The Resurgence of EMOTET Trojan Activity

LBMC has noticed an increase in EMOTET Trojan activity recently. This is consistent with reports from other security researchers confirming similar increased EMOTET activity. EMOTET has historically targeted banks to steal information; however, newer versions are targeting various sectors, such as healthcare, food and beverage, and manufacturing. We are also seeing the malware target different geographic regions than previous variants, with the majority of infections now located in the United States.

This time around, EMOTET has been spreading via spam bots delivering phishing emails that claim to be a payment notification or invoice. If a user follows the instructions and clicks the malicious URL located within the email, a malicious document is downloaded that installs the malware. The newer variants also have the ability to propagate through a network by brute forcing accounts using a dictionary attack. EMOTET has been seen distributing various payloads to victims in an attempt to harvest information.

LBMC utilizes a variety of threat intelligence sources to actively gather and block the latest domains and IP addresses reported for botnet activity and for serving malware such as EMOTET. In addition, LBMC has signatures to detect the presence of EMOTET on infected systems and considers its detection a high priority. LBMC can also detect spam bots within a network and reports this activity immediately. We recommend that users verify the source of an email before clicking any of the included links or opening any attachments, especially if an email seems unexpected.
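As an added illustration of one way to spot the lateral brute-force behaviour described above (example code written for this newsletter, not LBMC's detection signatures), the script below runs a sliding-window check over constructed failed-logon records and flags any host that fails authentication against many distinct accounts in a short period. The record format, host names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records (hypothetical; loosely modelled on
# the fields of a Windows Security failed-logon event).
# Format per line: timestamp, source host, target account.
SAMPLE_FAILED_LOGONS = """\
2017-09-12T08:01:02 WS-FINANCE-07 jsmith
2017-09-12T08:01:03 WS-FINANCE-07 administrator
2017-09-12T08:01:03 WS-FINANCE-07 mjones
2017-09-12T08:01:04 WS-FINANCE-07 backup
2017-09-12T08:01:05 WS-FINANCE-07 svc_sql
2017-09-12T08:01:05 WS-FINANCE-07 rlee
2017-09-12T08:01:06 WS-FINANCE-07 helpdesk
2017-09-12T08:01:07 WS-FINANCE-07 kpatel
2017-09-12T08:03:40 WS-HR-02 kpatel
2017-09-12T08:09:15 WS-HR-02 kpatel
"""

def parse_failed_logons(text):
    """Parse 'timestamp host account' lines into (datetime, host, account) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, host, account = line.split()
            records.append((datetime.fromisoformat(ts), host, account))
    return records

def find_dictionary_attack_sources(records, window=timedelta(minutes=5),
                                   min_failures=6, min_accounts=4):
    """Return {host: [accounts]} for hosts that, within any sliding window,
    produce >= min_failures failures spread over >= min_accounts accounts.
    A user mistyping a password hits one account; a dictionary attack from an
    infected host hits many accounts in quick succession."""
    by_host = defaultdict(list)
    for ts, host, account in sorted(records):
        by_host[host].append((ts, account))
    flagged = {}
    for host, events in by_host.items():
        hits, start = set(), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1          # slide the window forward
            accounts = {acct for _, acct in events[start:end + 1]}
            if end - start + 1 >= min_failures and len(accounts) >= min_accounts:
                hits.update(accounts)
        if hits:
            flagged[host] = sorted(hits)
    return flagged

if __name__ == "__main__":
    for host, accts in find_dictionary_attack_sources(parse_failed_logons(SAMPLE_FAILED_LOGONS)).items():
        print(f"{host}: {len(accts)} accounts targeted -> {', '.join(accts)}")
```

The two isolated failures from WS-HR-02 against a single account stay below the threshold and are not reported.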

More information can be found at the following sites:

Apache Struts Activity

As we have been reporting since March, we continue to see attackers targeting Apache Struts vulnerabilities, specifically CVE-2017-5638. The activity had declined slightly over the past couple of months, but the Equifax breach announcement in early September has brought it back to the forefront (an Apache Struts vulnerability is reportedly the initial attack vector used by the Equifax attackers).

If your organization utilizes Apache Struts, we strongly recommend you prioritize updating the application to the most current version. At least two Struts vulnerabilities (CVE-2017-9805 & CVE-2017-12611) have already been disclosed in September. Both can result in attackers gaining the ability to remotely execute code of their choosing on the vulnerable server.

Details on the two newly disclosed vulnerabilities are located on the Apache Struts site:

MAJOR NEWS STORIES

Equifax Data Breach Compromises Information for 143 Million Americans

Equifax, one of three main credit bureaus in the U.S., disclosed a data breach affecting 143 million Americans—nearly half of the country’s population. The company stated that attackers leveraged a vulnerable web application to access consumers’ sensitive data, such as names, Social Security numbers, addresses, birth dates, and driver’s license numbers. Equifax also announced that approximately 209,000 credit card numbers were exposed. Equifax has confirmed that the attackers exploited a vulnerability in Apache Struts (CVE-2017-5638) which was made public in March 2017. The company is now referring individuals to https://www.equifaxsecurity2017.com to check if their information has been impacted by the incident.

More information on this event is located at:

St. Jude Recalls 465,000 Pacemakers Due to Security Vulnerabilities

In order to remediate a security vulnerability that could allow unauthorized access, St. Jude Medical (now Abbott Laboratories) is recalling 465,000 pacemakers in the U.S. to install a firmware update. The FDA approved the firmware update on August 23rd. The update adds capabilities to the pacemakers, such as data encryption and authorization requirements for any external device that communicates with the pacemaker. Because the update cannot be applied remotely, patients will need to visit a healthcare provider in order to receive it.

For more information on this, please visit:

Time Warner Cable Data Breach Exposes 4 Million Customer Records

Researchers from Kromtech Security Center discovered two Amazon Web Services (AWS) S3 buckets containing Time Warner Cable customer information that were available to the public. Sensitive information, such as usernames, transaction IDs, MAC addresses, serial numbers, and account numbers, was viewable without authentication until researchers from Kromtech notified Time Warner of the incident. Investigation linked the misconfigured AWS S3 buckets to software and service provider BroadSoft.

More information regarding this incident can be found at: