Emotet botnet harvested 4.3 million email addresses. Now the FBI is using Have I Been Pwned to alert the victims
The FBI has shared 4.3 million email addresses stolen by the Emotet malware with the Have I Been Pwned breach notification site in another effort to remediate the effects of the devastating botnet.
The email addresses come from mail servers compromised by Emotet as well as end-user computers on which the malware had scraped credentials out of victims' browsers, says Troy Hunt, an Australian computer security expert who runs HIBP.
It’s the first time the FBI has asked Hunt's service to assist in notifying victims, says Hunt, who wrote a blog post about the move.
In 2018, the Estonian Central Criminal Police supplied HIBP with 655,000 email addresses that came from several breaches to avoid directly sending out its own breach notifications, which could have been mistaken for phishing emails, Hunt says.
Hunt says the Emotet data will help victims take prompt action to ensure their online accounts have strong, unique passwords that are not reused across services.
Emotet: Destructive Malware
The Emotet botnet was disrupted in January in a coordinated action undertaken by the U.S., the U.K., the Netherlands, Canada, France, Germany, Sweden, Lithuania and Ukraine. Law enforcement agencies identified 1.6 million computers worldwide that were infected with the malware between April 2020 and January 2021, and 45,000 of those machines were in the U.S.
Europol called Emotet "one of the most professional and long-lasting cybercrime services." The malware caused hundreds of millions of dollars in damages, the U.S. Justice Department said in January.
The malware, which emerged around 2014, primarily spread through spam messages containing malicious links or attachments. It harvested victims' email contact lists to send itself out and to look less suspicious to recipients.
Emotet was a "dropper," or first-stage malware, that maintained access to a person's computer. Those who controlled Emotet could sell access to those computers to other players in the cybercrime economy, including ransomware gangs.
Soon after Emotet's infrastructure was disrupted by law enforcement officials, agencies launched an effort to remediate infected computers.
Around Jan. 26, law enforcement agencies used some of Emotet's infrastructure to push what was referred to as a "law enforcement file" to infected computers, according to an FBI affidavit released by the Justice Department. That disconnected infected computers from the botnet.
That code, a customized DLL file called EmotetLoader.dll, was also designed to remove the infection. In a blog post on Monday, the computer security firm Malwarebytes writes that it was coded to uninstall Emotet completely by April 25, an action that has taken place (see: Emotet Malware Automatically Uninstalled).
Emotet Breach 'Sensitive'
Even with remediation of the infections, there's still the problem of account credentials that have been compromised by Emotet. Law enforcement agencies have been working to notify anyone whose devices might have been infected by Emotet.
The Netherlands created a service in which an individual could enter their email address to see if their machine had been infected. If a positive result was found, a notification was emailed to the person a few minutes later, according to Dutch police.
After the initial shutdown of Emotet, Dutch police continued to find email addresses indicating that computers had been infected. On Feb. 3, 3.6 million more email addresses were found, which Dutch police added to their checker.
The entry of the email addresses into Have I Been Pwned, however, means that there is a higher chance that those affected by Emotet can be reached.
Hunt has classified the data as "sensitive." Anyone can enter anyone's email address into HIBP and see if the email address has been exposed in any of the breaches that have been indexed. But Hunt restricts what HIBP returns for certain types of sensitive breaches, such as Emotet. In those instances, a user must verify their email address or control of a domain.
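The gating described above, modelled as an added example (not HIBP's code; the breach index, addresses and the ExampleForum breach are constructed): an unverified lookup omits sensitive breaches, so an address found only in the Emotet data looks the same as one that was never breached, while a verified owner, or a verified controller of the domain, sees everything.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Breach:
    name: str
    sensitive: bool  # sensitive breaches are hidden from unverified lookups

# Constructed sample index. Emotet and Ashley Madison are flagged sensitive,
# as the article describes; ExampleForum is a made-up non-sensitive breach.
BREACHES = {
    "Emotet": Breach("Emotet", sensitive=True),
    "AshleyMadison": Breach("AshleyMadison", sensitive=True),
    "ExampleForum": Breach("ExampleForum", sensitive=False),
}
INDEX = {
    "alice@example.org": {"Emotet", "ExampleForum"},
    "bob@example.org": {"Emotet"},
    "carol@other.test": {"ExampleForum"},
}

def lookup(email: str, verified_owner: bool = False) -> list[str]:
    """Breaches to disclose for one address.

    Without ownership verification only non-sensitive breaches are returned,
    so an address present solely in the Emotet data yields [], which is
    indistinguishable from 'not in any breach'. A verified owner sees all.
    """
    names = INDEX.get(email.strip().lower(), set())
    return sorted(n for n in names
                  if verified_owner or not BREACHES[n].sensitive)

def domain_search(domain: str, verified_domain_owner: bool) -> dict[str, list[str]]:
    """All indexed addresses under a domain, including sensitive breaches.

    Only a party that has proved control of the domain may run this.
    """
    if not verified_domain_owner:
        raise PermissionError("domain control must be verified first")
    suffix = "@" + domain.strip().lower()
    return {addr: sorted(names) for addr, names in INDEX.items()
            if addr.endswith(suffix)}
```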
Hunt took this same step for the 2015 breach affecting Ashley Madison, the dating site for married people.
The Emotet situation differs from other breaches, Hunt says. The fact that someone's email address has shown up in the Emotet data means their computer was infected with malware. That fact could expose shortcomings in someone's security posture, and Hunt says he didn't want that to be discoverable through HIBP.
"The implication here is someone's personal security has been compromised, not just an online account," Hunt says. "I didn't want to make anyone a greater target."
Hunt says that beyond email addresses, he doesn’t have any more information, such as when a particular machine was infected or what other data might have been compromised.