. – Not all MSPs offer this protection.
  17. Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  18. Scan all software downloaded from the internet prior to executing.
  19. Maintain situational awareness of the latest threats and implement appropriate access control lists.
  20. Visit the MITRE ATT&CK Techniques pages (linked in table 1 of the CISA alert) for additional mitigation and detection strategies.
  21. See CISA’s Alert on Technical Approaches to Uncovering and Remediating Malicious Activity for more information on addressing potential incidents and applying best practice incident response procedures.
  22. See the joint CISA and MS-ISAC Ransomware Guide on how to be proactive and prevent ransomware attacks from happening and for a detailed approach on how to respond to an attack and best resolve the cyber incident.
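Items 1, 2 and 15 above describe a gateway check that can be automated: refuse executable and unscannable attachment types, and confirm that an attachment’s extension agrees with its file header (its “true file type”). The Python below is an added example, not code from the CISA alert or from Bound Planet; the block lists, the magic-byte table and the sample attachments are constructed assumptions to be tuned for your own environment.

```python
import os
# Extensions blocked outright (item 1) and archives the gateway antivirus cannot
# look inside (item 2). Both sets are constructed for this example.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr"}
UNSCANNABLE_EXTENSIONS = {".zip", ".7z", ".rar"}

# File-header magic bytes and the extensions that legitimately carry them (item 15).
# "PK\x03\x04" is shared by ZIP and Office Open XML, so both are accepted for it.
MAGIC_SIGNATURES = [
    (b"MZ", {".exe", ".dll", ".scr"}),                                # PE executable
    (b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx"}),            # ZIP container
    (b"%PDF", {".pdf"}),                                              # PDF
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {".doc", ".xls", ".ppt"}),  # OLE2 legacy Office
]
SIGNED_EXTENSIONS = set().union(*(exts for _, exts in MAGIC_SIGNATURES))  # types with a known header

def true_type_extensions(header):
    """Return the extensions consistent with the leading bytes, or None if unknown."""
    for magic, exts in MAGIC_SIGNATURES:
        if header.startswith(magic):
            return exts
    return None

def classify_attachment(filename, header):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"{ext} is an executable type blocked at the gateway"
    if ext in UNSCANNABLE_EXTENSIONS:
        return "block", f"{ext} cannot be scanned by antivirus"
    expected = true_type_extensions(header)
    if expected is None:
        if ext in SIGNED_EXTENSIONS:  # claims a verifiable type but lacks its header
            return "quarantine", f"{ext} file has an unrecognised header; hold for review"
        return "allow", "no header signature to check; rely on antivirus scan"
    if ext not in expected:  # the "true file type" differs from the name
        return "block", f"{ext} does not match header (true type {sorted(expected)[0]})"
    return "allow", "extension matches file header"

if __name__ == "__main__":
    # Constructed sample attachments: (filename, leading bytes of content).
    samples = [("invoice.pdf", b"%PDF-1.7\n"),
               ("invoice.pdf", b"MZ\x90\x00\x03\x00"),  # executable renamed to .pdf
               ("quarterly.docx", b"PK\x03\x04\x14\x00"),
               ("report.zip", b"PK\x03\x04\x14\x00"),
               ("notes.txt", b"Hello")]
    for name, header in samples:
        verdict, reason = classify_attachment(name, header)
        print(f"{name:16} {verdict:10} {reason}")
```

The header check only catches type mismatches; a genuine .docx with a malicious macro still passes it and must be caught by the antivirus scan and the user-awareness measures in items 12 and 15.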