One recent example of this was when attackers used the Emotet malware family as a distributor to circulate highly targeted ransomware named Ryuk across multiple organizations (here’s more on the Ryuk ransomware).
The group behind Emotet, Mealybug, has taken the business model of selling a malware distribution platform to the highest bidder. Emotet malware has now deployed multiple types of malware including the IcedID banking trojan, trickbot as well as various forms of ransomware.
For the attackers, one of the main benefits of the Emotet malware is that it contains network worm capabilities (similar to WannaCry and Petya/NotPetya) that distributes the product across the corporate network to other endpoints as well as to servers.
Once the Emotet malware has a foothold in the network, it is able to download and execute additional payloads and communicate back to a C2 server sending relevant information back to the attackers.
The Worm At Work
The Emotet malware infects the initial device by using a phishing attack containing an Office file with a macro code which is used to download the initial payload.
Once the first machine is infected with the initial payload, two things happen:
The Emotet malware uses its worm-like capabilities to spread within the organization.
The Emotet malware waits for an additional payload with which to infect the victim.
Emotet’s worm capabilities make use of an NTLM over SMB bruteforce to find admin privileged credentials or writable SMB shares and then spreads itself to other hosts on the network.
(Source: McAfee, "Emotet Trojan Acts as Loader, Spreads Automatically")
In most cases, the attacker’s goal is to gain access to sensitive resources to either:
Gain persistence in the environment. In such cases, sensitive IT services may be targeted, such as the Active Directory, PAM vaults, jump boxes, management servers, etc.
Retrieve or destroy sensitive information. In such cases, services hosting data are targeted (file servers, ERP, PoS services, etc.).
Without the network level access which allows the Emotet malware (and many other malware types) to propagate across the network,the distribution and impact of such malware on your network and resources can be significantly limited even after the initial device has been infected.
Zero Trust Fighting Malware Distribution
This is where one of the core principals of Zero Trust access comes into play - never allow wide network access. Luminate takes this even one step further by removing ALL types of network level access and allowing only the application layer (http, SSH, etc.) access between the end user and the resource.
This means that in the Emotet example, the malware would have nowhere to distribute itself from the initial point of infection, limiting its reach to the endpoints which have been compromised via the phishing campaign and making sure that your sensitive resources (servers, VMs, etc.) are protected from infection.
Another benefit of completely removing the network level access to your datacenters is the prevention of malware leveraging network exploits. These exploits require Layer3 (IP)/Layer4 (TCP/UDP) network access, as was the case of Petya/NotPetya which used the MS17-10 exploit in combination with other network-level access attempts to spread itself across the network.
Want to make sure your IT’s access strategy is capable of beating today's advanced attacks? Follow the 10 steps in this guide to evaluate your current access strategy to corporate applications.