Compass IT Compliance Blog

MS-ISAC Warning About Emotet Malware

In this blog we’ll be discussing the Emotet malware program, particularly regarding the most recent and ongoing malspam campaign using the Multi-State Information Sharing and Analysis Center (MS-ISAC), and State, Local, Tribal, and Territorial (SLTT) branding.

What is Emotet?

Before we go into Emotet, we should explain what malware actually is. Malware is software that is designed to cause damage to a host after it is implanted on a target. These types of attacks usually come in the form of executables or scripts. The Emotet malware program was first identified in 2014 and is a member of the Feodo family of trojan malware. Its delivery comes in the form of fake invoices or JavaScript (.JS) files. When these files are executed, Emotet can then infect the current host. Once Emotet has infected a host, the malicious file is able to intercept, log, and save outgoing network traffic via a web browser. It can also scrape data from a victim’s emails. This breach of sensitive data has often led to compromised banking accounts or email data. The program has also been documented to change its behavior to mislead investigators.

The NIST Cybersecurity Framework - The Recover Function

WannaCry Lives On! Have we Learned Anything?

As the one-year anniversary of the most widely spread ransomware attack approaches, WannaCry is still active in the wild. Fortunately, so is the “kill switch” domain, rendering the attack mostly benign. During the WannaCry outbreak MalwareTech, a UK-based researcher, discovered that WannaCry attempted to contact an unregistered domain. When this domain was registered, any newly infected devices that made a successful connection to this domain would place the malware into a dormant state. This is known as sinkholing and has removed the teeth from WannaCry so far. However, it is not a perfect fix. Only newly infected devices are rendered harmless, and only so long as they can reach the kill-switch domain, as Boeing recently discovered. In March several dozen computers in Boeing’s Commercial Airline division were suddenly infected with the full WannaCry ransomware attack.

The NIST Cybersecurity Framework Functions - Protect

As promised in last month’s blog about the NIST Cybersecurity Framework Identify function, this month we are discussing the Protect function. After an organization has addressed the five categories within the Identify function (Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), and Risk Management Strategy (ID.RM)), the next step that should be considered is what will protect the items within those categories, and how. While all parts of the framework are important and serve a critical purpose in the overall security of an organization, in my opinion, the Protect function should be considered the most important. The Protect function is the largest portion of the NIST Cybersecurity Framework and is defined as: "Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services." The Protect function is further broken down into six categories (outlined below) which identify specific areas that organizations should consider in their risk management analysis. Of the 98 subcategories within the NIST Cybersecurity Framework, 35 are addressed within the Identify function.

New Version of the Critical Security Controls Released

Last month, the Center for Internet Security (CIS) released version 7.0 of the Top 20 Critical Security Controls. This represents a significant revision from the previous version (6.1) and introduces some interesting changes. Before we dig into the changes to the controls, if you are not familiar with what they are, let’s run through a brief overview.