Microsoft’s Detection and Response Team (DART), part of its Cybersecurity Solutions Group, said on Thursday that a client’s entire IT network was taken down by an Emotet infection that drove its computers to overheat, after one of the client’s employees was tricked into opening a phishing email attachment.
The malware spread through the systems of Fabrikam (the placeholder name Microsoft uses for the victim in its case study) by stealing administrator account credentials and using them to authenticate to other machines.
From there it moved laterally, infecting other systems on the same network, and froze core services by maxing out CPU usage on Windows devices.
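The spread described above, one stolen admin credential authenticating to host after host over the network, leaves a distinctive fan-out pattern in Windows logon telemetry. The following Python is an added example of detection logic for that pattern, not code from Microsoft or from the DART report; the flattened log format, host names, account names and addresses are constructed for illustration, and the ten-minute window and five-host threshold are assumed starting points to be tuned against a real environment.

```python
"""Flag one account authenticating over the network to many distinct hosts in a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4624 (successful logon) records in a
# flattened key=value export. logon_type=3 is a network logon, which is what
# authenticating to another machine's shares produces on the target host.
# Hosts, accounts and addresses are hypothetical.
SAMPLE_EVENTS = [
    "2020-03-20T08:00:00 host=DB-01 event=4624 logon_type=3 account=backup_svc src=10.0.1.9",
    "2020-03-20T08:30:00 host=DB-02 event=4624 logon_type=3 account=backup_svc src=10.0.1.9",
    "2020-03-20T09:00:00 host=DB-03 event=4624 logon_type=3 account=backup_svc src=10.0.1.9",
    "2020-03-20T09:00:05 host=FS-01 event=4624 logon_type=3 account=jdoe src=10.0.5.17",
    # svc_admin's credential, stolen on 10.0.5.17, is replayed against workstation after workstation...
    "2020-03-20T09:03:11 host=WS-002 event=4624 logon_type=3 account=svc_admin src=10.0.5.17",
    "2020-03-20T09:03:12 host=WS-003 event=4624 logon_type=3 account=svc_admin src=10.0.5.17",
    "2020-03-20T09:03:14 host=WS-004 event=4624 logon_type=3 account=svc_admin src=10.0.5.17",
    "2020-03-20T09:03:15 host=WS-005 event=4624 logon_type=3 account=svc_admin src=10.0.5.17",
    "2020-03-20T09:03:17 host=WS-006 event=4624 logon_type=3 account=svc_admin src=10.0.5.17",
    "2020-03-20T09:03:20 host=WS-007 event=4624 logon_type=3 account=svc_admin src=10.0.5.17",
    # ...and a newly infected host (10.0.5.23) starts spreading with the same credential.
    "2020-03-20T09:04:02 host=WS-008 event=4624 logon_type=3 account=svc_admin src=10.0.5.23",
    "2020-03-20T09:04:40 host=WS-009 event=4624 logon_type=3 account=svc_admin src=10.0.5.23",
    "2020-03-20T09:10:00 host=FS-01 event=4624 logon_type=3 account=jdoe src=10.0.5.17",
    # Interactive (console) logon: not a network logon, so the rule ignores it.
    "2020-03-20T09:15:00 host=WS-002 event=4624 logon_type=2 account=svc_admin src=-",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"logon_type=(?P<logon_type>\d+) account=(?P<account>\S+) src=(?P<src>\S+)$"
)


def parse_events(lines):
    """Parse the flattened records; malformed lines are skipped rather than crashing the job."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "event": int(m["event"]),
            "logon_type": int(m["logon_type"]),
            "account": m["account"],
            "src": m["src"],
        })
    return events


def detect_fan_out(events, window_minutes=10, min_hosts=5):
    """Return one finding per account whose network logons reach at least min_hosts
    distinct target hosts inside any sliding window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for e in events:
        if e["event"] == 4624 and e["logon_type"] == 3:
            by_account[e["account"]].append(e)

    findings = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):
            hosts, sources, last = set(), set(), start
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                hosts.add(e["host"])
                sources.add(e["src"])
                last = e
            if best is None or len(hosts) > best["host_count"]:
                best = {
                    "account": account,
                    "host_count": len(hosts),
                    "hosts": sorted(hosts),
                    "sources": sorted(sources),
                    "first_seen": start["ts"],
                    "last_seen": last["ts"],
                }
        if best["host_count"] >= min_hosts:
            findings.append(best)
    findings.sort(key=lambda f: -f["host_count"])
    return findings


if __name__ == "__main__":
    for f in detect_fan_out(parse_events(SAMPLE_EVENTS)):
        span = (f["last_seen"] - f["first_seen"]).seconds
        print(f"{f['account']}: {f['host_count']} hosts in {span}s from {', '.join(f['sources'])}")
```

Against the sample, only svc_admin is flagged: eight workstations in under two minutes, while the backup account's three hosts spread over an hour stay below the threshold. The detail worth chasing in a real investigation is the second source address: a freshly infected host becoming a new source for the same credential is exactly what turns one phishing victim into a network-wide outage.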
“We are glad to share the DART Case Report 002: Full Operational Shutdown. In report 002, we cover an actual incident response engagement where a polymorphic malware spread through the entire network of an organization,” reads the Microsoft DART announcement.
“After a phishing email delivered Emotet, a polymorphic virus that propagates via network shares and legacy protocols, the virus shut down the organization’s core services. The virus avoided detection by antivirus solutions through regular updates from an attacker-controlled command-and-control (C2) infrastructure, and spread through the company’s systems, causing network outages and shutting down essential services for nearly a week.”
According to Microsoft, Fabrikam called in DART eight days after the employee opened the phishing email. By then, Fabrikam’s entire IT operation had come to a standstill, including its network of 185 surveillance cameras.
DART observed PCs overheating, freezing and rebooting after blue screens, while Internet connections were slowing down as Emotet’s traffic consumed the network’s bandwidth.
“When the last of their machines overheated, Fabrikam knew the problem had officially spun out of control. ‘We want to stop this hemorrhaging,’ an official would later say,” the DART case study report states.
“He’d been told the organization had an extensive system to prevent cyberattacks, but this new virus evaded all their firewalls and antivirus software. Now, as they watched their computers blue-screen one by one, they didn’t have any idea what to do next.”
The malware used the compromised computers to flood Fabrikam’s own network with traffic, in effect a distributed denial of service (DDoS) against its infrastructure.
“Officials announced that the virus threatened all of Fabrikam’s systems, even its 185-surveillance camera network,” DART’s report says.
“Its finance department couldn’t complete any external banking transactions, and partner organizations couldn’t access any databases controlled by Fabrikam. It was chaos.
“They couldn’t tell whether an external cyberattack from a hacker caused the shutdown or if they were dealing with an internal virus. It would have helped if they could have even accessed their network accounts.
“Emotet consumed the network’s bandwidth until using it for anything became practically impossible. Even emails couldn’t wriggle through.”
DART contained the infection using asset controls and buffer zones that isolated systems holding admin privileges from the rest of the network. They then eradicated Emotet by pushing updated antivirus signatures and deploying trial licenses of Microsoft Defender Advanced Threat Protection, Azure Security Scan, Azure Advanced Threat Protection and other Microsoft special-purpose malware detection tools.
Onsite reverse engineers also repaired Fabrikam’s Microsoft System Center Configuration Manager deployment, which let the organization get back on its feet.
Microsoft recommends email filtering tools such as Office 365 Advanced Threat Protection (ATP) to detect and block the phishing messages that deliver Emotet, and multi-factor authentication (MFA) to limit what an attacker can do with stolen credentials.