At the end of January 2021, Europol announced that a coordinated group of international authorities had taken control of the Emotet botnet infrastructure. Prior to this takedown, Emotet had spread itself using previously compromised email addresses to send tens of thousands of messages with malware-laden attachments, using a technique called thread hijacking. Because of this method of proliferation, the takedown effort left a huge number of still-compromised email addresses vulnerable to further exploitation.

Emotet compromised accounts cleanup

Preventing these email addresses from potentially being abused by other malefactors was a necessary but complicated step. In mid-April, one of the law enforcement agencies involved in the takedown reached out to Spamhaus to ask if we could leverage our experience to help get the passwords for those email accounts changed. We were provided with a list of approximately 1.3 million compromised email accounts, which we broke down into over 22,000 unique domains and roughly 3,000 responsible networks. To help these email providers, networks and their users/customers, we created a dedicated web page. It provides information about the Emotet botnet, describes the remediation process, and offers a method of securely providing the necessary data to the correct network owners. Having contacted everyone responsible and provided additional support where needed, we can safely say that over 60% of the compromised accounts have now been secured. Spamhaus would like to thank the Abuse Desks, Trust & Safety departments and end users that took action - it really makes a difference!

However, as we warned in a blog post published in January 2021, it is very important to recognize that this is not the end of the story.

The malware Emotet dropped remains a persistent and imminent threat

Six months after the Emotet takedown, a new picture is coming into focus.
Emotet may be down, but the lucrative modus operandi of thread hijacking that it popularized is being used by other ransomware botnets. Many of these attacks begin with a successful email phishing campaign, which installs a spam-sending module and then begins email thread hijacking: the insertion of poisoned emails into existing email threads with the intent of fooling recipients into opening them. Once a malware-laden attachment has been opened, the threat actors can perform thorough network reconnaissance and drop additional malware onto the compromised computer. This chain of events often leads to the most attention-grabbing threat of the moment: entire networks being hijacked by ransomware. While different types of malware are used to accomplish these attacks, we see that the variants previously dropped by Emotet are still very much alive: TrickBot steals access credentials for bank accounts, and is usually paired with the encryption trojan Ryuk - see below the graph for some examples of successful recent attacks.
Ransomware post-Emotet

There has been a shift in attack type and frequency: criminals are moving from stealing data to actively disrupting operations. With this, the damages increase by orders of magnitude when the target is physical infrastructure or healthcare services. The following incidents illustrate that:
Prevention beats remediation

Ransomware attacks are rapidly increasing in frequency and scope, with ever-larger ransom demands. They are now an established threat with vast implications, and they can often be prevented by stopping the initial phishing campaign. Practicing basic email and network security is your first line of defense.

Email security:
Network security:

The United States CISA published a comprehensive overview of preventative network security measures and countermeasures that can be utilised in the event of a breach. If you discover that any of your IP addresses are listed by Spamhaus, pay attention to the information provided when you look up the IP address on our checker tool. In most cases we have detailed information that will help you remediate the problem.

Malware is insidious, and it often relies on expert social engineering coupled with the human tendency to inertia: we don't take things very seriously until they directly affect us, and then it is often too late. These kinds of attacks are a threat to all of us, and should be treated with immediate urgency by all network operators, large and small. In an increasingly interconnected world linked by ever-changing technology, adaptable security measures for networks and email systems MUST be kept up to date and enforced. We are all in this together; let's work to keep each other safe.
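As an added illustration of the thread-hijacking pattern described above, and of the kind of basic email-side checks the article recommends as a first line of defense, the following Python example (written for this page, not Spamhaus's own tooling or any product of theirs) applies a few inbound-mail heuristics to constructed sample messages: a reply carrying a macro-enabled or archive attachment, a "Re:" subject with no In-Reply-To/References (a fake reply), failed SPF/DKIM/DMARC results in an Authentication-Results header, and a Reply-To domain that differs from the From domain. The attachment suffix list, the header values and the three sample messages are the example's own assumptions; the hostnames use reserved example domains.

```python
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Attachment types commonly used as lures in thread-hijacking campaigns.
# Assumption: list chosen for this example; tune it to your environment.
RISKY_SUFFIXES = (".doc", ".docm", ".xls", ".xlsm", ".zip", ".iso", ".js", ".lnk")


def _domain(header_value):
    """Return the lowercased domain of an address header, or '' if none."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def flag_thread_hijack(raw_message):
    """Return a list of human-readable reasons the message looks like a
    thread-hijacking lure; an empty list means no heuristic fired."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    reasons = []

    # Does the message claim to belong to an existing thread?
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    subject = str(msg.get("Subject", "")).strip().lower()
    looks_like_reply = subject.startswith(("re:", "fw:", "fwd:"))

    # Reply-style messages carrying risky attachments are the core pattern.
    risky = [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(RISKY_SUFFIXES)
    ]
    if (in_thread or looks_like_reply) and risky:
        reasons.append("reply carrying risky attachment: " + ", ".join(risky))

    # A "Re:" subject without threading headers is a forged reply.
    if looks_like_reply and not in_thread:
        reasons.append("'Re:' subject without In-Reply-To/References (fake reply)")

    # Authentication-Results is written by the receiving MTA; failed
    # SPF/DKIM/DMARC on a message claiming to be from a known correspondent
    # is a strong signal that the sending account or domain is being abused.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            reasons.append(f"{mech} failed")

    # A Reply-To pointing at a different domain redirects the victim's answer.
    reply_to = _domain(msg.get("Reply-To"))
    if reply_to and reply_to != _domain(msg.get("From")):
        reasons.append(f"Reply-To domain {reply_to} differs from From domain")

    return reasons


# --- Constructed sample messages (not real captures) ---------------------

MALICIOUS = """\
From: "Alice Example" <alice@example.com>
Reply-To: alice.example@mail.invalid
To: bob@example.org
Subject: Re: invoice for March
In-Reply-To: <orig-123@example.org>
References: <orig-123@example.org>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached and confirm.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

FAKE_REPLY = """\
From: dave@example.net
To: bob@example.org
Subject: Re: your order
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Updated documents attached.
--b2
Content-Type: application/zip; name="update.zip"
Content-Disposition: attachment; filename="update.zip"
Content-Transfer-Encoding: base64

UEsFBg==
--b2--
"""

BENIGN = """\
From: carol@example.org
To: bob@example.org
Subject: Re: meeting notes
In-Reply-To: <notes-7@example.org>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
MIME-Version: 1.0
Content-Type: text/plain

Thanks, see you Tuesday.
"""

if __name__ == "__main__":
    for name, raw in (("malicious", MALICIOUS), ("fake_reply", FAKE_REPLY), ("benign", BENIGN)):
        print(name, "->", flag_thread_hijack(raw) or "no findings")
```

In production these heuristics belong in the mail gateway or a milter rather than in a standalone script, and the reasons list is meant for scoring and quarantine decisions, not for an automatic block on any single hit: a legitimate colleague really will sometimes reply with a .zip.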
Permanent link to this news article: Emotet Email Aftermath http://www.spamhaus.org/news/article/812/emotet-email-aftermath
Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.
|