Microsoft: How one Emotet infection took out this organization's entire network

An Emotet victim's IT disaster shows why organizations should filter internal emails and use two-factor authentication.
Written by Liam Tung, Contributing Writer

Microsoft has detailed the plight of a customer whose entire IT network was brought down after one employee opened a phishing email that delivered the notorious Emotet banking trojan and credential-stealing malware.

Details in Microsoft's account of incident response work for a company it calls 'Fabrikam' line up with a cybersecurity incident disclosed by the US city of Allentown, Pennsylvania, in February 2018, which it expected would cost it $1m to recover from. 

The attack knocked out the city's core systems, including its network of 185 surveillance cameras, Associated Press reported at the time.      

Allentown officials said Emotet was self-replicating and stealing employee login credentials. The city also revealed it paid Microsoft an initial $185,000 emergency response fee to "stop this hemorrhaging". The rest of the $1m would go on recovery costs.

SEE: 10 tips for new cybersecurity pros (free PDF)

According to Microsoft, Fabrikam called in Microsoft's Cybersecurity Solutions Group's Detection and Response Team (DART) eight days after the employee had opened the phishing email, by which time its computers and critical systems were failing and its network bandwidth had been completely overrun by Emotet. 

The malware used the victim's compromised computers to launch a distributed denial of service (DDoS) and overwhelm its network. 

"The virus threatened all of Fabrikam's systems, even its 185-surveillance camera network. Its finance department couldn't complete any external banking transactions, and partner organizations couldn't access any databases controlled by Fabrikam. It was chaos," Microsoft's DART team writes. 

"They couldn't tell whether an external cyberattack from a hacker caused the shutdown or if they were dealing with an internal virus," it explains further. 

"It would have helped if they could have even accessed their network accounts. Emotet consumed the network's bandwidth until using it for anything became practically impossible. Even emails couldn't wriggle through." 

So what did Fabrikam get for its fee to Microsoft? One DART team went onsite with the victim, while another DART group assisted remotely. 

To gain a view inside the city's systems, DART deployed trial licenses of Defender Advanced Threat Protection, Azure Security Center, Azure Advanced Threat Protection services, and other Microsoft malware-detection tools.  

To stop Emotet infecting and reinfecting machines across the network, the onsite DART team used remote tools to get into Fabrikam's network and create buffer zones that separated systems with administrative privileges. 

SEE: Meet the white-hat group fighting Emotet, the world's most dangerous malware

This approach contained Emotet enough to remove it with antivirus. Microsoft also uploaded antivirus signatures for the malware and began eradicating Emotet. 

Additionally, onsite reverse engineers repaired the Microsoft System Center Configuration Manager, allowing the victim to recover. 

Microsoft points out that Fabrikam failed to meet best practice because its email filters didn't screen internal mails, which allowed Emotet to spread internally without causing alerts. Had it done this, Fabrikam could have gained valuable time to protect administrative directories before they were attacked. 

Microsoft notes that multi-factor authentication could have slowed or stopped Emotet's use of compromised credentials.

Editorial standards