{"id":12426,"date":"2019-12-21T23:24:14","date_gmt":"2019-12-21T22:24:14","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=12426"},"modified":"2019-12-21T23:24:14","modified_gmt":"2019-12-21T22:24:14","slug":"cert-bund-bsi-warnung-vor-emotet-trojaner-ransomware","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/12\/21\/cert-bund-bsi-warnung-vor-emotet-trojaner-ransomware\/","title":{"rendered":"CERT-Bund\/BSI Warning about Emotet-Trojan\/Ransomware"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/12\/21\/cert-bund-bsi-warnung-vor-emotet-trojaner-ransomware\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>] In the last few days there have been a number of reports of cyber incidents at German institutions that are attributed to the Emotet Trojan\/ransomware. The BSI warns of the danger, especially since spam mail carrying this malware is being sent 'on behalf of federal authorities'. <\/p>\n<p><!--more--><\/p>\n<p>I've discussed the latest cases in the German article <a href=\"https:\/\/www.borncity.com\/blog\/2019\/12\/20\/trojanerbefall-in-stadt-bad-homburg-und-hochschule-freiburg\/\">Trojanerbefall in Stadt Bad Homburg und Hochschule Freiburg<\/a>. But Frankfurt and the University of Gie\u00dfen were infected as well &#8211; although the infection in Frankfurt was probably mild \u2013 the IT systems were back in operation after a day. 
In the following tweet, CERT-Bund points out the danger of an infection with the Emotet Trojan.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">\u26a0\ufe0fBeware of <a href=\"https:\/\/twitter.com\/hashtag\/Emotet?src=hash&amp;ref_src=twsrc%5Etfw\">#Emotet<\/a> &#8211; currently one of the most dangerous botnets in operation. <a href=\"https:\/\/twitter.com\/hashtag\/certbund?src=hash&amp;ref_src=twsrc%5Etfw\">#certbund<\/a> once again became aware of several high profile victims. <\/p>\n<p>\u203c\ufe0f Don't be the next \u203c\ufe0f<\/p>\n<p>\u2014 CERT-Bund (@certbund) <a href=\"https:\/\/twitter.com\/certbund\/status\/1206577491281895424?ref_src=twsrc%5Etfw\">December 16, 2019<\/a><\/p><\/blockquote>\n<p>After an infection of the Windows system, the Trojan can download further malware and constantly changes its signatures and attack variants. It also seems that the cyber criminals behind Emotet have changed their tactics: the Trojan is no longer delivered as a mail attachment. Instead, a link to a compromised website is sent by email. A drive-by download then waits on that page, or the user is tricked into downloading the Emotet Trojan as a file. <\/p>\n<p><img decoding=\"async\" title=\"KRITIS-Netzwerk\" alt=\"KRITIS-Netzwerk\" src=\"https:\/\/i.imgur.com\/yNk8TvY.jpg\"><br \/>(Source: Pexels <a href=\"https:\/\/www.pexels.com\/de\/u\/markusspiske\/\">Markus Spiske<\/a> CC0 license)  <\/p>\n<h2>Nasty: German authorities infected<\/h2>\n<p>There is a fresh warning from the German Federal Office for Information Security (BSI). Bleeping Computer has <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/attackers-posing-as-german-authorities-distribute-emotet-malware\/\" target=\"_blank\" rel=\"noopener noreferrer\">also covered<\/a> it. 
According to the report, the BSI has been notified of several confirmed Emotet infections in authorities of the federal administration. <\/p>\n<p><img decoding=\"async\" title=\"BSI-Warnung\" alt=\"BSI-Warnung\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1109292\/December%202019\/BSI.png\"><br \/>(Source: Bleeping Computer)<\/p>\n<p>The unknown attackers are currently using the data harvested in the process to send fraudulent e-mails with dangerous file attachments or links on behalf of several federal authorities. Greta Thunberg is also being misused as bait in spam mail, as <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/emotet-malware-uses-greta-thunberg-demonstration-invites-as-lure\/\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a> reveals &#8211; and the cyber criminals are constantly adjusting their strategy, as Bleeping Computer discusses <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/emotet-gang-changes-tactics-ahead-of-the-winter-holidays\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/p>\n<h2>Prevent infection in advance<\/h2>\n<p>Administrators in corporate environments should take steps to block the infection vectors. 
