Cyber Alert: Social Engineering Implicated in Trojan Infection and Breaches

July 25, 2018

This alert contains information about the Emotet modular Trojan, a breach at the ComplyRight human resources company, and repeated breaches at the National Bank of Blacksburg, Virginia.

Emotet Trojan Warning

On July 20, the US Computer Emergency Readiness Team (US-CERT) of the Department of Homeland Security issued alert TA18-201A regarding the spread of the Emotet advanced modular banking Trojan. US-CERT describes Emotet as among the most costly and destructive malware affecting state, local, tribal and territorial governments, with remediation costs of up to $1 million per incident. Emotet has targeted banking customers in Germany and Switzerland, as well as computer networks worldwide.

Emotet enters systems through malicious email links or attachments, typically disguised as invoices or shipment notices, and functions primarily as a downloader or dropper of other banking Trojans. It spreads rapidly across networks using spreader modules such as NetPass.exe (recovers stored network passwords), an Outlook scraper (harvests names and email addresses from the victim's Outlook account for further phishing), password-recovery tools for browsers and mail clients, and a credential enumerator that brute-forces access to administrative shares with the harvested credentials. It opens the door to breaches of sensitive and proprietary information, to bank fraud, to ransomware, to distributed denial of service attacks and more. Emotet is polymorphic, which lets it evade typical signature-based detection, and it is virtual-machine aware and may behave differently (or generate false indicators) when run in a sandbox; it continues to evolve.

US-CERT suggests multiple methods for preventing infection and for remediating infected networks. It stresses user training, and warns against logging in to infected systems with domain or shared local administrator accounts during remediation, since Emotet harvests those credentials and uses them to spread further.

ACA Aponix Guidance

ACA Aponix recommends taking the following precautionary measures:

  • Conduct a risk assessment to detail assets that could be at risk and recommended security practices that may assist in protecting those assets, including usage of next-generation antivirus and/or data loss prevention software.
  • Apply security updates and install future updates as soon as they are released.
  • Train system users not to open attachments in emails from senders they don’t know and to hover over suspicious links to see the true destination before clicking.
  • Take recommended remedial steps, including using non-privileged accounts when investigating, isolating and reimaging infected workstations, and reviewing log files and Microsoft Outlook mailbox rules for affected accounts for signs of further compromise, such as rules that auto-forward mail to an external address.
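The mailbox-rule review in the last step is easy to do by hand for one account and tedious for a whole tenant. The script below is an added example (not code from US-CERT or ACA Aponix) that triages an export of inbox rules for the patterns an attacker with stolen mail credentials typically leaves behind: forwarding or redirecting to an address outside the organisation, silently deleting messages, and rule names made only of punctuation. It assumes the rules were exported to CSV with columns named after the Exchange Get-InboxRule properties (ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage); the sample rows, the internal domain list and the mailbox names are constructed for the example.

```python
"""Triage exported Outlook/Exchange inbox rules for signs of post-compromise abuse.

Flags (1) rules that forward or redirect mail to an external address, (2) rules
that delete messages (used to hide an attacker's correspondence from the owner),
and (3) rules whose name is blank or punctuation-only (a common hiding trick).

The CSV layout and the sample rows are constructed for this example; the column
names mirror the Get-InboxRule properties of the same name.
"""
import csv
import io
import re

# Domains the organisation owns (assumed for the example); anything else is external.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Matches bare addresses and the "[SMTP:user@host]" form Get-InboxRule emits.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# A rule name consisting only of whitespace or punctuation is suspicious.
SUSPICIOUS_NAME_RE = re.compile(r"^[\s.,_-]*$")

# Constructed sample export, as a CSV dump of Get-InboxRule output might look.
SAMPLE_EXPORT = '''MailboxOwnerId,Name,Enabled,ForwardTo,ForwardAsAttachmentTo,RedirectTo,DeleteMessage,MoveToFolder
alice@example.com,Newsletters,True,,,,False,Inbox\\Newsletters
alice@example.com,...,True,"""Mail Drop"" [SMTP:drop.box@mail-collector.net]",,,True,
bob@example.com,Copy to assistant,True,carol@corp.example.com,,,False,
bob@example.com,Invoices,True,,,"[SMTP:acct-review@example.com];[SMTP:ext@gmail.com]",False,
dave@example.com,Clean up,True,,,,True,
'''


def extract_addresses(field):
    """Pull every SMTP address out of a recipient field (any display-name format)."""
    return [a.lower() for a in ADDRESS_RE.findall(field or "")]


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True unless the address's domain is, or is a subdomain of, an internal domain."""
    domain = address.rsplit("@", 1)[1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def triage_rules(csv_text, internal_domains=INTERNAL_DOMAINS):
    """Return a list of findings, one per enabled rule that matches a suspicious pattern."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Enabled", "True").strip().lower() != "true":
            continue  # disabled rules take no action; review them separately if desired
        reasons = []
        external_forward = False
        for col in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            ext = [a for a in extract_addresses(row.get(col)) if is_external(a, internal_domains)]
            if ext:
                reasons.append(f"{col} external: {', '.join(ext)}")
                external_forward = True
        if row.get("DeleteMessage", "").strip().lower() == "true":
            reasons.append("DeleteMessage")
        name = row.get("Name", "")
        if SUSPICIOUS_NAME_RE.match(name):
            reasons.append("blank or punctuation-only rule name")
        if reasons:
            findings.append({
                "mailbox": row["MailboxOwnerId"],
                "rule": name,
                # Exfiltration to an outside address is the clearest breach signal.
                "severity": "high" if external_forward else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_rules(SAMPLE_EXPORT):
        print(f"[{f['severity']}] {f['mailbox']} rule {f['rule']!r}: {'; '.join(f['reasons'])}")
```

Run against a real export, the "high" findings are the accounts to lock first and to check the audit log for. A DeleteMessage rule on its own is often legitimate housekeeping, so the script reports it at medium severity for a human to judge rather than discarding it.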

ComplyRight Breach

ComplyRight, a Florida-based provider of human resources services to small businesses, has reported a data breach affecting 662,000 people. The company handles online tax form submissions for up to 76,000 organizations. Between April 20, 2018 and May 22, 2018, sensitive personal information was accessed by unauthorized parties.

Although the company touts encryption of data in transit, the breach has been attributed to malicious code likely installed on a related website, which recorded keystrokes as workers entered tax forms. Encryption in transit does not help here: the data was captured in the browser before it was ever sent.

The company is offering 12 months of free credit monitoring to affected individuals in response to the data breach.

ACA Aponix Guidance

ACA Aponix recommends taking the following precautionary measures:

  • If affected, use the free credit monitoring offered by ComplyRight.
  • Assume that your static personal data is likely already available for sale on the dark web.
  • Place a security freeze with the major consumer credit bureaus so that your personal information cannot be used to open new credit unless you lift the freeze yourself.
  • Conduct vendor diligence upon procurement and periodically thereafter to understand which vendors could be at greater risk of exposing sensitive data, such as employee HR data.

National Bank of Blacksburg Breaches

As reported by KrebsOnSecurity, the National Bank of Blacksburg, Virginia, fell prey to two separate breaches over a period of eight months, in May 2016 and January 2017. Total losses for the bank approached $2.4 million.

Both breaches were attributed to hackers of Russian origin. The attackers gained access to the bank's systems via targeted phishing emails, moved laterally across systems, reached the bank's financial industry networks and card-management tools (including the STAR debit card network), disabled or altered anti-fraud controls on debit accounts, and cashed out through ATM withdrawals. The second breach succeeded despite a forensic investigation after the first, largely because the initial foothold was again gained through social engineering rather than through a technical flaw.

National Bank is currently suing its cyber insurance provider, which contends that the nature of the attack and the methods used limit its obligation to pay the claim in full.

ACA Aponix Guidance

ACA Aponix recommends taking the following precautionary measures:

  • Review network segmentation and internal firewalls to minimize the ability of attackers to move laterally across a network.
  • Provide recurring training to system users for prevention of phishing and other social engineering schemes.
  • Carefully review existing cyber insurance policies with professional help, paying particular attention to the riders and sub-limits that determine which kinds of incidents are covered and for how much.

How ACA Can Help

ACA Aponix offers the following solutions that can help your firm protect itself from malware, breaches, or related cybersecurity risk:

For More Information

If you have questions, please contact your regular ACA Aponix consultant or email us at