Microsoft: Emotet Malware Shuts Down An Entire Network By Overheating PCs

Microsoft’s Cybersecurity Solutions Group’s Detection and Response Team (DART) on Thursday said that a client’s entire IT network was taken down by computers overheating under an Emotet infection after one of its employees was tricked into opening a phishing email attachment.

The malware went on to infect the systems of Fabrikam (a fictitious name Microsoft uses for the victim in its case study) by stealing admin account credentials and using them to authenticate to new systems.

It then moved laterally, infecting other systems on the same network, and froze core services by maxing out CPU usage on Windows devices.
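The pattern described above, one stolen admin account authenticating to host after host in quick succession, is visible in Windows Security logs before the CPU symptoms appear. As an added example (not part of this article or of Microsoft's DART report), the following Python script flags accounts whose network logons (event 4624, logon type 3) reach an unusual number of distinct hosts inside a short window. The sample events, host names, account names and the privileged-account list are all constructed for the example.

```python
"""Flag accounts that fan out to many hosts in a short window (lateral-movement triage)."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample of Windows Security 4624 (successful logon) events, one JSON
# object per line, reduced to the fields this check needs. Logon type 3 is a
# network logon, which is what authenticating to a remote share looks like on
# the target host. Hosts, users and addresses are made up.
SAMPLE_EVENTS = """\
{"time": "2020-04-02T09:00:05", "event_id": 4624, "logon_type": 3, "user": "svc_admin", "host": "WKS-001", "src_ip": "10.0.0.15"}
{"time": "2020-04-02T09:00:40", "event_id": 4624, "logon_type": 3, "user": "svc_admin", "host": "WKS-002", "src_ip": "10.0.0.15"}
{"time": "2020-04-02T09:01:10", "event_id": 4624, "logon_type": 3, "user": "svc_admin", "host": "WKS-003", "src_ip": "10.0.0.15"}
{"time": "2020-04-02T09:01:55", "event_id": 4624, "logon_type": 3, "user": "svc_admin", "host": "FS-01", "src_ip": "10.0.0.15"}
{"time": "2020-04-02T09:02:30", "event_id": 4624, "logon_type": 3, "user": "svc_admin", "host": "CAM-SRV-01", "src_ip": "10.0.0.15"}
{"time": "2020-04-02T09:03:00", "event_id": 4624, "logon_type": 2, "user": "jdoe", "host": "WKS-001", "src_ip": "-"}
{"time": "2020-04-02T09:05:00", "event_id": 4624, "logon_type": 3, "user": "jdoe", "host": "FS-01", "src_ip": "10.0.0.15"}
{"time": "2020-04-02T10:30:00", "event_id": 4624, "logon_type": 3, "user": "backup_admin", "host": "FS-01", "src_ip": "10.0.0.50"}
{"time": "2020-04-02T11:30:00", "event_id": 4624, "logon_type": 3, "user": "backup_admin", "host": "FS-02", "src_ip": "10.0.0.50"}
"""

WINDOW_MINUTES = 10   # sliding window length (assumed tuning value)
HOST_THRESHOLD = 4    # distinct hosts reached by one account inside one window


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"])
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def find_fan_out(events, window_minutes=WINDOW_MINUTES, threshold=HOST_THRESHOLD):
    """Return {user: sorted hosts} for accounts whose network logons reach
    `threshold` or more distinct hosts within any `window_minutes` span.
    The returned host list is the union of every window that crossed the bar."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():   # evs is time-ordered because events were sorted
        start = 0
        reached = set()
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {x["host"] for x in evs[start:end + 1]}
            if len(hosts) >= threshold:
                reached |= hosts
        if reached:
            flagged[user] = sorted(reached)
    return flagged


def severity(user, admin_accounts):
    """Rank a hit: a privileged account fanning out is the case the report describes."""
    return "high" if user in admin_accounts else "medium"


if __name__ == "__main__":
    admins = {"svc_admin", "backup_admin"}   # constructed privileged-account list
    for user, hosts in find_fan_out(parse_events(SAMPLE_EVENTS)).items():
        print(f"[{severity(user, admins)}] {user} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed sample only `svc_admin` trips the default 10-minute/4-host rule; `backup_admin` touches two file servers an hour apart and is left alone unless the window and threshold are loosened. In a real deployment the threshold needs a baseline per account (backup and deployment accounts legitimately fan out), and the event source would be the Security log or a SIEM export rather than an inline string.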


“We are glad to share the DART Case Report 002: Full Operational Shutdown. In report 002, we cover an actual incident response engagement where a polymorphic malware spread through the entire network of an organization,” reads the Microsoft DART announcement.

“After a phishing email delivered Emotet, a polymorphic virus that propagates via network shares and legacy protocols, the virus shut down the organization’s core services. The virus avoided detection by antivirus solutions through regular updates from an attacker-controlled command-and-control (C2) infrastructure, and spread through the company’s systems, causing network outages and shutting down essential services for nearly a week.”

According to Microsoft, Fabrikam called in DART eight days after the employee had opened the phishing email. By then, Fabrikam’s entire IT operation had come to a standstill, including its 185-camera surveillance network.

Experts observed PCs overheating, freezing, and rebooting with blue screens, while Internet connections were slowing down because Emotet was consuming the bandwidth.

“When the last of their machines overheated, Fabrikam knew the problem had officially spun out of control. ‘We want to stop this hemorrhaging,’ an official would later say,” states the DART case study report.

“He’d been told the organization had an extensive system to prevent cyberattacks, but this new virus evaded all their firewalls and antivirus software. Now, as they watched their computers blue-screen one by one, they didn’t have any idea what to do next.”

The malware used the compromised computers to launch what amounted to a distributed denial of service (DDoS) attack that overwhelmed the company’s own network.

“Officials announced that the virus threatened all of Fabrikam’s systems, even its 185-surveillance camera network,” DART’s report says.

“Its finance department couldn’t complete any external banking transactions, and partner organizations couldn’t access any databases controlled by Fabrikam. It was chaos.

“They couldn’t tell whether an external cyberattack from a hacker caused the shutdown or if they were dealing with an internal virus. It would have helped if they could have even accessed their network accounts.

“Emotet consumed the network’s bandwidth until using it for anything became practically impossible. Even emails couldn’t wriggle through.”

Microsoft’s experts contained the Emotet infection using asset controls and buffer zones that isolated assets with admin privileges. They then fully eradicated it after loading antivirus signatures and deploying trial licenses of Defender Advanced Threat Protection, Azure Security Scan, Azure Advanced Threat Protection, and other Microsoft special-purpose malware detection tools.

Additionally, onsite reverse engineers repaired the Microsoft System Center Configuration Manager, allowing Fabrikam to get back on its feet.

Microsoft recommends using email filtering tools such as Office 365 Advanced Threat Protection (ATP) to detect and stop Emotet’s propagation, as well as multi-factor authentication (MFA) to prevent such attacks.

Kavita Iyer