Defeat Emotet Malware with SSL Interception – No Mask Needed

The Emotet trojan recently turned from a major cybersecurity threat to a laughingstock when its payloads were replaced by harmless animated GIFs. Taking advantage of a weakness in the way Emotet malware components were stored, white-hat hackers donned their vigilante masks and sabotaged the operations of the recently revived cyberthreat. While highly effective as well as somewhat humorous, the incident shouldn’t distract attention from two unavoidable truths.

First, while the prank deactivated about a quarter of all Emotet malware payload downloads, the botnet remains a very real, ongoing threat and a prime vector for attacks such as ransomware. And second, relying on one-off operations by whimsical vigilantes is hardly a sustainable security strategy. To keep the remaining active Emotet botnets—and countless other cyberthreats—out of their environment, organizations need to rely on more robust and reliable measures based on SSL interception (SSL inspection) and SSL decryption.

What is Emotet Malware (a.k.a. Emotet Trojan) and is it a Threat?

White hat countermeasures notwithstanding, emotet malware is one of the most significant threats facing companies today. Before going temporarily inactive in February 2020, the Emotet botnet had been the world’s largest and most active cybercrime operation, as seen below.

The method it used was simple and all too familiar: spam emails targeted users with seemingly business-related links or Word attachments that actually contained malicious macros designed to download and install the Emotet trojan on the user’s device. Having connected to an Emotet trojan command and control server, the device would then serve as a conduit for ransomware or other exploits, including Qbot, IcedID, Gootkit, and The Trick.

After several months without an incident, the Emotet trojan resurfaced suddenly with a surge of activity in mid-July 2020. This time around, the botnet’s reign of terror took an unexpected turn when the payloads its operators had stored on – poorly secured WordPress sites – were replaced with a series of popular GIFs. Instead of being alerted of a successful cyberattack, the respective targets received nothing more alarming than an image of Blink 182, James Franco, or Hackerman.

Emotet malware payloads replaced with animated GIFs
Emotet malware payloads replaced with animated GIFs

It’s all in good fun … this time. But the question remains: what if the white hats had left their masks in the drawer instead of taking on the Emotet trojan? And what about the countless other malware attacks that continue unimpeded, delivering their payloads as intended?

View into the Encryption Blind Spot with SSL Interception (SSL Inspection)

Malware attacks such as Emotet often take advantage of a fundamental flaw in internet security. To protect data, most companies routinely rely on SSL encryption or TLS encryption. This practice is highly effective for preventing spoofing, man-in-the-middle attacks, and other common exploits from compromising data security and privacy. Unfortunately, it also creates an ideal hiding place for hackers. To security devices inspecting inbound communications for threats, encrypted traffic appears as gibberish—including malware. In fact, more than half of the malware attacks seen today are using some form of encryption. As a result, the SSL encryption blind spot ends up being a major hole in the organization’s defense strategy.

The most obvious way to address this problem would be to decrypt traffic as it arrives to enable SSL inspection before passing it along to its destination within the organization—an approach known as SSL interception. But here too, problems arise. For one thing, some types of data aren’t allowed to be decrypted, such as the records of medical patients governed by privacy standards like HIPAA, making across-the-board SSL decryption unsuitable. And for any kind of traffic, SSL decryption can greatly degrade the performance of security devices while increasing network latency, bottlenecks, cost, and complexity. Multiply these impacts by the number of components in the typical enterprise security stack—DLP, antivirus, firewall, IPS, and IDS—and the problem becomes clear.

A10 Networks’ SSL Inspection Product Saves the Day

A10 Networks Thunder® SSL Insight (SSLi®) eliminates the SSL encryption blind spot to enable effective SSL interception. Instead of relying on distributed, per-hop SSL decryption, organizations can use a single Thunder SSLi solution to decrypt traffic once, allow SSL inspection by as many separate security devices as needed in tandem, and then re-encrypt it once on the way out of the network. To ensure regulatory compliance, the solution also allows SSL decryption policies to selectively bypass traffic for specific web pages and domains while making sure that everything else is decrypted.

We should celebrate the work of the white hats who pwned Emotet. It’s not every day that a lethal cyberthreat becomes a matter of levity. But having had a good laugh at their expense, we should turn our attention to making sure that attacks like Emotet have no way to succeed in the future—without the need to count on vigilante justice.


|

July 29, 2020

About A10 Staff