Working from home? Are you finally catching up on all those updates and patches that you’ve neglected to take the time to install over the past couple of months? Well, Microsoft has also put a pause on all non-essential patches during the coronavirus pandemic. It turns out cybersecurity is finally getting some validation that it too is an “Essential Service” to IT systems. Google led the charge and began with pausing all Chrome browser releases for the time being.
This approach by technology companies is unprecedented and causes extra attention to the normal patching and update cycle for system administrators. These are the same IT professionals who are incredibly essential to the virtual world in our remote work future and are currently getting overwhelmed with service desk support requests. Hackers know these IT pros are overwhelmed too. They are also keenly aware that IT admins are monitoring their email like a hawk now that it has become the office lifeline. With these notifications being sent out from technology providers with increasing frequency, IT admins might not see that typo-squatted domain from a bad actor. The out-of-band patching, increase in support tickets, and reliance on email communication creates the perfect environment for a hacker to successfully install ransomware on your systems.
When attackers are successful, they are increasingly using a trojan called Emotet. This piece of code essentially pushes ransomware onto and across corporate networks. It’s an effective dropper that can be embedded in email attachments that act as the hook in the phish. It can also be delivered through malicious URLs too. Once Emotet is in the network it will move laterally and brute force credentials as it goes. Since this is such an effective way of propagating malware, it is updated regularly by malware writers hoping to get in front of the latest anti-virus signatures.
This trojan is also paired with another trojan called Trickbot to deliver the lockdown. Trickbot is module-based and can be configured to specific tasks like gaining persistence, stealing credentials, and creating encryption. Trickbot gains persistence by setting up a scheduled task that will automatically start if something happens to the impacted host. Usually, the user infected by this malware won’t even see any indication of it. Network admins will likely see changes in traffic and indicators reaching out to possibly blacklisted IPs. However, in this remote work world with several executives wanting their VPN issue fixed, it wouldn’t be a far stretch that this traffic might go unnoticed. Its usual exploit appears to be EternalBlue, that’s why it's critical that companies identify and patch internally as quickly as possible. After Trickbot has a landing pad on your network, it will use Emotet to reach out and download Trickbot to other machines and start the process all over again on a new host. Once Trickbot encrypts your systems, it's hard to recover normal business operations anytime soon.
This is where the reliance on working from home and your stressed-out system administrator takes the brunt of the attack. Hopefully, you have a good incident response plan in place that can be executed remotely. If this were to happen on a normal day, resources could gather in a war room to collectively work out the problems and fixes in person. However, this pandemic increases the complexity of gathering to resolve security incidents. Not only will responders have to rely on the same systems that might be infected just to communicate, but they might also be sick with COVID-19 as well. Bottlenecks appear everywhere during a crisis, don’t let these two pieces of malware add the third pathogen to its arsenal that amplifies the severity of this attack. Make sure you are performing tabletop exercises every year and everyone knows their responsibility.