Webinar presenters Christopher Satanek and Joshua Traynor answered a number of your questions after their presentation, “Understanding Emotet and How to Protect Your Agency.” Here are a few of their responses.
Audience Question: Do you have a good resource for training about phishing?
Joshua Traynor: We tend to write our security primers and general tips and advisories so we have a couple of things on our website just in the general awareness. We have our phishing primer as well as a spotlight, I believe, on phishing.
Chris Satanek: Beyond that, we also have things for how to deal with these credential issues. If you just go to CISecurity.org, I do know that you just pipe in there ‘phishing’, and there are a lot of resources there. We do have engagements through CIS. We can do limited phishing engagements and such through our parent organization, the Center for Internet Security.
Audience Question: You made reference to an acronym earlier, SMB. Can you explain what SMB is?
Chris Satanek: That’s the Server Message Block. What that does is when you are trying to pull network files down. Let’s say you have a server that’s sitting there, a network share folder. There’s a protocol for the way that you’re reaching out and transferring that information over. That protocol, also known as SMB, that’s what is being used in order to reach out and do that. It’s checking your credentials, it’s doing a lot of that. It used your credentials to see whether or not you have access to this and all that. There’s a lot of things out there that can abuse, let’s say EternalBlue is one of the things that’s out there that people have heard of. But what Emotet does is it abuses the fact that you have it and the way you implement it. It’s not necessarily a vulnerability, but you are allowing for the transfer of things between computers. Meaning that if Emotet has your credentials, you are allowing the transfer of Emotet between computers, because it’s just a file in this aspect. If you’re allowing file transfers between two computers instead of just a server-client transfer, then you’re pretty much allowing Emotet to abuse that privilege.
Audience Question: If a person receives an email that they suspect contains links or an attachment to Emotet but they don’t open the attachment and don’t click the link, is there any possibility to still be infected with Emotet?
Joshua Traynor: When a user receives an email with Emotet like that, if you do not click the link and do not enable the macros if they click the link, they cannot get Emotet. As of right now.
Audience Question: Do the perpetrators behind Emotet, are they specifically targetting specific organizations or is it just kind of an opportunistic thing?
Chris Satanek: Due to the high specification of the actors, we get a lot of people saying, “I’m being targetted.” But really it’s just the sophistication of an attack of opportunity. They’ve gotten your email somewhere and they’ve got tools that will scrape down such information and they’re sending it back out. Just like highly sophisticated phishing campaigns that are utilizing various intellectual property and insignia, stuff like that. Just the fact that it’s using that kind of branding so to speak, increases the likelihood that somebody will click it. But that does not mean it is targetting you specifically. It’s just due to the sophistication of the actors, you definitely feel targetted. But it’s definitely opportunistic in nature.
Audience Question: Are other countries being targeted by Emotet? It seems like the US is.
Joshua Traynor: There’s some great resources on Twitter actually. If you do a simple Twitter search for #Emotet. You’ll find a lot of that information and intelligence sharing that show that this is a worldwide problem. It is affecting countries all around the world, not just the US.
Chris Satanek: I will note that the US is heavily infected, overall by this. A lot more than others. Usually when you see it out there, yes, campaigns are being run everywhere. But a lot of campaigns get ran in the US.
Audience Question: For emails that contain links, will looking at the URL behind the link provide some insight as to whether or not the link is legitimate?
Joshua Traynor: Yes. If you have a service that protects those links you won’t be able to see what that link is. Those, in the case of Emotet, we believe that those mostly compromised web servers followed by ‘dash English’ or ‘dash invoice’, whatever the theme of the email is. You can generally just see that. It’s a doc but it can be difficult depending on how they compromise that server — that link might appear legitimate.
Chris Satanek: A lot of the times though, it says ‘Contact Us’ and then you look over it and it definitely in nature does not look like a contact link for that organization. It’s going to lead somewhere else. So always hovering is definitely key here in checking that. If it’s an unsolicited email for anything, I’m just automatically assuming that there’s something behind it.
Audience Question: Is the information that is being scraped from the computer being sold or is it being held on to for a future attack?
Chris Satanek: When I mentioned it a little bit ago, in the beginning, it was definitely being used for future attack. But just using it that way in order to increase the sophistication of the actors. With this new change in the module and the fact that this has opened up a lot more information to them. One of the possibilities behind this is that they are selling this information. We don’t know for sure and I’ve not seen any documentation anywhere. This is all postulating. I can see the fact that they’re getting their hands on a lot of information that they will probably start selling it if they’re not already.