Monitor your exposure

The Italian publisher TG Soft has just opened the doors to an online service called haveibeenEmotet. In this way you can check whether an email address or domain has been compromised and used for the distribution of Emotet, usurped for this purpose or simply used deliberately. The inventory is not necessarily complete and can therefore lead to false positives. However, it can be an interesting addition to the exposure monitoring tools by regularly monitoring its domain names, but also those of its main partners: if one of them suddenly appears as a positive contact can justify increasing the vigilance of its organization , especially by informing their employees.

Continuation of the article below

We tested the tool on the domain names of a few organizations that recently recognized that they were the target of cyber attacks, such as the Swiss watchmaker Swatch and the city of Besançon. On the one hand, TG Soft-Daten provide indications of a successful compromise: The domain swatchgroup.com has received at least one email linked to Emotet and at least five senders. The city of Besançon seems to have received at least 6 such emails and sent at least 35! The municipality of Grand Besançon Métropole also appears to be affected. It appears at least 27 times as the addressee and at least twice as the sender.

The Emotet attack seems to have turned there, and the domain of the Doubs department has been found to be at least 72 times the recipient of poisoned emails. The local prefecture appears at least twice recipient. However, since none of them appear as the sender, at this point it seems possible that the contagious messages did not compromise a system with respect to these destinations.

What happened at @Swatch? According to @VirITeXplorer, it may well be that #Emotet was there … #malspam pic.twitter.com/S5YXGs1KJr

– Valery Marchive (@ValeryMarchive) October 1, 2020

The CMA-CGM group, which recently fell victim to the RagnarLocker ransomware, has been the recipient of Emotet-related emails … no fewer than 138 times. However, the TG Soft database does not seem to be aware of any occurrences of shipments from the shipowner’s domain. At least September 23rd, date of the last database update haveibeenEmotet. For the record, CMA-CGM revealed the attack on Monday morning September 28. It will therefore be interesting to keep an eye on the next update and, by the way, to check whether the International Maritime Organization (IMO) is not displayed. This, in turn, has declared itself the victim of a computer attack and it is easy to imagine that the exchange between shipowners and the IMO is no exception.

While investigating TG Soft’s new service, we also identified worrying cases from a French local authority and a network equipment supplier. We immediately reported these two cases. Protecting against Emotet is nearly impossible – and against a possible later detonation of ransomware – by combining multiple filters, workstation protection, threat intelligence and logging under a continuous monitoring approach. This can start with macros being blocked in Word according to Group Policy Objects: Laurent Besset emphasizes in I-Tracing: “Apart from Excel, there are very few legitimate uses of Office macros. All of them have been giving recommendations in this direction for 5 years. “