Emotet Is Back and It’s Targeting Local and State Governments, CISA Warns


The Emotet botnet is picking up steam again, according to an advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA). The agency directly warns state and local governments because they appear to be the main targets.

Emotet is a trojan that spreads mainly through phishing campaigns and links. When the victim clicks on the link, the payload launches and the malware attempts to proliferate within a network by brute-forcing user credentials and writing to shared drives.

“Emotet resurged in July 2020, after a dormant period that began in February,” says the advisory. “Since August, CISA and MS-ISAC have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. This increase has rendered Emotet one of the most prevalent ongoing threats.”

Emotet persists because, by design, it can infect entire networks. It also uses modular Dynamic Link Libraries to evolve and update its capabilities continuously.

CISA’s intrusion system has generated approximately 16,000 alerts related to Emotet activity since July 2020. The campaign has used Microsoft Word attachments in phishing emails as the principal infection vector, and the situation changed drastically in August, when “security researchers observed a 1,000 percent increase in downloads of the Emotet loader.”

The US isn’t the only country targeted by these campaigns: Canada, France, Japan, New Zealand, Italy and the Netherlands have observed similar incidents.

CISA also released signatures to help cybersecurity companies detect the threat more easily and published a long list of possible mitigations, some of which are useful in many situations beyond Emotet:

  • Block email attachments commonly associated with malware (e.g., .dll and .exe).
  • Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
  • Implement Group Policy Object and firewall rules.
  • Implement an antivirus program and a formalized patch management process.
  • Implement filters at the email gateway and block suspicious IP addresses at the firewall.
  • Adhere to the principle of least privilege.
  • Implement a Domain-Based Message Authentication, Reporting & Conformance validation system.
  • Segment and segregate networks and functions.
  • Limit unnecessary lateral communications.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Enforce multi-factor authentication.
  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.
  • Enable a firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to suspicious or risky sites.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the internet prior to executing.
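
The “true file type” check from the list above, sketched as an added example that is not part of the CISA advisory or the original article: it compares an attachment's extension with the type shown by its leading header bytes and blocks anything that is an executable by name or by header. The extension-to-type table, the verdict names and the function names are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePath

# Leading "magic" bytes of each file header -> detected type.
MAGIC = [
    (b"MZ", "pe"),                                  # Windows .exe / .dll
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy Office (.doc, .xls)
    (b"PK\x03\x04", "zip"),                         # ZIP, including OOXML
    (b"%PDF-", "pdf"),
    (b"{\\rtf", "rtf"),
]
# Extension -> type the header must show (assumed policy table).
EXPECTED = {".exe": "pe", ".dll": "pe", ".doc": "ole2", ".xls": "ole2",
            ".docx": "ooxml", ".docm": "ooxml", ".xlsx": "ooxml",
            ".zip": "zip", ".pdf": "pdf", ".rtf": "rtf"}
BLOCKED_EXT = {".dll", ".exe"}  # the extensions named in the list above

def is_ooxml(data: bytes) -> bool:
    """A ZIP is an Office Open XML document if it holds [Content_Types].xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False

def detect_type(data: bytes) -> str:
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return "ooxml" if kind == "zip" and is_ooxml(data) else kind
    return "unknown"

def check_attachment(name: str, data: bytes) -> str:
    """Return 'block', 'mismatch', 'review' or 'ok' for one attachment."""
    ext = PurePath(name).suffix.lower()
    actual = detect_type(data)
    if ext in BLOCKED_EXT or actual == "pe":
        return "block"      # executable by name or by header
    if ext not in EXPECTED:
        return "review"     # extension outside the policy table
    return "ok" if actual == EXPECTED[ext] else "mismatch"

def constructed_docx() -> bytes:
    """Constructed sample: minimal ZIP with the OOXML marker entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()
```

A gateway filter would quarantine `block` and `mismatch` results and route `review` results to the antivirus scan the list also calls for.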