6 April 2020

Emotet attack took down an entire network by overheating PCs

An organization’s entire IT network was taken down by overheating computers after an Emotet infection that began when one of its employees was tricked into opening a phishing email attachment, according to a case study shared by Microsoft’s Detection and Response Team (DART).

“After a phishing email delivered Emotet, a polymorphic virus that propagates via network shares and legacy protocols, the virus shut down the organization’s core services. The virus avoided detection by antivirus solutions through regular updates from an attacker-controlled command-and-control (C2) infrastructure, and spread through the company’s systems, causing network outages and shutting down essential services for nearly a week,” DART said.

The systems of Fabrikam (the placeholder name Microsoft gave the victim in its case study) were infected with Emotet after an employee opened a file attached to a phishing email, which allowed the attackers to steal that employee's credentials.

Four days after gaining a foothold in the network, the threat actor used their control over the employee’s computer to start sending out phishing emails to other people within the Fabrikam network.

“Fabrikam didn’t have any network visibility tools in place, so for the next twenty-four hours Emotet wormed its way through its infrastructure without raising any red flags. Then, the threat actor brought the whole network down,” according to DART.

Within eight days of the malicious attachment being opened, Fabrikam's entire network had come to a standstill, including its 185-camera surveillance network, with computers overheating, freezing and rebooting after blue screens, and Internet connections slowing to a crawl as Emotet consumed all available bandwidth.

Furthermore, Fabrikam’s finance department couldn’t complete any external banking transactions, and partner organizations couldn’t access any databases controlled by Fabrikam.

Microsoft experts managed to contain the Emotet infection using asset controls and buffer zones that isolated assets with admin privileges. The team was eventually able to eradicate the infection completely after new antivirus signatures were deployed.
