Defeat Emotet Malware with SSL Interception – No Mask Needed - Image by Sammy-Williams from PixabayThe Emotet trojan recently turned from a major cybersecurity threat to a laughingstock when its payloads were replaced by harmless animated GIFs. Taking advantage of a weakness in the way Emotet malware components were stored, white-hat hackers donned their vigilante masks and sabotaged the operations of the recently revived cyberthreat. While highly effective, as well as somewhat humorous, the incident should not distract attention from two unavoidable truths.

First, while the prank deactivated about a quarter of all Emotet malware payload downloads, the botnet remains a very real, ongoing threat and a prime vector for attacks such as ransomware. And second, relying on one-off operations by whimsical vigilantes is hardly a sustainable security strategy. To keep the remaining active Emotet botnets—and countless other cyberthreats—out of their environment, organisations need to rely on more robust and reliable measures based on SSL interception (SSL inspection) and SSL decryption.

History of Emotet and the threat it presents 

The first version of Emotet was First identified in 2014. It was designed to steal bank account details by intercepting internet traffic. A short time after, a new version of the software was detected. This version, dubbed Emotet version two, came packaged with several modules. These included a money transfer system, malspam module, and a banking module that targeted German and Austrian banks. Last year, we saw reports of a botnet-driven spam campaign targeting German, Polish, Italian, and English victims with craftily worded subject lines like “Payment Remittance Advice” and “Overdue Invoice.” Opening the infected Microsoft Word document initiates a macro, which in turn downloads Emotet from compromised WordPress sites.

After a relatively quiet start to 2020, the Emotet trojan resurfaced suddenly with a surge of activity in mid-July. This time around, the botnet’s reign of terror took an unexpected turn when the payloads its operators had stored on – poorly secured WordPress sites – were replaced with a series of popular GIFs. Instead of being alerted of a successful cyberattack, the respective targets received nothing more alarming than an image of Blink 182James Franco, or Hackerman.

While this is all in good fun, there is a serious question here. What if the white hats had left their masks in the drawer instead of taking on the Emotet trojan? And what about the countless other malware attacks that continue unimpeded, delivering their payloads as intended?

A view into the encryption blind spot with SSL interception (SSL inspection) 

Malware attacks such as Emotet often take advantage of a fundamental flaw in internet security. To protect data, most companies routinely rely on SSL encryption or TLS encryption. This practice is highly effective for preventing spoofing, man-in-the-middle attacks. It also stops other common exploits from compromising data security and privacy. Unfortunately, it also creates an ideal hiding place for hackers.

To security devices inspecting inbound communications for threats, encrypted traffic appears as gibberish—including malware. More than half of the malware attacks seen today are using some form of encryption. As a result, the SSL encryption blind spot ends up being a major hole in the organisation’s defence strategy.

The most obvious way to address this problem would be to decrypt traffic as it arrives. It enables SSL inspection before passing it along to its destination within the organisation—an approach known as SSL interception. This brings its own problems. Some types of data are not allowed to be decrypted, such as the records of medical patients governed by privacy standards like HIPAA. It makes across-the-board SSL decryption unsuitable.

SSL decryption can also greatly degrade the performance of security devices while increasing network latency, bottlenecks, cost, and complexity. Multiply these impacts by the number of components in the typical enterprise security stack—DLP, antivirus, firewall, IPS, and IDS—and the problem becomes clear.

How efficient SSL inspection saves the day 

Many organisations rely on distributed per-hop SSL decryption. A single SSL inspection solution can provide the best course of action by decrypting traffic across all TCP ports and advanced protocols like SSH, STARTTLS, XMPP, SMTP and POP3. This solution also provides network traffic visibility to all security devices, including inline, out-of-band and ICAP-enabled devices.

We should celebrate the work of the white hats who restrained Emotet. It is not every day that a lethal cyberthreat becomes a matter of humour. But having had a good laugh at their expense, we should turn our attention to making sure that attacks like Emotet have no way to succeed in the future—without the need to count on vigilante justice. This is where SSL inspection can really save the day.


A10 Networks Logo

A10 Networks (NYSE: ATEN) provides Reliable Security Always™, with a range of high-performance application networking solutions that help organisations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, Calif., and serves customers globally with offices worldwide.

Previous articleFacebook claims iOS 14 will hurt ad revenue
Next articleUnit4 grows and builds for future growth
Adrian Taylor, Regional Vice President of Sales at A10 Networks
Adrian is an established sales leader with over 25 years’ experience in developing global and multinational accounts, across a wide range of emerging networking technologies. Joining A10 Networks in September 2018, Adrian is responsible for driving growth through direct customer engagements, as well as leveraging channel, service provider and technology partnerships. Before moving into his new role, Adrian spent over three years leading software sales at Brocade, which was later acquired by Pulse Secure. Prior to this, he spent 13 years in senior positions at Cisco, where he first developed a strong understanding of cloud computing, while managing teams across EMEA and Russia, and driving a large proportion of channel and cloud sales for the business. Always one for a challenge, Adrian likes to push the limits within his role and explore new ways of driving A10 Networks’ product sales forward, while finding new and disruptive routes to market.

LEAVE A REPLY

Please enter your comment!
Please enter your name here