Remember Emotet? No, we are not talking about some Egyptian King and the latest exhibition showcasing his treasures. It’s the name of one of the most vicious pieces of malware of recent history. It has made the rounds for several years but reports from last week that it could be spread through blogs and websites based on WordPress, made us want to share this news with you and how you can protect yourself.
Emotet – The Origins
First identified in 2014, the original purpose of Emotet seemed to be that of a banking malware: it was supposed to sneak onto computers to obtain financial information like credit card details. Since then it hasn’t stopped in its development and instead evolved tremendously over the years, becoming major threat that infiltrates corporate networks and spreads other strains of malware. As a result, the U.S. Department of Homeland Security issued an alert in July 2018 highlighting that Emotet infections have cost SLTT governments up to $1 million per incident to remediate.
Important Payments and Deliveries
Primarily spread through spam emails, the Emotet trojan may arrive either via malicious script, macro-enabled document files, or malicious link. Emails containing the malware often look like legitimate emails using familiar branding. The objective is that the user clicks on the infected files, which is in many cases is increased by calls to action and who hasn’t seen something similar: a well-known and often used company asking you to review terms of business, banks informing you of important payments or bills to pay or deliveries that could not reach you from parcel companies. There is no limit to imagination and everything goes.
It is not in numbers?
Despite being such a common sight, it still seems to be fairly successful and following a fairly long hiatus that lasted nearly four months, Emotet is back with an active spam distribution campaign. It isn’t so much the increased activity of this malware that caused us to focus on the problem. Despite the unpleasant consequences of this vicious intruder, it is another aspect that we found extremely alarming. 360TotalSecurity reported last week that Emotet might actually have found a way to use blogs to spread the dangerous trojan. The software company found that the C&C servers that issued the Emotet Trojans all use the WordPress framework” and that “the corresponding website types are diverse, including personal blogs, news, social networking sites, etc”.
The hackers would therefore exploit certain security vulnerabilities of WordPress, hijack a large number of websites built on WordPress and use them as the server for the Emotet that distributes the trojan.
And that is the problem that concerned us in particular: there is no shortage of websites that use WordPress. In fact, according to usage stats, WordPress is the world’s most popular content management system powering 34% of all websites on the internet. Plus, we are not talking about some basement boutique blog on some random niche topic – WordPress sites account for 14.7% of the Top 100 websites in the world including TED, NBC, CNN, TechCrunch, People magazine, the NFL, Best Buy, CBS Radio, and UPS, but if you would like to see more big names of Fortune500 companies using it, have a look at the WordPress Website Showcase.
It is the sheer amount of opportunities that is so concerning and there seems to be so little between millions of websites and coding thugs, so that the proverbial unity that is the foundation of our strength and that Thomas Paine was talking about (“It is not in numbers, but in unity, that our great strength lies”) might be hard to achieve.
What to do about it
But, of course, not all is lost and prewarned means to be prearmed since prevention is the best defense (especially in light of the extraordinary costs for rectifying a successful attack as pointed out above by Homeland Security). There are ways to reduce the probability of a successful attack:
To begin with, endpoint protection programs that are constantly updated and offer advanced security features are a must. Remote devices present an immense challenge for the protection of business networks, especially since mobile devices like laptops, smartphones, tablets, notebooks as in their use in the corporate environment has led to a sharp increase in the number of devices being lost or stolen as well and as such presenting a huge risk of losing sensitive enterprise data. Endpoint protection has therefore to be a cornerstone in any useful cyber strategy.
The second aspect, obviously, is the human element: in particular in the case of phishing emails, humans often are the weakest link and signify the smallest obstacle in order to get on the inside of a company’s walls. The annual cost of cybercrime is estimated at approximately $600 billion or 0.8% of global GDP and many of the successful cybercrime campaigns that have made the headlines have their origins in the negligent behavior of an employee opening a seemingly harmless email attachment (though often these activities are little bit more sophisticated).
The training of company employees is therefore of paramount importance as well as the monitoring of third party providers’ activity as more and more functions are outsourced in organizations of all sizes. Needless to say, that this is not only limited to the education of staff in terms of prevention, but also with regard to the detection of an attack or worse a breach and its subsequent response.
The WordPress issue – as seen above – affects companies of all sizes and while large companies offer plenty of backdoors, startups are more likely to lack resources or needed focus on the problem.