Emotet and “The State of IT Security in Germany in 2020”


In this blog post, I will give an overview of how the malware Emotet works. According to the BSI’s report The State of IT Security in Germany in 2020, this malware was the major threat to the German state, industry, and civil society in the period between 1st June 2019 and 31st May 2020.

Visualization of the Emotet infection process from the University of Freiburg website.

Overview of Emotet

In the report The State of IT Security in Germany in 2020, Horst Seehofer defines Emotet as a “sophisticated combination of a digital toolbox and social engineering that makes it possible to infect even professional users”. In more technical terms, Emotet is a former banking Trojan that now embodies a wide range of malware functions, such as harvesting information, sending unsolicited e-mails, and downloading additional malware.

Emotet distribution

Emotet is distributed via email, either as an attachment or as a link. As an email attachment, the payload is usually delivered as a document file, e.g., a DOCX file, or as an image, e.g., a JPEG file. Alternatively, the malicious link delivered via email redirects to a compromised web page from which the payload is downloaded. In both cases, Emotet is then installed onto the victim’s computer.

Information harvesting and spreading

Once installed, Emotet collects the email communication history of the victim. The malware then uses this information to automatically generate realistic emails that are sent in the name of the victim to the victim’s contacts. This means that Emotet does not need any attacker intervention to spread, which is one of the aspects that make this malware so dangerous.

Downloading additional malware

Emotet also downloads other malware after successful installation. The BSI report indicates that the malware Trickbot and the ransomware Ryuk were the two payloads mainly associated with Emotet in the reporting period.

Trickbot is malware that can compromise the victim’s network automatically. In particular, the BSI report indicates that Trickbot has the capability of taking over the Domain Controller in Active Directory without attacker intervention. If this happens, it is game over for the targeted company. In other less dramatic but nevertheless dangerous cases, Trickbot can set up backdoors on the infected system in order to guarantee a persistent presence within the victim’s network.

Trickbot also collects information about the victim’s computers and sends it back to the attacker. According to the BSI report, the attackers then use this information to decide whether to run the ransomware Ryuk on the targeted network. If the victim organization seems solvent, Ryuk is deployed simultaneously on all of its accessible servers and endpoints, and often even on its backups as well.

Ransomware attack on a German town with Emotet as the point of entry

At the beginning of September 2019, the administration of a town in the district of Hanover (Lower Saxony) was the victim of a ransomware attack that used Emotet as the point of entry into its network. According to the BSI report, Emotet was likely sent to the council’s computer as an attachment in an email that looked authentic. After successful installation, the attackers deployed the Ryuk ransomware, which encrypted about 550,000 files on the administration computers of this German town. As a consequence of this attack, all council business came to a standstill. It took more than a week to bring the first systems back online.

Conclusion

All in all, Emotet is malware that is used as the entry point for compromising a computer network. This malicious piece of software spreads using information harvesting and social engineering. Emotet also downloads and installs the Trickbot malware, which is used to compromise a victim’s network and gather intelligence about it. If the victim seems solvent, the attackers then deploy the ransomware Ryuk to encrypt the victim’s data and ask for a ransom.

I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!

A few easy tricks to improve the security of your WordPress website


In this blog post, I will show you six easy tricks to improve the security of your WordPress website.

Create a new administrator and delete the default one

Why?

Each new WordPress website has a default administrator. Now let’s assume that an attacker targets my website. They can easily find out that the content management system (CMS) for this website is WordPress by using a Chrome extension like Wappalyzer. Then they can find the WordPress default admin usernames with a Google search and enumerate users on my website thanks to a flaw on the WordPress login page.

By entering username=”test” and password=”test”, an attacker learns that “test” is not a valid username. This is an example of information disclosure that helps threat actors enumerate the users on a web server. WordPress should change this message to the more generic “invalid username or password”.

Knowing the administrator username reduces the search space for dictionary attacks and brute force attacks. If the admin password is also common or weak, an attacker can take over the website in a matter of minutes.

How?

Add a new user with the “administrator” role and a strong password. I like my passwords to have at least 20 characters (a mixture of lowercase, uppercase, numbers, and special characters). Then log in with the new admin account, set up 2FA right away (see below), and delete the default admin user.

Add the recommended security headers

Why?

Security headers add an extra layer of protection to SSL.

  • HSTS (Strict-Transport-Security): This header forces the browser to make all requests to the website domain over HTTPS.
  • X-Content-Type-Options: The browser is told not to guess (sniff) what kind of data is passed. If the extension is “.pdf”, the browser will expect a PDF file.
  • X-XSS-Protection: It blocks the page from loading in the browser if reflected cross-site scripting (XSS) is detected.
  • Expect-CT: In order to prevent fraud, the SSL certificate authority has to log the certificates with the Certificate Transparency (CT) framework.
  • Referrer-Policy: The Referer header contains the address of the previous web page from which a link to the currently requested page was followed. The policy “no-referrer-when-downgrade” omits the origin, path, and query string of that URL when the protocol security level is downgraded (HTTPS→HTTP).
  • Content-Security-Policy: This header is another way to force requests to the website domain over HTTPS.

How?

Open the .htaccess file on your server and add the following lines:

Add the following security headers to your .htaccess file.

Hide the PHP version from the HTTP Response Header

Why?

By default, the Apache server running my website exposes the PHP version in the HTTP Response Header. That is, it makes the PHP version that I use public on the Internet. This is particularly dangerous when the PHP version is an old and vulnerable one. An attacker could look for exploits against this specific version, and maybe get a reverse shell on the server.

The PHP version is visible in the HTTP response Header.

How?

Open the php.ini file on your Apache server. Set the expose_php variable to Off. Restart php-fpm and Apache.

The PHP version is not visible anymore.
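To verify both of the last two tricks in one go, here is a small Python audit that I am adding as an example (it is not code from the original post). It checks a response’s headers against the six security headers listed above, flags the X-Powered-By header that expose_php=Off removes (and Apache’s own Server banner as an extra check), and renders the .htaccess lines for whatever is missing. The header values and the sample response are this example’s assumptions; to audit a live site, pass `requests.get(url).headers` instead of the constructed dict.

```python
"""Audit an HTTP response for the recommended security headers and for
version disclosure. Added example, not code from the original post; it runs
on a constructed header dict so it works offline. To check a live site,
pass `requests.get(url).headers` (a case-insensitive dict) instead."""

# Recommended headers from the post. The values are this example's
# assumptions (typical settings); adjust them to your site before use.
RECOMMENDED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Expect-CT": "max-age=86400, enforce",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Content-Security-Policy": "upgrade-insecure-requests",
}

# Headers that reveal software versions. X-Powered-By is what php.ini's
# expose_php=Off removes; Server is Apache's own banner (an extra check
# that the post does not cover).
DISCLOSURE_HEADERS = ("X-Powered-By", "Server")


def audit_headers(headers):
    """Return (missing, disclosed).

    missing:   recommended header names absent from the response, in the
               order of RECOMMENDED
    disclosed: {name: value} for version-revealing headers that are present
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    missing = [name for name in RECOMMENDED if name.lower() not in lowered]
    disclosed = {name: lowered[name.lower()]
                 for name in DISCLOSURE_HEADERS if name.lower() in lowered}
    return missing, disclosed


def htaccess_directives(missing):
    """Render Apache mod_headers lines (for .htaccess) for the missing headers."""
    return [f'Header always set {name} "{RECOMMENDED[name]}"' for name in missing]


# Constructed sample: what a stock Apache + PHP setup typically returns
# before hardening (version strings invented for the example).
SAMPLE_RESPONSE = {
    "Date": "Mon, 01 Feb 2021 10:00:00 GMT",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000",
}

if __name__ == "__main__":
    missing, disclosed = audit_headers(SAMPLE_RESPONSE)
    print("Missing headers:", ", ".join(missing) or "none")
    for name, value in disclosed.items():
        print(f"Version disclosed by {name}: {value}")
    print("\nLines to add to .htaccess:")
    print("\n".join(htaccess_directives(missing)))
```

Run it once before and once after editing .htaccess and php.ini: the missing list should become empty and X-Powered-By should disappear from the disclosed headers.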

Enable auto-updates for WordPress, plugins, and themes

Why?

It is important to install the newest stable software releases as soon as they are available because they usually contain security patches. Enabling auto-updates takes this task off your mind.

How?

  • WordPress: Go to Dashboard > Updates. Under “Current version”, click on “Enable auto-updates”.
  • Plugins: Go to Plugins > Installed Plugins. Under the column “Automatic updates”, enable auto-updates for every single plugin used. Delete inactive plugins.
  • Themes: Go to Appearance > Themes. Open the current theme and click on “Enable auto-updates”. Keep only one other theme as a backup. Delete all other inactive themes.

Use two-factor authentication for every user

Why?

This adds an extra layer of protection to the authentication process. If the password of a user is cracked or leaked accidentally, the attacker will not be able to authenticate on the website (at least not easily).

How?

Install and activate the WP 2FA plugin as the admin user. Force each user on the blog to add 2FA to their account without delay.

Make sure that only used server ports are open

Why?

Open ports on a server are a security vulnerability that can potentially allow a hacker to exploit services on your network. If those services are unpatched, a hacker can easily take advantage of the system after running a port scan.

How?

Go to https://www.shodan.io/ and enter the IPv4 address of your server. Under “Ports”, you will see the open ports. If any port that you are not using is listed there, close it right away.

I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!

Threat Hunting via Windows Event Logs with DeepBlueCLI


In this blog post, I will use the PowerShell module DeepBlueCLI to quickly discover suspicious account and command line behavior by parsing some sample evtx files from the DeepBlueCLI GitHub page. This blog post is heavily inspired by the 16-hour seminar “SOC Core Skills” by John Strand (Black Hills Information Security).

New user is created and immediately added to the local Administrators group

In this section, we will analyze new-user-security.evtx with DeepBlueCLI. In the output, we see that a new user with username “IEUser” was created at 10:22:39 AM and then added to the local Administrators group at 10:22:40 AM, that is, one second after creation. This is suspicious, as threat actors often create new users in order to gain a level of persistence in the network that they would not otherwise obtain with malware.

Two security events from the log file were connected together by DeepBlueCLI and presented back to us with an intuitive summary.

Password spraying

In this section, we will analyze password-spray.evtx with DeepBlueCLI. Password spray attacks are those where a threat actor targets a list of usernames on a domain and sprays them with the same password, like Winter2020. This attack is often successful because many companies do not implement a strong password policy. Moreover, this technique often goes unnoticed because accounts do not get locked out: the attacker keeps the number of attempts per account below the lockout threshold defined in the lockout policy. In this instance, we see that DeepBlueCLI detects the attack and summarizes it for humans to read. Concretely, we see that a password spray attack was launched by user jwrig from machine DESKTOP-JR78RLP. We also see a list of the targeted usernames.

The DeepBlueCLI summary of a password spraying attack.

Password guessing

In this section, we will analyze smb-password-guessing-security.evtx with DeepBlueCLI. Password guessing attacks are those where the threat actor tries to log in as a single user by trying out different passwords. In this instance, DeepBlueCLI detects such an attack against the Administrator account. The DeepBlueCLI summary shows that 3560 login attempts were made for this account.

The DeepBlueCLI summary of a password guessing attack.
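The three account detections discussed so far (a new user promoted to Administrators right after creation, password spraying, and password guessing) boil down to simple correlations over a few Security-log fields. As an added example, not DeepBlueCLI’s own code, here they are in Python over a constructed event list. The event IDs 4720, 4732 and 4625 are the real Windows Security IDs; the field names, thresholds, timestamps and the assumption that the 4732 member field is already a resolved account name are this example’s simplifications. To run it on a real evtx file you would map each record to the same few fields with a library such as python-evtx.

```python
"""Three account-activity detections in the spirit of DeepBlueCLI. This is an
added example written for this post, not DeepBlueCLI's code. It runs on
constructed Security-log events represented as dicts; with a library such as
python-evtx you would map real records to the same few fields.

Windows Security event IDs used (these are the real IDs):
  4720  a user account was created
  4732  a member was added to a security-enabled local group
  4625  an account failed to log on
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def new_admin_users(events, window_seconds=60):
    """Accounts created (4720) and added to Administrators (4732) within
    `window_seconds`. Returns [(username, seconds_between), ...].
    Assumes the 4732 member field is already a resolved account name."""
    created = {e["TargetUserName"]: datetime.strptime(e["Time"], TIME_FORMAT)
               for e in events if e["EventID"] == 4720}
    hits = []
    for e in events:
        if e["EventID"] != 4732 or e["TargetGroup"] != "Administrators":
            continue
        member = e["MemberName"]
        if member not in created:
            continue
        delta = datetime.strptime(e["Time"], TIME_FORMAT) - created[member]
        if timedelta(0) <= delta <= timedelta(seconds=window_seconds):
            hits.append((member, int(delta.total_seconds())))
    return hits


def password_spray(events, min_accounts=10):
    """Sources whose failed logons (4625) hit many distinct accounts: the
    one-password-many-users pattern. Returns {workstation: [accounts]}."""
    targets = defaultdict(set)
    for e in events:
        if e["EventID"] == 4625:
            targets[e["WorkstationName"]].add(e["TargetUserName"])
    return {src: sorted(users) for src, users in targets.items()
            if len(users) >= min_accounts}


def password_guessing(events, min_attempts=100):
    """Accounts with many failed logons (4625): the many-passwords-one-user
    pattern. Returns {account: attempts}."""
    counts = Counter(e["TargetUserName"] for e in events if e["EventID"] == 4625)
    return {user: n for user, n in counts.items() if n >= min_attempts}


# Constructed sample log (not real evtx data). Times and names are invented,
# mirroring the three scenarios in the post.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2019-10-22 10:22:39", "TargetUserName": "IEUser"},
    {"EventID": 4732, "Time": "2019-10-22 10:22:40", "TargetGroup": "Administrators",
     "MemberName": "IEUser"},
]
# Spray: one workstation, one failed attempt against each of 12 accounts.
SAMPLE_EVENTS += [
    {"EventID": 4625, "Time": f"2019-10-22 11:00:{i:02d}",
     "WorkstationName": "DESKTOP-JR78RLP", "TargetUserName": f"user{i:02d}"}
    for i in range(12)
]
# Guessing: one workstation, 150 failed attempts against Administrator.
SAMPLE_EVENTS += [
    {"EventID": 4625, "Time": f"2019-10-22 12:{i // 60:02d}:{i % 60:02d}",
     "WorkstationName": "WS-CONSTRUCTED", "TargetUserName": "Administrator"}
    for i in range(150)
]

if __name__ == "__main__":
    for user, secs in new_admin_users(SAMPLE_EVENTS):
        print(f"New user {user} added to Administrators {secs}s after creation")
    for src, users in password_spray(SAMPLE_EVENTS).items():
        print(f"Password spray from {src} against {len(users)} accounts: {users}")
    for user, n in password_guessing(SAMPLE_EVENTS).items():
        print(f"Password guessing against {user}: {n} failed logons")
```

The two failed-logon detections are deliberately complementary: a spray shows up as many distinct target accounts per source with few attempts each, a guessing attack as many attempts against one account, so the guessing workstation in the sample never trips the spray rule and vice versa.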

Suspicious command line (attack with obfuscation)

In this last section, we will analyze Powershell-Invoke-Obfuscation-encoding-menu.evtx with DeepBlueCLI. This file contains logs of commands run from PowerShell that are suspicious because they contain a lot of uncommon symbols. Attackers often use a number of encoding techniques to bypass signature detection. Concretely, this means that threat actors rewrite malicious commands using uncommon symbols. For example, they could build the commands one character at a time, like in the screenshot below. Fortunately, this kind of activity often gets logged by Windows Defender because non-malicious scripts do not use so many uncommon characters. As you can see below, DeepBlueCLI computes a statistic on this specific command line invocation and shows that only 58% alphanumeric and common symbols were used in this example, thus indicating malicious activity.

This Powershell command was written character by character, that is, using the data type char. This is an example of obfuscation, a technique typically used by attackers to bypass signature detection.
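The percentage DeepBlueCLI reports is easy to reproduce, and doing so shows why the character-at-a-time trick stands out. The following Python is an added example written for this post, not DeepBlueCLI’s code: it scores a command line by the share of alphanumeric and common characters, counts how often the command builds characters with [char], and flags it below a threshold. The character set, the 80% threshold and both sample command lines are this example’s assumptions; the obfuscated sample only spells the cmdlet name Write-Host from character codes and is harmless.

```python
"""Score a command line by the share of 'ordinary' characters, the idea
behind the DeepBlueCLI percentage shown above. Added example, not
DeepBlueCLI's code; the character set and the threshold are assumptions."""
import string

# Characters a normal command line is expected to consist of (assumption).
COMMON_CHARS = set(string.ascii_letters + string.digits + " -_./:\\=,'\"")


def common_ratio(cmd):
    """Fraction of characters in `cmd` that are alphanumeric or common symbols."""
    if not cmd:
        return 1.0
    return sum(c in COMMON_CHARS for c in cmd) / len(cmd)


def char_casts(cmd):
    """How many times the command builds a character with [char]."""
    return cmd.lower().count("[char]")


def looks_obfuscated(cmd, threshold=0.80):
    """Flag a command line whose common-character share is below `threshold`."""
    return common_ratio(cmd) < threshold


# Constructed samples. The second spells 'Write-Host' from character codes
# (W=87 r=114 i=105 t=116 e=101 -=45 H=72 o=111 s=115 t=116), the
# character-at-a-time trick described above; it only prints 'hi'.
NORMAL_CMD = "powershell.exe -File C:\\scripts\\backup.ps1 -Verbose"
OBFUSCATED_CMD = ('powershell.exe -c "&([char]87+[char]114+[char]105+[char]116+[char]101'
                  "+[char]45+[char]72+[char]111+[char]115+[char]116) 'hi'\"")

if __name__ == "__main__":
    for cmd in (NORMAL_CMD, OBFUSCATED_CMD):
        verdict = "OBFUSCATED" if looks_obfuscated(cmd) else "ok"
        print(f"{common_ratio(cmd):.0%} common chars, "
              f"{char_casts(cmd)} [char] casts -> {verdict}: {cmd}")
```

On the constructed samples the normal command scores 100% and the [char]-built one about 74%, which is why a threshold in the 75–80% range separates them; as DeepBlueCLI’s 58% example shows, real obfuscated invocations tend to score much lower still.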

All in all, DeepBlueCLI enables fast discovery of specific events detected in Windows Security. In this post, we only looked at detections of suspicious account and command line activities. However, DeepBlueCLI can do much more. Check out its page on GitHub!

I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!