Here is a recommendation from CERT-Bund:<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Biggest impact recommendations for SOCs, CERTs, and CSIRTs on how to block Emotet malspam\u00b9: <br \/>Block macro office docs &amp; emails w\/ known bad URLs ASAP + Use URLhaus ClamAV signatures + Block known Emotet C&amp;C communication.<\/p>\n<p>\u00b9 Provided by <a href=\"https:\/\/twitter.com\/abuse_ch?ref_src=twsrc%5Etfw\">@abuse_ch<\/a> via <a href=\"https:\/\/t.co\/rrsakWK7Dt\">https:\/\/t.co\/rrsakWK7Dt<\/a><\/p>\n<p>\u2014 CERT-Bund (@certbund) <a href=\"https:\/\/twitter.com\/certbund\/status\/1206577492993216520?ref_src=twsrc%5Etfw\">December 16, 2019<\/a><\/p><\/blockquote>\n<p>The following tweet from the USA also indicates that infections can occur via USB devices.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">I think the City of New Orleans learned the lesson <a href=\"https:\/\/twitter.com\/hashtag\/WeaponizedUSBdevices?src=hash&amp;ref_src=twsrc%5Etfw\">#WeaponizedUSBdevices<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/MaliciousUSBimplants?src=hash&amp;ref_src=twsrc%5Etfw\">#MaliciousUSBimplants<\/a><a href=\"https:\/\/twitter.com\/hashtag\/WHIDelite?src=hash&amp;ref_src=twsrc%5Etfw\">#WHIDelite<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/WHIDinjector?src=hash&amp;ref_src=twsrc%5Etfw\">#WHIDinjector<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/USBsamurai?src=hash&amp;ref_src=twsrc%5Etfw\">#USBsamurai<\/a> <a href=\"https:\/\/t.co\/B97da2B6uU\">pic.twitter.com\/B97da2B6uU<\/a><\/p>\n<p>\u2014 WHID Injector (@WHID_Injector) <a href=\"https:\/\/twitter.com\/WHID_Injector\/status\/1206653595787169793?ref_src=twsrc%5Etfw\">December 16, 2019<\/a><\/p><\/blockquote>\n<p>To minimize the damage in 
case of an infection, administrators and computer users should have emergency instructions on how to act in case of a suspected infection. In the following tweet, Catalin Cimpanu recommends not restarting the system after an infection.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Experts: Don't reboot your computer after you've been infected with ransomware<a href=\"https:\/\/t.co\/Yzs6CfWAPH\">https:\/\/t.co\/Yzs6CfWAPH<\/a> <a href=\"https:\/\/t.co\/Ne0AwjVrdz\">pic.twitter.com\/Ne0AwjVrdz<\/a><\/p>\n<p>\u2014 Catalin Cimpanu (@campuscodi) <a href=\"https:\/\/twitter.com\/campuscodi\/status\/1191739515028852737?ref_src=twsrc%5Etfw\">November 5, 2019<\/a><\/p><\/blockquote>\n<p>Instead, put the system into hibernation, disconnect it from the network and have a specialist examine the isolated system for a possible infection. It is also a good idea to read the <a href=\"https:\/\/borncity.com\/win\/2019\/12\/07\/faq-reagieren-auf-eine-emotet-infektion\/\">FAQ: Responding to an Emotet infection<\/a> and to prepare for the emergency case. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] In the last few days there have been a number of reports of cyber incidents at German institutions that are attributed to the Emotet Trojan\/ransomware. 
The BSI warns of the danger, especially since spam mail is sent 'on behalf of &hellip; <a href=\"https:\/\/borncity.com\/win\/2019\/12\/21\/cert-bund-bsi-warnung-vor-emotet-trojaner-ransomware\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-12426","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12426","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=12426"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12426\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=12426"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=12426"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=12426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}