When your local county gets Emotet
Back in 2017 I personally reached out to the county to talk about a wireless project that I wanted to kick off to spur development in my county (Currituck, NC). I was referred to the county development folks and then had several meetings with the county and the local economic development folks. As part of my outreach to see whether the county had resources, I was put in touch with Larry Lombardi, the Currituck County Economic Development Director.
Mr. Lombardi was very helpful and pointed me in the right direction. I went on my way and didn't think much of it until a few weeks ago, when I started getting tons of emails, some of which originated from foreign servers in South Korea, Brazil and elsewhere. As a cyber security company we see this type of activity at our customers all the time, and our email defenses correctly moved these messages to a folder for suspicious messages, so I didn't realize what was happening until recently.
Apparently at some point the county had a few workstations breached, and the address books of several people, including Mr. Lombardi, began showing up on the dark web along with all of his contacts (including my email address).
It appears that the stolen information has been used to try to infect others with sophisticated APT-like malware, just like what I suspect the county itself was hit with for this incident to have started in the first place. Upon reviewing several of the messages it was easy to see that they were spoofed and that targeted messages were being forwarded to everyone in Mr. Lombardi's address book. Which raises the question: if the county was infected, how have they cleaned up this incident?
AGAIN NO DISRESPECT TO LARRY - HE DOES A LOT FOR THIS COMMUNITY
Let's have a look at the activity
As you can see from the emails above, I communicated with Mr. Lombardi in 2017 and early 2018 concerning wireless. These are legitimate emails between him and me with no issue.
Now let's take a look at some of the problem emails that have been flooding in the last few weeks.
The Malicious Attacks
As you can see in this email, the address is spoofed and uses Larry's name. This is the first indication of an issue and the reason our mail server moved the message to a folder for review, so that our employees did not click on the attachment above.
Let's analyze the attachment
Digging into the attachment, we find a few details, listed below.
The source of the email is 108.166.43[.]89
The sender is lolson@finleyelevator[.]com
The mail server that sent us the message is smtp89.ord1c.emailsrvr[.]com
As I mentioned, Mr. Lombardi is located in Currituck County and does a great job working to build out infrastructure in our local area. So this next part tells you the extent of the problem. Since Jigsaw Security is a security company and we deal with these types of incidents all the time, we thought we would use this one as an example of how these attacks are being carried out. By making these messages look like they come from legitimate people I would communicate with, I suspect the infection rate among the general public would be much higher than what I would see at a security company that blocks this type of activity daily. So here's what we found:
When looking up the IP we determined that it was a Rackspace IP address. Rackspace is a hosting provider and most of their servers are located in Texas. We know this because a few years ago we used this company to host some of our projects. The fact that this is a hosting company in Texas is not that odd, as the county may use Rackspace for their hosting (we don't know yet). Next we looked at the activity for that server and found that the mail server is not on our list of malicious mail servers, so the level of concern for us is lower, but the level of concern for the county is growing, especially if they use Rackspace for their mail servers.
No other information was readily apparent from this first message, but it doesn't end there. You may be asking yourself, what about the link in the message? Yep, we asked ourselves that too and took a look at that as well.
So we looked, and BitDefender, Malwarebytes hpHosts and Spamhaus all identify this as "Malware". This is exactly what we suspected. But the interesting thing is that not much else is detecting it, including antivirus software, which explains why the county probably is not even aware of this (they will be, because we're going to notify them of this in the morning).
One of the key pieces of information about the link is that it is running on a server with the IP address of 50.116.69[.]89 so let's inspect that and see if we find anything concerning.
As you can see there are a ton of associated malware infections all with low detection pointing to that IP address. Now we know we have a problem to deal with. Here's why:
Targeted Emails using address book contacts
Low detection rates with antivirus products
Jigsaw Security products were aware of the malicious nature and blocked the message (thousands of them in fact)
So looking at this we decided to download the document in a controlled environment and have a look. That's when the alarms went off!
As you can see, the macros in the "invoice" document were detected by 22 of 60 antivirus products. We suspect that it is not detected by the county's antivirus because I'm still seeing messages coming in from not only Larry but another person I emailed there, all with the same types of attachments.
So to recap, we are pretty sure the county has one or more infected workstations that are the reason for this very targeted malicious email campaign.
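To show how the checks walked through above (a known contact's name on a foreign address, a sending IP and link host on a known-bad list) can be automated at the mail gateway, here is a small triage function written for this post as an added example; it is not Jigsaw Security's code. The sample messages are constructed, the expected county domain is an assumption based on the lookalike quoted later, and the indicator values are the ones reported above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Known contacts: display name -> domain we expect them to mail from.
# The county domain is an assumption; it is not stated in the post.
KNOWN_CONTACTS = {"larry lombardi": "currituckcountync.gov"}

# Indicators from the post, with the defanging brackets removed for matching.
IOC_IPS = {"108.166.43.89", "50.116.69.89"}
IOC_DOMAINS = {"theaccessibilityhub.ca", "finleyelevator.com", "smtp89.ord1c.emailsrvr.com"}

# Constructed sample messages: the headers are invented, the values are the post's.
SAMPLE_SPOOF = """\
Received: from smtp89.ord1c.emailsrvr.com (108.166.43.89)
From: Larry Lombardi <lolson@finleyelevator.com>

Please see http://theaccessibilityhub.ca/Aug2018/US/Invoice/invoice
"""
SAMPLE_LOOKALIKE = """\
Received: from mx.example.net (192.0.2.10)
From: Larry Lombardi <larry@currituckcountync.gov.gciamkt>

Attached.
"""

def triage(raw):
    """Return the reasons a message should be held for review (empty list if none)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    # A known contact's name on an address from another domain is the spoof described above.
    if expected and domain != expected:
        findings.append(f"display-name spoof: '{name}' sent from {domain}")
    if domain in IOC_DOMAINS:
        findings.append(f"sender domain in IOC list: {domain}")
    # Relay IPs recorded in Received headers, compared against the known-bad list.
    for received in msg.get_all("Received", []):
        for ip in re.findall(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", received):
            if ip in IOC_IPS:
                findings.append(f"relay IP in IOC list: {ip}")
    # Link hosts in a plain-text body, compared against the known-bad list.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    for host in re.findall(r"https?://([^/\s]+)", body):
        if host.lower() in IOC_DOMAINS:
            findings.append(f"URL host in IOC list: {host}")
    return findings
```

The lookalike sample is caught by the exact-domain comparison, which is why a suffix or "contains" match on the county domain would not be enough.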
IOCs for this incident:
108.166.43[.]89
50.116.69[.]89
9447035f33ab06603adf48898f91768808346147
b3199369bc44253670cafc8f7912a050
http://theaccessibilityhub[.]ca/Aug2018/US/Invoice/invoice
lolson@finleyelevator[.]com
smtp89.ord1c.emailsrvr[.]com
These are just a few of the IOCs, and here are a few more examples we received. Hopefully we can find the infected workstations tomorrow and stop this activity. While we are not being affected by this, some other company, or worse yet state employees, may be. Hopefully we can get this resolved quickly.
A few more examples - notice the one that actually says CurrituckCountyNC.Gov.gciamkt? That's why we need to fix this before somebody falls for this nonsense!
Maybe the county could use our mail protection software? We know this is Emotet malware which is very difficult to stop but we hope the county gets some better protection so that they don't inadvertently infect somebody else that may not have caught this activity.
Let's put this in perspective:
According to Jigsaw Security analytics, we have observed 600,838 infections of Emotet since 2013. There are literally thousands upon thousands of infected PCs out there, so this should be an example of why antivirus alone is not enough to protect you from infection. Jigsaw FirstWatch detects and stops this activity before it can do harm to your systems and network.