The name says it all: "Complete shutdown of operations" is probably the best way to translate "Full Operational Shutdown". The second report of Microsoft's security response team DART presents a case study of an organization infested by Emotet. It explains what measures the security experts had to take and once again urges organizations to put more effort into the known best practices.
It took only a few days for the polymorphic Emotet virus to paralyze all the essential IT structures of the "Fabrikam" company and cause millions of euros in damage. Microsoft chose the fictional name Fabrikam for its report (PDF file); the example is based on the problems in the systems of the US city of Allentown in winter 2018, which culminated in a DDoS attack, the takeover of almost 200 surveillance cameras and a total loss of control over the city's IT.
Total loss of control
Microsoft's security experts came into play after a week, when the Windows domain and network were largely unusable and even a basic overview of what the attackers were currently doing was impossible. In the subsequent analysis, a single but successful phishing email was identified as the trigger for the break-in.
The DART team, which provided both on-site and remote support for the affected users, had to confirm the loss of control over IT. The only way forward was a completely redesigned IT architecture with buffer zones, which successfully prevented the malware from spreading again. Only then was the DART able to roll out antivirus signatures and repair the Microsoft System Center Configuration Manager.
Strong warning: "Please use email filters and 2FA"
The DART uses "Full operational shutdown" to emphasize the importance of email filters and two-factor authentication. These would have prevented a lot of the damage in the present case.
As in the previous study "And then suddenly there were six", Microsoft sees the core of the problem in best practices that are insufficiently implemented or not followed in companies and organizations. In the first study, missing logging and auditing had enabled APT attackers to operate for months. Only when the team was called in because of a security incident did it emerge that not one attacker but six independent intruders were active in the local network.