The document discusses various modern cyber threats like Emotet and ransomware, describing how Emotet spreads through malicious emails and payloads, evolves constantly, and aims to install ransomware or other malware on infected systems. It also outlines Sophos' defenses against Emotet through application control, web protection, and endpoint detection and response capabilities to detect and block malicious activity. The document concludes by discussing how phishing attacks have become the weakest link by targeting employees and Sophos' phishing security tool called Phish Threat to educate and test users through simulated phishing campaigns.
Netpluz - Managed Firewall & Endpoint Protection
1. Lim Chee Keong
Senior Security Solution Engineer
May 2019
Ransomware and Modern Threats
2. What We're Going to Cover
• Ransomware Playbook
  o What it is, what it does
• Understanding EMOTET
• Sophos EDR - Threat Hunting
• Phish Threat
5. EMOTET
2014: Banking Trojan. First seen; occasional attacks.
"Amongst the most costly and destructive threats to U.S. businesses right now"
U.S. Department for Homeland Security, 2018
2019: Crimeware-as-a-Service. Constant evolution; upgraded evasion; sandbox evasion.
Malware families shown on the timeline: Qakbot, Dridex, IcedID, Ryuk, ZBot, TrickBot
6. Emotet payloads change constantly
[Chart: # of unique Emotet payload executables seen by SophosLabs per day over 15 days, y-axis 0 to 800. Daily counts as extracted: 375, 388, 343, 414, 208, 393, 338, 270, 179, 214, 125, 248, 751, 119, 129]
300 new payload executables every day
7. Emotet's Goals
• Spread across network
• Skim email addresses and names
• Send spam to infect other organizations
• Download any malware payload(s)
• Be a smokescreen for targeted ransomware
• Steal browser histories, usernames and passwords
Impact: data breach; security breach; reputation damage; primary infection; secondary infection. High Impact.
9. An Emotet Attack
1. Infiltrate: the cyber criminal sends a spam email to a target on your network
2. Call Home: register success with the C&C servers; get instructions and payload
3. Spread: spread to other systems on the network
A. Steal Data: upload email addresses, user names and passwords
B. Bot Attack: send spam to infect other orgs
C. Payload: install banking Trojan; install ransomware
11. Anatomy of an Emotet Attack
[Threat case graph: Outlook, parent to Word (rgnr-avr111205-85.doc), parent to cmd.exe, parent to PowerShell, parent to 431.exe, parent to a second 431.exe; a Printer Driver Host process also appears. Artefact counts annotated on the graph: 75 registry keys, 1 IP address, 386 files; 9 files; 45 registry keys; 14 registry keys; 2 files; 89 files]
STAGE 1: User received a malicious email (malspam)
STAGE 2: User clicks on a malicious attachment, a document called "rgnr-avr111205-85.doc"
STAGE 3: User enables malicious macros in the document
STAGE 4: The macro uses cmd.exe (Command Prompt) to execute malicious, obfuscated code
STAGE 5: cmd.exe launches a second copy of cmd.exe
STAGE 6: This new instance of cmd.exe launches and executes PowerShell
STAGE 7: PowerShell connects to an IP address and downloads a file called 431.exe
STAGE 8: PowerShell executes 431.exe which, in turn, executes a second copy of itself
STAGE 9: Intercept X detects PowerShell connecting to a suspect IP address and downloading an exe with unknown reputation, blocks this behavior and identifies the root cause (Outlook).
12. Emotet Attack Chain
Attack chain stages: Delivery, Exploitation, Installation, Command & Control, Actions on Objective (diagram labels: Click, xyz.com, SFX, ***)
Intercept X protection layers mapped onto the chain: Application Control; Malicious Traffic Detection; Web Protection; Local Privilege Mitigation; Deep Learning; Application Lockdown; Anti-Exploit (Code/Memory/APC) Mitigations; HIPS; Threat Case (RCA) & EDR; Runtime HIPS; Credential Theft Protection; Anti-Ransomware
16. The Changing Focus of Cyber Attacks
Yesterday: target systems, applications and networks with malicious content
Today: target the weakest link, the employees, with social engineering and deception
17. Sophos Central Phish Threat
Educate and test your users to spot attacks
1. TEST: over 140 attack templates using real threat intelligence
2. TRAIN: deliver over 30 interactive security training courses
3. MEASURE: campaign reporting; measure organization and individuals
Diving into the agenda for today:
- We're going to start by looking at what Emotet is and how it works. We've got the latest updates from Sophos Support and SophosLabs to share with you.
- We'll then look at how Sophos solutions help protect you against Emotet. We're going to look holistically, at both the endpoint and the network level.
- We'll explore what to do if you have the misfortune to be hit by Emotet.
- And finally we'll close out with the three best practice steps we recommend every organization follows to maximize their Emotet protection.
Emotet is a really sophisticated, really nasty worm.
Indeed, the US Department of Homeland Security considers it amongst the most costly and destructive threats to US businesses right now. Not that it limits itself to the US; more on that in a moment.
Emotet is not a new piece of malware, but it's one that's got steadily more complex and more destructive.
We started seeing Emotet five years ago. It started off as a Trojan that silently stole banking credentials. Since then it has evolved into a highly sophisticated platform for distributing other kinds of malware. It's crimeware as a service.
Emotet serves up whatever malware pays. So far this year that's meant TrickBot and QBot banking Trojans, although it's also been linked with BitPaymer, a strain of sophisticated ransomware that extorts six-figure payouts.
The people behind Emotet are highly professional, financially motivated and they're constantly evolving their threat to make it more powerful and destructive.
And when I say "constantly evolving" I really mean it!
One of the characteristics of Emotet is that its payloads change all the time. This graph here shows the number of new unique Emotet payload executables seen by SophosLabs in the last two weeks of January this year.
As you can see, there are literally hundreds of versions every single day.
In fact, on average, SophosLabs sees around 300 new unique payload executables every day, and saw almost four and a half thousand (4,494) unique payload executables in the last 15 days of January alone.
So that's what Emotet is. Let's take a look now at what Emotet does.
Unfortunately the answer is "lots of things".
Once inside your computer, Emotet tries to:
1. Spread onto as many machines as possible. It's a worm, so it can spread without user interaction. It moves from one infected computer to another via the network.
2. Send malicious emails to infect other organizations
3. Download a malware payload. Traditionally the payloads have mostly been banking Trojans, with Trickbot the most prevalent. Its payload injects code into your browser to automatically debit your bank and PayPal accounts when you next login.
4. Some Emotet variants skim email addresses and names from email client data and archives, likely so they can be sold as part of a wider list and used to spread more malicious spam.
5. Others inspect your web browser, stealing histories and saved usernames and passwords.
6. To compound the pain, Emotet can also be a smokescreen for targeted ransomware attacks. While organizations are dealing with Emotet infections, ransomware like BitPaymer takes advantage of the distraction to hold the organization's data hostage.
Emotet's activities are hugely damaging for impacted organizations:
- reputation damage from sending spam
- a primary infection, often a banking Trojan that leads to $$$ loss
- a data breach from email data loss, bringing in compliance / GDPR concerns
- a security breach from the loss of user names and passwords
And potentially a secondary infection, usually a ransomware attack that tries to extort more $$$
So that's how Emotet works. Now let's look at how you can defend against it with Sophos.
To understand how Sophos protects against Emotet we need to dive into the attack in some detail.
As we've seen, Emotet typically starts with a spam email with a malicious attachment.
Once into the network it will call home to let the hacker know it's successful, and get updates, instructions and payloads.
It then spreads, and being a worm it can do this without user activity, although it does take advantage of unpatched vulnerabilities such as the EternalBlue exploit.
Next, as we've seen, it can carry out a range of unpleasant activities:
Steal email addresses
Steal browser histories, user names and passwords
Send spam to infect other organizations
Install banking Trojans
Deliver ransomware
Sophos protects against Emotet in multiple ways
Block the attack from entering the network in the first place
Stop Emotet from spreading to other parts of the network
Prevent Emotet from calling home
Stop Emotet from infecting your endpoints and installing banking Trojans or ransomware
Block it from stealing sensitive data
Stop Emotet from sending spam to infect other organizations
Let's have a look in more detail…
Let's start by looking at how Intercept X Advanced with EDR helps stop Emotet from infecting your customers' endpoints.
Let's look at how Emotet works in a bit more detail with the help of this threat chain.
This is a real case, from Sophos support, and we're using the EDR capabilities in Intercept X to see what's happened here. We did have to disable some protections to see the full threat chain, as usually this would have been stopped much sooner.
It starts with the user receiving a malicious email.
The user then clicks on a malicious attachment
And then the user enables malicious macros in the document.
The macro uses CMD to execute obfuscated code
CMD then launches a second copy of CMD
That second copy launches Microsoft PowerShell
PowerShell connects to an IP address and downloads a file called 431.exe
PowerShell executes 431.exe
Intercept X detects PowerShell connecting to a suspicious IP address and downloading an exe with unknown reputation, and blocks this behaviour, and identifies the root cause - Outlook
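The stages just walked through (and on the "Anatomy of an Emotet Attack" slide above) are exactly the parent/child chain an EDR threat case reconstructs: the process that made the network connection and dropped the executable is several hops below the real root cause. The Python below is an added example, not Sophos code or Intercept X logic. It rebuilds a process tree from constructed endpoint telemetry, flags a PowerShell instance that descends from an Office application via cmd.exe, made a network connection and wrote an .exe that it then launched, and walks the tree back to the root-cause process. The event schema, PIDs, addresses and file paths are all assumptions made for this example.

```python
"""Reconstruct an Office -> cmd.exe -> PowerShell -> download -> execute chain
from endpoint telemetry and walk it back to the root-cause process.

Added example for this talk, not Sophos or Intercept X code. The event schema,
PIDs, addresses and paths below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe"}


@dataclass
class Process:
    pid: int
    ppid: int
    image: str
    cmdline: str
    net_connections: List[str] = field(default_factory=list)
    files_written: List[str] = field(default_factory=list)


# Constructed telemetry: (event_type, pid, ppid, image, detail). It mirrors the
# stages on the slide: Outlook -> Word (rgnr-avr111205-85.doc) -> cmd.exe ->
# cmd.exe -> PowerShell -> 431.exe -> 431.exe, plus some benign admin noise.
DROPPED_EXE = "C:\\Users\\user\\AppData\\Local\\Temp\\431.exe"
SAMPLE_EVENTS = [
    ("process_create", 100, 1, "OUTLOOK.EXE", "outlook.exe"),
    ("process_create", 200, 100, "WINWORD.EXE", 'winword.exe /n "rgnr-avr111205-85.doc"'),
    ("process_create", 300, 200, "cmd.exe", "cmd.exe /c <obfuscated>"),
    ("process_create", 310, 300, "cmd.exe", "cmd.exe /c <obfuscated>"),
    ("process_create", 400, 310, "powershell.exe", "powershell.exe -nop -w hidden <redacted>"),
    ("network_connect", 400, None, None, "192.0.2.10:80"),  # TEST-NET address, constructed
    ("file_create", 400, None, None, DROPPED_EXE),
    ("process_create", 500, 400, "431.exe", DROPPED_EXE),
    ("process_create", 510, 500, "431.exe", DROPPED_EXE),
    ("process_create", 600, 1, "explorer.exe", "explorer.exe"),          # benign noise:
    ("process_create", 610, 600, "powershell.exe", "powershell.exe"),   # interactive admin shell
    ("network_connect", 610, None, None, "192.0.2.20:443"),
]


def build_tree(events) -> Dict[int, Process]:
    """Fold creation, network and file events into per-process records."""
    procs: Dict[int, Process] = {}
    for etype, pid, ppid, image, detail in events:
        if etype == "process_create":
            procs[pid] = Process(pid, ppid, image.lower(), detail)
        elif etype == "network_connect" and pid in procs:
            procs[pid].net_connections.append(detail)
        elif etype == "file_create" and pid in procs:
            procs[pid].files_written.append(detail)
    return procs


def ancestry(procs: Dict[int, Process], pid: int) -> List[Process]:
    """Walk parent links from pid to the root: [process, parent, ..., root]."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def find_download_execute_chains(procs: Dict[int, Process]) -> List[dict]:
    """Flag a PowerShell that descends from an Office app, made a network
    connection, and wrote an .exe that it then launched. Report the root cause."""
    findings = []
    for p in procs.values():
        if p.image != "powershell.exe" or not p.net_connections:
            continue
        chain = ancestry(procs, p.pid)
        images = [q.image for q in chain]
        if not any(img in OFFICE_APPS for img in images):
            continue  # admin PowerShell from explorer.exe etc. is not this pattern
        dropped = [f for f in p.files_written if f.lower().endswith(".exe")]
        executed = [c for c in procs.values() if c.ppid == p.pid and c.cmdline in dropped]
        if not (dropped and executed):
            continue
        findings.append({
            "powershell_pid": p.pid,
            "remote": list(p.net_connections),
            "dropped": dropped,
            "executed_pid": [c.pid for c in executed],
            "chain": list(reversed(images)),   # root first, PowerShell last
            "root_cause": chain[-1].image,
        })
    return findings


def detect(events=SAMPLE_EVENTS) -> List[dict]:
    return find_download_execute_chains(build_tree(events))


if __name__ == "__main__":
    for f in detect():
        print(" -> ".join(f["chain"]), "| root cause:", f["root_cause"],
              "| downloaded from", f["remote"], "| dropped", f["dropped"])
```

The interactive admin PowerShell in the sample is deliberately left in: it also makes a network connection, but it has no Office ancestor and drops nothing, so requiring all three conditions (lineage, network, drop-and-execute) is what keeps the rule from firing on ordinary administration.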
Intercept X is packed with multiple layers of advanced technologies that provide sophisticated protection against Emotet.
Thinking back to the threat chain we saw earlier, Emotet:
Started with a spam email with a link to a Word document including macros
Word macro starts a PowerShell script, which connects to an IP address, and then downloads an .exe
It then spreads across the network, taking advantage of exploits like Eternal Blue, and SMB shares, and escalating privileges
It also communicates with the Command and Control servers to receive instructions and send back data
And then it carries out its payload, which may be delivering a banking Trojan, stealing data, installing ransomware…
Intercept X technologies protect at every part of that attack chain. You need these multiple layers of protection to secure against such a fast-moving, sophisticated threat as Emotet.
One area to particularly call out is the deep learning capabilities. The powerful AI technology in Intercept X enables it to predict threats that have never been seen before, which is essential for polymorphic malware like Emotet. We don't know what Emotet will look like next week, next month, but the predictive technologies can block threats that have never been seen before. It's your best possible future-proofing.
The function scheduled to run in 1 million seconds' time contains a full, base64 encoded copy of the GandCrab malware, which is loaded directly into memory by PowerShell. This technique is an attempt to dodge antivirus software by using a legitimate executable, PowerShell, and avoiding filesystem writes.
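Because nothing is written to disk in that technique, the place a defender can still see it is the process creation record and PowerShell's own script logging: the encoded argument is right there on the command line. The Python below is an added example (not Sophos code) that decodes an -EncodedCommand argument from a captured command line, looks for a long base64 blob embedded in the decoded script, and reports when it is combined with decode-and-load indicators such as a reflective assembly load. The command lines, the indicator list and the embedded "payload" (a harmless marker string) are constructed for this example; the flag spellings it accepts are an assumption and a production rule would widen them.

```python
"""Decode PowerShell -EncodedCommand arguments captured in process command lines
and flag scripts that decode an embedded base64 blob and load it in memory.

Added example, not a Sophos component. The command lines, indicator list and
the embedded 'payload' (a harmless marker string) are constructed here.
"""
import base64
import re
import shlex

# Common spellings of the flag; PowerShell also accepts other unambiguous
# prefixes, so a production rule would widen this (assumption noted).
ENC_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.I)

# Illustrative indicators of decode-and-load behaviour (constructed list).
INDICATORS = {
    "base64_decode": r"FromBase64String",
    "reflective_load": r"\[(System\.)?Reflection\.Assembly\]::Load",
    "dynamic_eval": r"Invoke-Expression|\biex\b",
    "download_cradle": r"Net\.WebClient|Invoke-WebRequest|DownloadString",
    "scheduling": r"Register-ScheduledJob|New-ScheduledTask|schtasks",
}


def extract_encoded_script(cmdline: str):
    """Return the decoded (UTF-16LE) script if the command line carries an
    encoded command, or None if absent or undecodable."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENC_FLAG.match(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def find_embedded_blobs(script: str, min_len: int = 64):
    """Long base64 runs inside a decoded script are a likely embedded payload."""
    return re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, script)


def analyse(cmdline: str) -> dict:
    """Classify one command line: not encoded / benign / suspicious / in-memory load."""
    script = extract_encoded_script(cmdline)
    result = {"encoded": script is not None, "indicators": [], "embedded_blobs": 0,
              "verdict": "not encoded"}
    if script is None:
        return result
    result["indicators"] = [name for name, pat in INDICATORS.items() if re.search(pat, script, re.I)]
    result["embedded_blobs"] = len(find_embedded_blobs(script))
    hits = set(result["indicators"])
    if result["embedded_blobs"] and {"base64_decode", "reflective_load"} <= hits:
        result["verdict"] = "in-memory payload load"
    elif hits:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "benign"
    return result


def encode_command(script: str) -> str:
    """Build the -EncodedCommand form of a script (used to construct samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples. MARKER stands in for the embedded payload; it is a
# base64-encoded text marker, not executable code.
MARKER = base64.b64encode(b"EXAMPLE-PAYLOAD-MARKER-NOT-CODE " * 3).decode("ascii")
SAMPLE_LOADER = ("$p = '" + MARKER + "'; "
                 "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($p)) | Out-Null")
SAMPLE_BENIGN = "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + encode_command(SAMPLE_LOADER),
    "powershell.exe -NoProfile -EncodedCommand " + encode_command(SAMPLE_BENIGN),
    "powershell.exe -Command Get-Date",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = analyse(line)
        print(r["verdict"], r["indicators"], "blobs:", r["embedded_blobs"])
```

An encoded command on its own is not a verdict; administrators and deployment tools use it legitimately, which is why the second sample decodes cleanly and comes back benign. The combination that matters is a long embedded blob plus the code that decodes and loads it, and that combination is only visible after decoding, so the decode step belongs in the pipeline rather than in an analyst's head.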
For over 30 years Sophos has been delivering innovative, simple, and highly-effective cybersecurity solutions to IT professionals and the channel that serves them.
And we understand that securing organisations today has a lot to do with educating employees around the cyber security threats they face
Whereas in the past attackers would target systems, applications and networks, today they often target the weakest link in organisations, the employees, with social engineering and deception.
Combine email security with simulated phishing attacks that allow you to test user awareness by emulating the tactics used by real phishing attackers, and couple that with training to educate end users so they know how to spot and stop the real thing. And perhaps most importantly measure progress and improvement to demonstrate ROI to the rest of the business.
Phish Threat from Sophos does all three.
With over 140 customizable attack templates fed by latest threat intelligence
Over 30 interactive training courses covering a range of security and compliance topics
And comprehensive reporting. Allowing you to measure performance by campaign, individual user, and at an organizational level to measure susceptibility to attack.
A range of customizable campaigns that mirror the tactics used in real phishing attacks.
Phishing link campaign: where we are trying to lure a user to click a phishing link
Credential harvesting: this time we are sending users to a fake credential harvesting website to enter username and password details (don't worry, we don't store any data)
Attachment campaigns: where we lure a user to open an attachment that could, in the real world, contain a malware downloader for instance
And lastly a Training-only campaign: no simulated attack this time. You create your own branded email and attach training
Each campaign style is fully customizable, from attack email to training landing pages and training reminder emails.
All templates and training are available in a choice of nine languages:
English
French
German
Italian
Spanish
Portuguese
Korean
Traditional Chinese
Japanese
And combine that with how quickly users are reporting simulated phishing emails, allowing us to monitor behavior changing from knowing to doing, a really important distinction when combatting real cyber threats.
And I'll add this is one of a number of reports and dashboards providing insight into organizational, campaign and individual behavior.
Well with the Outlook add-in for Phish Threat for enhanced reporting we can do just that.
Allowing users to report malicious emails direct from the inbox and passing that data feed to Sophos Email, Endpoint and web security products through SophosLabs.
And also surface that data in Sophos Central.