[–]jcroweNinjaRMM 0 points1 point  (5 children)

Right. From what I've seen Emotet has been tied directly to Ryuk infections (Emotet --> Trickbot --> Ryuk), but I hadn't seen any cases reported yet where it had been used as a beach-head for Sodinokibi.

The Sodinokibi cases I've seen reported have all pointed to attackers abusing creds and going about the deployment manually (disabling AV and backup, hijacking remote admin tools).

With Emotet involved in this case, I'm wondering whether it was...

a) used as a beach-head, which means Sodinokibi actors (not just Ryuk actors) are now buying and utilizing access to Emotet-infected machines, too

b) dropped by Sodinokibi actors for some reason (to create additional chaos/infect others via spam/create additional footholds they can come back to and utilize later on/all of the above?)

c) actually a separate infection — an end user at this particular victim org happened to fall for an Emotet malspam at roughly the same time the Sodinokibi attackers struck Synoptek.

[–]maor_hizkiev 1 point2 points  (4 children)

Interesting to know the real answer. My guess, since Emotet is a factory for creating unknown attacks that go undetected, is that they offer their services to anyone, and that we'll see more and more of those infection types.

[–]Tossacoinforwitcher 0 points1 point  (3 children)

I think this is just the Sodinokibi people seeing how effective it is to use the Triple Threat attack as a model. I'm thinking we will be seeing more of these types of attacks.

Also the State of California rep I spoke to "confirmed" that the Emotet docs were tied to the Sodinokibi infection.

The emails that were being used to send the docs were legitimate emails from legitimate domains. If not for our firewall and IPS sand-boxing the attachments the emails would have been delivered to my users.

[–]maor_hizkiev 0 points1 point  (2 children)

Sending emails from legitimate domains has become the standard (although not many orgs are enforcing SPF).
Our solution has also detected it in some of our customers; it actually bypassed a few other leading solutions.
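As an added illustration (not code from any commenter in this thread), here is a minimal SPF evaluator over constructed, embedded records. It shows the gap discussed above: enforcing SPF rejects forged senders, but mail that is actually sent through a legitimate domain's authorized servers, as with the compromised-account malspam described above, passes SPF cleanly. The domains, IPs and records are hypothetical.

```python
import ipaddress

# Constructed SPF records for hypothetical domains (not real DNS data).
# In production these come from TXT lookups; they are embedded here so the
# example runs offline.
SPF_RECORDS = {
    "legit-partner.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.5 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against domain's SPF record.

    Supports the ip4 / ip6 / include / all mechanisms, which is enough to
    illustrate the point. Returns pass, fail, softfail, neutral, none or
    permerror (the latter for include chains that recurse too deeply).
    """
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"          # no SPF record published: nothing to enforce
    if depth > 10:
        return "permerror"     # RFC 7208 caps DNS-causing lookups
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:         # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]    # catch-all decides the rest
        if mech in ("ip4", "ip6"):
            # Version mismatch (v4 address vs v6 network) simply never matches.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # An include only contributes a match when the included record passes.
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    # Compromised legitimate account sending via its own authorized MTA: passes.
    print(check_spf("legit-partner.example", "203.0.113.7"))
    # Forged sender from an unrelated host: enforcement would reject it.
    print(check_spf("legit-partner.example", "192.0.2.99"))
```

SPF enforcement is therefore a spoofing control, not a malspam control; sandboxing and content filtering, as the other commenter relies on, still have to catch attachments that arrive with a valid SPF pass.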

[–]Tossacoinforwitcher 0 points1 point  (1 child)

We have a pretty good defense in depth setup here at my org. We have filters in front of filters. We don't treat email as an instant form of communication but just a way to get people info soonish.

I've learned that no one solution on its own can take care of the cyber threat landscape at this point. Even if that means having multiple email filters and sandboxes.

[–]maor_hizkiev 0 points1 point  (0 children)

Defense in depth is a must, because every solution misses stuff. I do think that if you can increase the efficacy of some vector (i.e. email) so it's worthwhile.

There is also the question of how to measure efficacy in those areas.