The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency today issued a warning that state and local governments need to fortify their systems against Emotet malware attacks.

Emotet, which was first identified in 2014 and was originally a banking Trojan virus that primarily spread through malicious emails, has since evolved into a form of malware complete with its own botnet. An uptick in Emotet attacks was first detected in July and attacks have continued to increase, hence CISA’s new warning.

“Since August, CISA and MS-ISAC have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails,” CISA said in its alert. “This increase has rendered Emotet one of the most prevalent ongoing threats.”

Since July, Einstein, the DHS intrusion detection system that monitors federal civilian networks, has detected about 16,000 alerts related to the Emotet botnet.

“Emotet is difficult to combat because of its ‘worm-like’ features that enable network-wide infections,” the agency added. “Additionally, Emotet uses modular Dynamic Link Libraries to continuously evolve and update its capabilities.”

To protect against Emotet attacks, CISA recommends several basic security measures. They include blocking email attachments commonly associated with malware, such as DLL and EXE along with attachments such as ZIP files that cannot be scanned; implementing filters at the email gateway including blocking suspicious IP addresses at the firewall; implementing domain-based message authentication, reporting and conformance validation system for emails; and enforcing multifactor authentication.

Warning late is better than never, said Saryu Nayyar, chief executive officer of security information and event management firm Gurucul Solutions Pvt Ltd., noting that other countries had issued warnings a month before.

“Organizations are in a constant state of ‘catching up’ with these alerts, as the threats constantly change and evolve and security practitioners deploy their most effective tools,” Nayyar explained. “However, it will take a coordinated and concerted effort by governments around the world to put a dent in these international cybercriminal organizations.”

Chloé Messdaghi, vice president of strategy at cybersecurity training company Point3 Security Inc., said the resurgence of Emotet this year has been particularly dangerous. “What’s troubling is that so many city, county and state authorities are still running older tech which makes them far more vulnerable to attacks, and to data exfiltrations, as well as to innuendo about the security and reliability of our upcoming elections,” he said.

Mark Kedgley, chief technology officer at information technology security and compliance software firm New Net Technologies Ltd., said Emotet is always mutating and continues to evade detection by antivirus programs. “It has strong downloader capabilities, so is a carrier or conduit for other hacking tools and malware, such as credentials theft or ransomware,” he said. “And it has worm capabilities too, designed to spread the malware laterally within a network once it has breached defenses, usually via phishing.”

Image: Malwarebytes