Hornetsecurity Hybrid Cloud Adoption Survey

Hybrid Cloud: 2 in 3 IT Pros state it’s their Future 

About the hybrid cloud adoption survey 

Migration to cloud technologies has always seemed like an inevitable, yet somewhat far-off event. The events of the past two years, however, have accelerated the adoption rate of cloud technology, thanks to the increasing need for remote solutions for businesses and individuals. The road to the cloud has proven to be a bumpy one, with plenty of technical and human challenges that need to be addressed before any company can claim to be completely cloud-native, or even to adopt a hybrid cloud model.

Security, data storage, application compatibility, industry regulations, legacy software – there is a near-endless number of variables that can have an impact on any company’s journey to the cloud. We have lots of content already available in the DOJO on most of these subjects, but we wanted to find out exactly which of those challenges have been the most prevalent in hybrid cloud environments, along with what IT professionals think the future holds for infrastructure. After all, it can be difficult to know exactly when the right time is to transition to cloud technology.

For this reason, we ran a hybrid cloud adoption survey with over 900 IT professionals across the world, and now we’re ready to share our findings with you. Throughout the rest of this article, you’ll find a detailed breakdown of our findings, but if you’d like more detailed data, you can also take a look at the hybrid cloud survey results.

With that out of the way, let’s get started.

About the hybrid cloud survey respondents

Before we dive into the results themselves, here’s a breakdown of who our respondents are, for extra context.

Just over half (50.4%) of respondents form part of an internal IT department, while 23.6% are part of an MSP. The rest are split between other roles and business owners who handle their own IT. Most respondents have job duties primarily surrounding system administration or engineering (80.4%), while the rest are responsible for team management (19.6%).

We also asked our respondents how many years of experience they have in the IT industry. Nearly half (45.8%) reported over 20 years of experience in the field. The rest are split between 16-20 years (17.9%), 10-15 years (18.1%), 6-10 years (11.1%) and 1-5 years (7.1%).

In terms of geography, the vast majority of respondents are based in North America (43.8%) and Europe (41.6%). The remaining 14% are split between Asian territories (4.7%), Africa (3.3%), Australia (2.9%), the Middle East (2.1%) and South America (1.7%).

The size of the businesses (by employee count) that our respondents form part of varied between 1-50 (41.7%), 51-200 (23.1%), 201-500 (12.1%), 501-1000 (6.7%), and 1,000+ (16.3%).
Hybrid Cloud Adoption Survey

2 in 3 IT professionals see hybrid cloud solutions as a permanent destination for infrastructure 

One of the most interesting findings the hybrid cloud survey provided is that while industry sentiment is that cloud infrastructure is the future, 67% of our respondents believe that a hybrid cloud strategy is not a stepping stone to cloud-native infrastructure, but rather a permanent destination. This is due to specific workloads that will remain on-premise for any number of reasons, which will be explored later.

28.6% of respondents reported that they’ll remain with a hybrid cloud model only until full cloud adoption becomes available to their workloads. We expect this percentage to grow over the coming years as more commonly found issues related to cloud adoption are solved, such as application compatibility thanks to the advancements in containerisation tech.

The remaining 4.3% of survey respondents said they’ll be remaining 100% on-premise for the foreseeable future, rejecting even a hybrid cloud strategy. When asked for the reasons they’re keeping a fully on-premise infrastructure, these respondents cited the need for full control over their data, security issues, and cost considerations related to cloud services.

1 in 3 companies cite trust issues with cloud as reason for some workloads remaining on-premise 

34.1% of all our respondents said that ‘Privacy/Trust issues with the public cloud’ are keeping certain workloads on-premise. This sentiment is prevalent across all our respondents, and there is no appreciable difference in trust in the public cloud between respondents from different territories or company sizes – very clearly indicating that it is a widely held distrust.

There is, however, a difference in the level of trust in the public cloud between those respondents with more experience and their less seasoned counterparts. Respondents with over 20 years of experience were more likely to express distrust in cloud platforms (33.6%) than those with 1-5 years of experience (24.2%). This indicates that with experience comes more cynicism when it comes to allowing cloud platforms access to company data and operations.

Security and monitoring are among the chief concerns that many of our respondents had throughout the survey. In fact, when asked which technical challenges they see in a hybrid cloud model, half (49.3%) of all respondents cited ‘monitoring and security’. This is not only a concern from a cloud platform perspective, but also from a user perspective: 73.1% of all respondents mentioned that they are either using, or planning to use, multi-factor authentication and conditional access as part of their suite of security tools.

There is a clear overall sentiment that as more workloads are shifted into the cloud, the more of a concern control, monitoring and security become, especially when compared with the apparent peace of mind that on-premise infrastructure is associated with.

Only 5.7% of respondents report no technical difficulties with cloud or hybrid technologies 

Among the reasons that our respondents cited for having to keep certain workloads on-premise, there were two that were mentioned more frequently than trust issues with the cloud. These were ‘legacy systems or software’ and ‘application compatibility’, reported by 51.8% and 39.5% of respondents respectively.

This would indicate that even though Microsoft and other cloud platform providers have placed significant resources into providing avenues for IT professionals to modernise their applications and assist in the migration to hybrid cloud architecture, this effort hasn’t resulted in the elimination of related issues.

In fact, when asked what technical difficulties respondents have with cloud technologies, the most common answer provided (48.2%) was ‘technical know-how or certified staff’. This means that even though the technology required to overcome issues related to legacy software and application compatibility is available, many businesses lack the required knowledge and skill to implement it.

There is further evidence of this lack of knowledge, as one third (33.3%) of respondents also cited connectivity as a technical difficulty they have with cloud technologies. Indeed, while connectivity is definitely one of the most challenging aspects of applying cloud platforms, it can be handled with the correct knowledge and certification.

Workloads holding full cloud adoption back 

When asked about which specific workloads respondents envisage remaining on-premise, the following data was gathered. 
With regards to ‘print & imaging services’ being the most frequently mentioned workload in the list, it’s likely that many internal IT teams adopt an ‘if it ain’t broke, don’t fix it’ approach to this particular issue, especially since remote access for print services is redundant in most cases. Print services are also a critical end-user service for many organisations, so IT departments likely exercise extra caution before attempting an upgrade so as not to interrupt operation.

Databases and file storage are also high on the list, with a combination of privacy and performance issues being the main reasons such workloads would remain on-premise for many companies. Industry regulations such as GDPR, HIPAA, CMMC, and others may also be playing a part, as 28.7% of respondents cited these as an obstacle for cloud adoption.

Companies using MSP services more likely to use cloud solutions vs on-premise 

MSPs will be glad to hear that they’re leading the way when it comes to cloud adoption across the industry. 54.4% of MSPs reported that they see their workloads as ‘mostly in the cloud’ within the next 5 years. They also seem to be pulling their clients into hybrid cloud tech with them, as 51.7% of companies that use MSP services will also be leveraging a hybrid cloud model in the near future. 46.9% of internal IT departments, on the other hand, report that they’ll be ‘mostly in the cloud’ in 5 years’ time.

Trust issues with the public cloud, however, remain relatively constant across all respondents, with 34.4% of internal IT teams reporting that trust issues are an obstacle to cloud adoption, versus 32.5% of professionals that engage an MSP.

In more good news for MSPs, our survey also revealed that 40.8% of respondents that do not form part of an MSP, nor use any MSP services, would consider engaging a Managed Services Provider to assist with the transition from on-premise to a hybrid cloud architecture.

Most popular containerisation services 

Through the survey, we also wanted to find out which containerisation service holds the most popularity within our base of respondents, since this is one of the key technologies that make a hybrid cloud strategy possible for certain use cases.

We were relatively surprised to find that Docker remains popular among all containerisation tech, with 3 in 10 (30.7%) respondents citing that it’s the technology they either currently use or plan on using within the next 5 years. This stands against 22% of respondents that use Azure Kubernetes Service.

This is especially surprising since Kubernetes with containerd is proving to be a more powerful, albeit more complex, containerisation solution. We actually dove into the intricacies of AKS (Azure Kubernetes Service) with Ben Armstrong from Microsoft in an episode of the SysAdmin DOJO Podcast, which you should definitely check out if you’re looking to up your containerisation game.

Full hybrid cloud adoption survey results 

If you’d like to take a look at the data for yourself, feel free to take a look at the hybrid cloud adoption survey results here. 

Next steps? 

The findings will directly influence the Altaro webinar on 23 March, How Azure Stack HCI is Forcing Changes in your Datacenter. Microsoft MVPs Andy Syrewicze and Carsten Rachfahl will break down Microsoft’s core hybrid cloud solution Azure Stack HCI, what it means for IT Pros and how it will fit into the tech stack long-term. Register for this hybrid cloud webinar > 

FAQs 

What is hybrid cloud and how does it work?

Hybrid cloud is a term used to describe an IT system architecture that utilises a combination of on-premise technology and cloud (public or private) services. A hybrid cloud model allows these systems to interact with each other and share data and resources to support the operation of an IT infrastructure.

What is an example of a hybrid cloud model?

Hybrid cloud models are used in a wide variety of situations, the most common of which is when a business wants to modernise its IT infrastructure but has certain workloads that must remain in physical data centres due to legacy software or industry requirements.

How do I build a hybrid cloud architecture?

The first step is to become familiar with the providers of hybrid cloud platforms, such as Microsoft Azure, Amazon Web Services, Google Cloud, etc. Each of these providers has their strengths and weaknesses, so finding out what your IT infrastructure requires the most is essential in choosing the right platform. A benefit of cloud technologies is that they don’t require hardware installations for a trial, so testing different providers to find out which fits your business best is definitely recommended.

What are the benefits of Hybrid Cloud technology?

Benefits of hybrid cloud technology include:

● Flexibility and scalability. Since they don’t rely on fixed hardware resources, systems operating in hybrid cloud environments can increase and decrease resource allocation depending on the current workload.
● Cost management. With the number of different available options and price points for both private and public cloud technology, businesses can pick and choose which applications will be run on which platform based on their needs and budgets.
● Security and monitoring. Native and third-party security suites and monitoring software are widely available for most major cloud platforms, making them a preferable choice for businesses that need the accessibility of cloud services for sensitive data.
● Control and customisation. With the vast number of integration options available for cloud platforms, IT can take the shape of whatever specific infrastructure is required by the business.
● Reliability and resiliency. Thanks to the decentralised nature of several cloud services, downtime is exceptionally rare, and data loss due to hardware failures is practically non-existent. Recovering any lost data is also a pain-free process in the majority of cases.

What is a hybrid cloud approach used for?

A hybrid cloud approach is commonly used for:

● Frequently changing workloads – applications that require the scalability of cloud technology and the security of on-premise or private cloud storage.
● High levels of data processing – processing large amounts of data usually occurs in waves. Hybrid cloud platforms allow external resources to be allocated at a lower cost than other solutions.
● Migrating to cloud technology – thanks to its flexibility, many businesses are using a hybrid cloud approach until all their workloads can be completely shifted into the cloud, which may be delayed by financial or technological constraints.
● Future-proofing – no business knows exactly what it will require down the road, and a hybrid cloud approach allows businesses to be agile and reactive with their IT resources in ways that were previously impossible.
1 of every 4 companies suffered at least one email security breach, Hornetsecurity survey finds

Email security is one of the main topics of concern for any IT department, and for good reason. Security breaches often lead to loss of sensitive data, operational downtime, and lost revenue. So we conducted an email security survey of 420+ businesses, and found that 23% of them, or 1 in 4, reported an email-related security breach. Of these security breaches, 36% were caused by phishing attacks targeting end users, arguably the weakest point of any security system.

The survey also examined how companies operating on the Microsoft 365 platform handle email security, and whether or not they use the baked-in Microsoft 365 security tools, or resort to third-party solutions. It is important to keep in mind that the results reveal the number of security breaches that respondents were aware of, and that often potential security breaches are reported months after they occur, missed completely, or not reported at all.
Reported Email Security Breach

What’s the main cause of email security breaches?

Of the security breaches respondents reported knowing about, 36% were caused by phishing attacks specifically targeting end users. More surprising is that 62% of all reported email security breaches occurred due to user-compromised passwords and successful phishing attacks.
User Compromised PW and Phishing Attacks
This fact reconfirms what many already think to be true – that your email security functions are only as useful as the training provided to end users to use said functions correctly and responsibly.

Use of Microsoft 365 Security Features

Keeping this data in mind, we then wanted to quantify and understand what companies are doing to bolster their email security. We asked a series of questions around most of the security features currently built into Microsoft 365. More specifically, we asked whether companies are using them, and if not, why. Here’s what we found:

● 1/3 of companies do not enable Multi-Factor Authentication for all users
● More than half (55%) of those who use MFA do not use Conditional Access
● 69% of respondents do not digitally sign messages
● 58% of respondents do not use encrypted email

Do not enable MFA for users
These issues are also compounded by the fact that 57% of our respondents also mention that they do not leverage Microsoft 365 Data Loss Prevention policies and 23% of these point to a lack of knowledge about the implementation of such policies as the reason.
Leverage DataLoss Prevention Policies

68% of companies expect Microsoft 365 to keep them safe from email threats, yet 50% use third-party solutions

There seems to be a disconnect between the expectations that businesses have of Microsoft 365’s email security, and the reality: While 2 out of every 3 expect Microsoft to keep them safe from email threats, half of all respondents resort to third-party solutions to supplement email security.
MS Keeping Safe from Email Threats
MS Email Security Features Licensing

Third-Party Solutions most effective, with 82% reporting no breaches

Those that use third-party solutions reported the lowest rate of email security breaches in comparison to organizations using security packages offered by Microsoft 365. An impressive 82% of all our respondents who use third-party email security solutions reported no breaches.
82 Percent report no Security Breaches
Additionally, of those who reported paying extra for Microsoft’s Enterprise Mobility & Security E3 or E5, 48% also use third-party solutions. So while expectations of Microsoft 365’s email security are high, the reality is most companies believe it’s not enough; and the numbers back up that claim.

Which companies are the most vulnerable to email security threats?

For context, here is some geographical data about our respondents: the overwhelming majority (63.8%) hail from North America, with Europe trailing at 26.5%. The rest are split between Asia (3.5%), Africa (2.9%), Australia (1.3%), Latin America (1.3%), and the Middle East (0.5%).
74% of all security breaches reported in this survey were by companies that fell within two company size brackets: those with 201-500 employees and those with 501-1000 employees. This is likely due to a combination of factors such as budget and recruitment priorities that do not recognize digital security as a major concern at the outset.
Reported Breaches based on Company Size
Once the employee count exceeds 1,000, the incidence of an email breach decreases to 17% – probably due to reactions to previous security concerns and the ability to invest in more robust security protocols and more advanced IT infrastructure. Illustrating this point is the fact that companies with 1,001+ employees are 11% more likely to have MFA enabled for all users than those with 201-500 employees.
Here’s another interesting tidbit: North American respondents reported 5% more email security breaches than their counterparts in Europe. Yet both regions use Multi-Factor Authentication at the same rate: 68%. This could be due to the fact that US breaches tend to yield much higher payouts, so US organizations might be targeted more aggressively.

How do companies feel about storing sensitive data on Exchange Online & Microsoft 365?

MS365 and MS Exchange Security Concerns
The majority of respondents reported no concerns with storing sensitive data, but nearly 4 of every 10 companies do not store sensitive data on the Microsoft 365 platform due to data security concerns. That percentage is not insignificant considering that platforms such as Microsoft 365 are critical to most company operations.

Cyber threats on the rise – additional security layers strongly recommended for Microsoft 365

Microsoft is considered the biggest driver of the cloud movement and Microsoft 365 has brought the world’s most-used office suite to the cloud. Both critical and sensitive files are uploaded and exchanged every day by millions of business customers in the Microsoft suite – and cybercriminals are aware of this. The risks of cyberattacks are increasing every day and more incidents are being reported by both private individuals and companies of all sizes. As the survey shows, it is not only large global operating companies that are affected but also small and medium-sized ones that are increasingly becoming the focus of hackers.

With 365 Total Protection, Hornetsecurity launched a comprehensive Security & Compliance Suite for Microsoft 365 that is specifically designed for the cloud service and integrates seamlessly. 365 TP is available in two versions: 365 Total Protection Business includes multiple features, such as email and data security, and thus proves to be a reliable additional protection against spam and malware attacks. Advanced features and advanced protection mechanisms are included in 365 Total Protection Enterprise. With AI-based forensic analysis mechanisms, URL malware control, and ATP sandboxing, even the latest targeted cyberattacks, such as ransomware or business email compromise, are blocked.

Furthermore, the service is characterized by its fast, 30-second onboarding process, intuitive operation, and low maintenance requirements.

Click here for more information: https://www.hornetsecurity.com/us/services/365-total-protection/

Increase in cybercrime in the pre-Christmas season

New Infopaper gives tips on how to best protect your business

The year is coming to an end, and the earliest shoppers are thinking about what to give their loved ones for Christmas. Online stores and local businesses in turn are preparing for the high-volume, pre-Christmas business.

The last weekend of November, with Black Friday and Cyber Monday, officially kicks off the season. Many companies will offer special promotions for their customers on these days in order to lure the deal hunters. But this season is not only extremely lucrative for companies; cybercriminals also look to collect a decent Christmas bonus. Again this year, the Hornetsecurity Security Lab is therefore preparing for a significant increase in cyberattacks on companies.

With the new paper “Cybercriminals in the run-up to Christmas – 5 tips on how to best protect your company”, the IT security experts provide helpful advice to ensure that the Christmas season does not spell trouble for businesses.

Bargain hunters watch out: Cybercriminals want to cash in

Since the advent of the coronavirus, it should be clear to everyone that cybercriminals like to leverage current events and hot news for their own purposes.

Black Friday, Cyber Monday and Christmas are also events that attract public attention. They lure with discounts and promotions and appeal to our inner bargain hunters. It should come as no surprise that phishing e-mails in the name of major brands such as Amazon are particularly common. Last year, the Hornetsecurity Security Lab observed an increase in phishing e-mails in the name of Amazon between November and December:

Unauthorised use of Amazon domains for sending emails

Companies are particularly vulnerable during the Christmas season

It can be assumed that companies in particular will not only have to prepare for an increase in phishing attacks via e-mail. After all, the repertoire of cybercriminals includes many more methods, such as DDoS attacks, where hackers use a flood of server requests to bring the providers’ systems to their knees, which means some sales opportunities are lost.

In the following Infopaper, we explain the attacks that companies must increasingly expect and why they are becoming ever more dangerous.

Protect yourself now:

Email Conversation Thread Hijacking

Summary

“You should only open email attachments and links from senders you know” is a common piece of advice when it comes to preventing email-based malware and phishing attacks. However, in this article we outline an attack technique called email conversation thread hijacking, which uses existing email conversations of its victims and thus trust relationships to spread to new victims. Against this attack the previous advice will not help. We explain how email conversation thread hijacking is used by attackers, and why it dramatically increases the likelihood for victims to open malicious links or malicious attachments.

Background

Malicious actors try to get victims to open malicious links or malicious attachments. To this end, they often mimic genuine emails, such as invoices. However, if a victim is not a customer of a particular company or service, they will likely not open invoices claiming to be from those companies or services, especially knowing that this is the most common scheme for malicious actors to lure victims into executing their malware. Malicious actors are thus also often using current events to spark an interest in victims to open their malicious links or malicious attachments. Examples of such events are Christmas, Black Friday, Halloween, Valentine’s Day, but also currently the SARS-CoV-2 pandemic. However, users are often also aware of these schemes and do not open any malicious links or malicious attachments, especially when they come out of the blue without any context.

Hence, more and more attackers are leveraging a technique called email conversation thread hijacking, also known as email reply chain attack or email thread hijacking. In this technique, an attacker uses existing email conversations of victims to spread to new victims. Previously, attackers only used the email addresses listed in victims’ address books. Email conversation thread hijacking also uses the victim’s existing past email conversation threads to spread to new victims. To this end, the attackers will reply to the conversations the victim has in their mailbox.

How does email conversation thread hijacking work?

An email thread hijacking attack begins when a first victim is compromised. Next, their emails and often email login credentials are stolen. The attackers will then reply to the victim’s emails with their malicious messages.

In the following example, the “From” field contains the victim’s email address. The “To” field contains the email address of the targeted user, with which the victim had an email conversation previously. The “Subject” contains the original subject of the email conversation but is prepended with a “Re: “. The quote below the message contains the entire email conversation the two parties had.

Email conversation thread hijacking example

Good attackers also adapt the reply language to that of the hijacked email conversation, e.g., the following example uses a German language reply:

Email conversation thread hijacking example

While in the previous examples the malicious reply email contained a malicious link, these emails can also use malicious attachments:

Email conversation thread hijacking example

How effective is email conversation thread hijacking?

To demonstrate how effective email conversation thread hijacking is, we recreated a real email exchange that we observed during a routine false-positive email inspection:

Email conversation thread hijacking example

In this example, the attackers compromised Joe Schmoe’s email account and replied to an email that Joe had previously received from Alice. They replied with a malicious link (OPEN THE DOCUMENT) and some generic text. Alice released the email from quarantine and tried to open the malicious link, but her browser saved her from getting infected. She subsequently replied to Joe’s compromised email account that she can’t open “the file” and asked if “the file” could be sent in a different format. The attackers then sent Alice another malicious link. While we are certain that the attackers hijacking an already hijacked email conversation thread a second time was a coincidence, this example clearly shows how effective email conversation thread hijacking can be.

Fortunately, no attacker tailors their reply emails to fit into the hijacked conversation (yet). However, since threat actors have highly automated email conversation thread hijacking attack tools, the chances that the hijacked conversation involves documents that are shared back and forth is high. And even if it does not, who wouldn’t open a document sent by a known contact within an existing email conversation?

Who uses email conversation thread hijacking?

The number of threat actors using email reply chain attacks keeps increasing. While first observed in May 2017 in a limited targeted spearphishing campaign, many commodity threat actors adopted the technique in 2018.

In 2019, Emotet also adopted email conversation thread hijacking. To this end, they added an email-stealing module. The module steals emails and login credentials from victims and sends them to Emotet’s C2 servers, which distribute them to the systems of other victims infected with Emotet’s spam module, where they are used in attacks against new victims. Recently, Emotet has enhanced its email reply hijacking technique by also stealing attachments from victims and placing its malicious attachment among stolen benign attachments in order for the email to appear even more legitimate.

QakBot is also frequently distributed via replies to existing email conversation threads. In 2020, the Valek malware started to be distributed via email thread hijacking, too.

Hornetsecurity has observed an increase in compromised accounts being used to send malicious emails. While some do not (yet) use email conversation thread hijacking and simply misuse victims’ email accounts to send emails, with access to victims’ email accounts it is trivial to perform email reply chain attacks. A threat actor simply has to reply to emails received by their victims. We are therefore certain that the trend towards email thread hijacking attacks will continue. Therefore, users can no longer rely on a known trusted sender when deciding whether it is safe to open attachments or links.

Conclusion and Countermeasure

The advice to only open email attachments and links from known senders is outdated. With email conversation thread hijacking, even commodity threat actors can automate highly sophisticated and effective spearphishing emails. Often victims are not aware that they are compromised. In such cases it is important to inform victims that they are spreading malicious content via email so they can take measures against the compromise. Immediate actions should be to change the email login credentials. Secondary steps would be to determine how the attackers gained access to the email account in the first place to prevent such incidents in the future.

For humans it is very difficult, if not impossible, to spot email conversation thread hijacking because, by being sent from a legitimate but compromised account, the emails are – apart from the writing style – indistinguishable from real legitimate emails. However, email filters that inspect the attachments or links in emails can detect malicious content regardless.

Hornetsecurity’s Spam Filter and 365 Threat Monitor, with the highest detection rates on the market, detect and quarantine threats regardless of whether they use email reply chain attacks or not. Hornetsecurity’s Advanced Threat Protection is also not affected by email conversation thread hijacking and will inspect email contents regardless of whether they were sent from a compromised account or not. Hornetsecurity’s malware, phishing and ATP filters take precedence over sender allow lists. This way, even if an allow-listed sender is compromised and their email account is misused to send malicious emails, Hornetsecurity customers are protected.
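The following added example (not Hornetsecurity’s code) illustrates two points from this article: the shape of a hijacked reply described in the “How does it work” section (known sender, “Re:” subject, threading header, quoted conversation) and the countermeasure above, i.e. that malware and phishing checks must take precedence over a sender allow list. The sample messages, the allow list, the URL blocklist and the lure phrases are all constructed for the demonstration; the blocklist stands in for a real URL or attachment scanner.

```python
"""Compare a filter that lets an allow-listed sender short-circuit inspection
with one where content checks run first and cannot be overridden."""
import re
from email import message_from_string
from email.message import Message

# Constructed sample: a reply "from" a known contact whose account is assumed
# compromised. Sender, "Re:" subject and quoted thread all look genuine;
# only the link (a placeholder domain) is malicious.
HIJACKED_REPLY = """\
From: Joe Schmoe <joe.schmoe@example.com>
To: Alice <alice@example.org>
Subject: Re: Q3 invoice
In-Reply-To: <thread-1234@example.org>

Hi Alice,

OPEN THE DOCUMENT: http://malicious.invalid/doc/view

Best regards,
Joe

> On Monday Alice wrote:
> Joe, could you send over the Q3 invoice when you get a chance?
"""

# Constructed sample: the same thread with a harmless reply.
BENIGN_REPLY = """\
From: Joe Schmoe <joe.schmoe@example.com>
To: Alice <alice@example.org>
Subject: Re: Q3 invoice
In-Reply-To: <thread-1234@example.org>

Hi Alice, the invoice is on the shared drive: https://files.example.com/q3

> Joe, could you send over the Q3 invoice when you get a chance?
"""

SENDER_ALLOW_LIST = {"joe.schmoe@example.com"}          # constructed
URL_BLOCKLIST = {"malicious.invalid"}                    # stand-in scanner verdict
LURE_PHRASES = ("open the document", "see attached", "act immediately")
LURE_THRESHOLD = 2                                       # heuristic spam cut-off

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
ADDR_RE = re.compile(r"<([^>]+)>")


def sender_address(msg: Message) -> str:
    """Bare lowercase address from the From header."""
    from_header = msg.get("From", "")
    match = ADDR_RE.search(from_header)
    return (match.group(1) if match else from_header).strip().lower()


def is_thread_reply(msg: Message) -> bool:
    """Reply into an existing conversation: 'Re:' subject plus a threading
    header or quoted text. This is what makes the mail look trustworthy."""
    subject = msg.get("Subject", "").lower()
    quoted = "\n>" in msg.get_payload()
    return subject.startswith("re:") and ("In-Reply-To" in msg or quoted)


def malicious_hosts(msg: Message) -> list[str]:
    """Link hosts in the body that the content scanner flags."""
    hosts = {h.lower() for h in URL_RE.findall(msg.get_payload())}
    return sorted(h for h in hosts if h in URL_BLOCKLIST)


def lure_score(msg: Message) -> int:
    """Heuristic spam signal: number of common lure phrases in the body."""
    body = msg.get_payload().lower()
    return sum(1 for phrase in LURE_PHRASES if phrase in body)


def verdict_allowlist_first(msg: Message) -> str:
    """Weak ordering: a trusted sender bypasses every later check, so a
    compromised known contact delivers malware unhindered."""
    if sender_address(msg) in SENDER_ALLOW_LIST:
        return "deliver"
    if malicious_hosts(msg):
        return "quarantine"
    return "spam" if lure_score(msg) >= LURE_THRESHOLD else "deliver"


def verdict_content_first(msg: Message) -> str:
    """Correct ordering: malware/phishing checks run first and cannot be
    overridden; the allow list only relaxes the heuristic spam scoring."""
    if malicious_hosts(msg):
        return "quarantine"
    if sender_address(msg) in SENDER_ALLOW_LIST:
        return "deliver"
    return "spam" if lure_score(msg) >= LURE_THRESHOLD else "deliver"


def analyse(raw: str) -> dict:
    """Parse a raw RFC 5322 message and report indicators plus both verdicts."""
    msg = message_from_string(raw)
    return {
        "sender": sender_address(msg),
        "allow_listed": sender_address(msg) in SENDER_ALLOW_LIST,
        "thread_reply": is_thread_reply(msg),
        "malicious_hosts": malicious_hosts(msg),
        "allowlist_first": verdict_allowlist_first(msg),
        "content_first": verdict_content_first(msg),
    }


if __name__ == "__main__":
    for name, raw in (("hijacked", HIJACKED_REPLY), ("benign", BENIGN_REPLY)):
        print(name, analyse(raw))
```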

Emotet Update increases Downloads

Summary

The Hornetsecurity Security Lab observed a 1000 % increase in downloads of the Emotet loader. The increase in Emotet loader downloads is linked to a change in Emotet’s packer, which causes the loader to be detected less frequently by AV software. The data we have gathered suggests that the increase in Emotet loader downloads stems from the fact that it is detected less frequently, which makes security mechanisms less likely to block its download URLs. Our data, however, also suggests that AV vendors are already closing the gap in detection, so the detection rates for the Emotet loader should increase, and the number of downloads should decrease again. This analysis shows the impact of the changes made to the packer of the Emotet loader.

Background

The malware now commonly known as Emotet was first observed in 2014. Back then, it was a banking trojan stealing banking details and login credentials from its victims. Later, however, it pivoted to a malware-as-a-service (MaaS) operation providing malware distribution services to other cybercriminals.

We have already reported on Emotet multiple times in previous blogposts. The following timeline shows its recent developments:

Emotet event timeline

On 2020-08-18, changes to Emotet’s loader were observed. The Emotet loader is now packed with a different packer. Various researchers have observed that this packer change has led to a lower detection rate of the Emotet loader by AV software [1]. The unpacked loader has also received updates previously, but these have not caused any considerable impact on Emotet loader downloads. The changes performed on 2020-08-07 in order to fix a buffer overflow problem exploited by an Emotet “vaccine” called EmoCrash had no impact on the presented Emotet loader download statistics, since the “vaccine” only comes into effect after the Emotet loader has been downloaded.

Technical Analysis

We gathered download statistics from the Emotet download URLs by the methods outlined in our previous article about Emotet webshells [2]. For those who have not read our previous article: the PHP code Emotet uses to facilitate its downloads returns a JSON output stating the number of downloads of the Emotet payloads on that particular domain. We did not change our acquisition or analysis methods from the previous article, to ensure that our results are directly comparable and that any observed changes are caused by Emotet’s distribution operation and not by analysis artifacts introduced by methodological changes.

There are two types of Emotet download URLs: those pointing to an Emotet maldoc and those pointing to the Emotet loader. The Emotet maldocs, which can be sent by email, contain download URLs. A VBA macro code uses them to download the Emotet loader, the actual Emotet malware that installs itself on the victim’s computer.

In our previous analysis, the share of download URLs pointing to the Emotet loader was 15 %. Now, on 2020-08-19, its share is 20 %. This is because Emotet maldocs now use 6 or sometimes even 7 Emotet loader download URLs instead of the “classic” 5, as can be seen from this decoded PowerShell command issued by a recently released Emotet maldoc:

Emotet using 6 download URLs

However, the number of downloads of the Emotet loader that we have gathered from hidden statistics pages on compromised websites has increased by far more than 5 %.

The Emotet download statistics from 2020-07-29 indicated that the Emotet loader was downloaded at a rate of around 2500 times per hour on average. The following plot shows the ratio between loader and maldoc downloads as well as their volume for 2020-07-29:

Old Emotet download statistics

Two days after the packer change, on 2020-08-19, the Emotet download statistics indicate that the Emotet loader was downloaded at a rate of around 25000 times per hour on average, a 1000 % increase. The following plot shows the ratio between Emotet loader and Emotet maldoc downloads as well as their volume for 2020-08-19:

New Emotet download statistics
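The per-hour rates and the loader/maldoc download ratio above are derived from successive readings of the cumulative counters on the compromised sites. The following added example (not Hornetsecurity’s own tooling) shows that computation over constructed counter snapshots; the JSON layout, the URL classification rule and the counter values are assumptions made for the example, and the grid of counters is chosen so that it reproduces the 2500/h and 25000/h loader rates reported above.

```python
import json
from datetime import datetime
from urllib.parse import urlparse

# Constructed snapshots: (ISO timestamp, JSON text mapping a download URL to the
# cumulative download counter reported by that site's statistics page). The JSON
# layout is an assumption for this example, not the real output of the PHP code.
SNAPSHOTS = [
    ("2020-07-29T10:00:00", '{"http://a.example/wp-admin/inv.doc": 1000, "http://b.example/cgi/ld.exe": 100}'),
    ("2020-07-29T12:00:00", '{"http://a.example/wp-admin/inv.doc": 29000, "http://b.example/cgi/ld.exe": 5100}'),
    ("2020-08-19T10:00:00", '{"http://a.example/wp-admin/inv.doc": 80000, "http://b.example/cgi/ld.exe": 40000}'),
    ("2020-08-19T12:00:00", '{"http://a.example/wp-admin/inv.doc": 108000, "http://b.example/cgi/ld.exe": 90000}'),
]

def classify(url: str) -> str:
    """Assumed convention: URLs serving an Office document are maldoc URLs,
    everything else serves the Emotet loader."""
    path = urlparse(url).path.lower()
    return "maldoc" if path.endswith((".doc", ".docm", ".xls", ".xlsm")) else "loader"

def hourly_rates(start, end):
    """Downloads per hour per category between two counter snapshots."""
    t0 = datetime.fromisoformat(start[0])
    t1 = datetime.fromisoformat(end[0])
    hours = (t1 - t0).total_seconds() / 3600
    old, new = json.loads(start[1]), json.loads(end[1])
    rates = {"maldoc": 0.0, "loader": 0.0}
    for url, count in new.items():
        delta = count - old.get(url, 0)
        if delta < 0:
            # Counter went backwards: the site was cleaned and reinfected, so
            # the two readings are not comparable and are skipped.
            continue
        rates[classify(url)] += delta / hours
    return rates

def loader_share(rates):
    """Fraction of all downloads in the period that fetched the loader."""
    total = rates["maldoc"] + rates["loader"]
    return rates["loader"] / total if total else 0.0

def growth_factor(old_rates, new_rates):
    """How many times higher the loader download rate is in the later period."""
    if not old_rates["loader"]:
        return float("inf")
    return new_rates["loader"] / old_rates["loader"]

if __name__ == "__main__":
    before = hourly_rates(SNAPSHOTS[0], SNAPSHOTS[1])
    after = hourly_rates(SNAPSHOTS[2], SNAPSHOTS[3])
    print(before, loader_share(before), after, loader_share(after), growth_factor(before, after))
```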

We attribute this increase to the recent changes to the Emotet packer. The new packer is not yet detected well by AV vendors. As a result, most of the new download URLs after the Emotet packer change were not detected by any vendor listed on VirusTotal:

Emotet loader download URL undetected on VirusTotal

While VirusTotal results do not represent the true dynamic detection of Emotet by AV software, the lower detection rates, especially when analyzing the download URLs for the Emotet loader, clearly suggest that the updates to the Emotet packer have indeed decreased the detection likelihood. Since many of the Emotet loader download URLs used to be flagged as malicious immediately, many security products were likely to block downloads by potential victims, thus leading to very few downloads of the Emotet loader overall.

On 2020-08-20, the Emotet loader downloads dropped to 7500 per hour, which constitutes a decrease of 70 % compared to 2020-08-19:

Download statistics with improved Emotet detection

This is likely because AV vendors are now starting to improve the detection of the new Emotet packer. At least on VirusTotal, new Emotet loader download URLs have started to be flagged again by AV vendors:

Emotet loader download URL detected again on VirusTotal

This further supports our hypothesis that the increase in Emotet loader downloads was caused by the new packer and, to a lesser extent, by the increase of Emotet loader download URLs inside the Emotet maldocs.

Conclusion and Countermeasure

Our analysis has shown the impact caused by the changes to the Emotet packer. We observed a 1000 % increase in Emotet loader downloads, which closely tracked the detection of the Emotet loader download URLs by AV vendors.

To protect against Emotet, the US CERT recommends that organizations “implement filters at the email gateway to filter out emails with known malspam indicators” [3].

Hornetsecurity’s Spam and Malware Protection, with the highest detection rates on the market, is not impacted by the updates to the Emotet packer (as the packer is never sent directly via email) and will thus continue to block all Emotet malspam indicators, such as the macro documents used for infection as well as known Emotet download URLs. Hornetsecurity’s Advanced Threat Protection extends this protection by also detecting still unknown malicious links, by dynamically downloading and executing the potentially malicious content in a monitored, sandboxed environment. Thus, even if the changes to the Emotet loader are accompanied by a change in delivery tactics, Hornetsecurity will be prepared.

In addition to blocking the incoming Emotet emails, defenders should use the publicly available information published by the Cryptolaemus team, a voluntary group of IT security people banding together to fight Emotet. They provide new information daily on their website [4]. There you can obtain the latest C2 IP list for finding and/or blocking C2 traffic. For real-time updates, you can follow their Twitter account [5].

The Hornetsecurity Security Lab publishes new figures: about 70% of all emails are unwanted

Around 300 billion e-mails are sent every day – the number of e-mails sent and received for private and business purposes is forecast to rise to 361.6 billion by 2024. However, not all e-mails that end up in users’ inboxes are wanted, and unwanted e-mails not only contain questionable advertising, but often also harmful attachments and links.

The experts of the Hornetsecurity Security Labs have analyzed how many e-mails are actually wanted by users and what dangers can lurk in their inboxes based on the e-mails received in the system for the year 2020 and have come to interesting results: Only 28% of the e-mails could be classified as “clean”, i.e. harmless by the Hornetsecurity filters – thus more than 70% of all addressed e-mails were unwanted by the recipient.

Which emails are already blocked in advance?

A total of 67% of incoming e-mails are blocked in advance by Hornetsecurity’s filter mechanisms: these e-mails are rejected for various reasons before their content is even classified as harmful or unwanted. In June 2020, the Security Lab analyzed the reasons for blocking incoming emails. Below we take a look at the most important ones.

In first place with almost 58%, are e-mails that could be classified as spam in advance using a real-time blackhole list.

In second place with 12%, are emails that try to use Hornetsecurity’s mail servers as open relay. Open relay is the process by which an email server delivers emails for which it is not responsible. For example, if example.com has an email server, it should only accept email for mustermann@example.com. An open relay server would also accept mail for other domains, such as @test.com. These open relays are often misused to send spam with fake sender addresses.

In 5.9% of the e-mails blocked by Hornetsecurity, no correct sender address could be found. This is important because cyber criminals try to hide their identity or pretend to be someone else. For example: In the case of mustermann@example.com, if the domain example.com does not exist, the email is blocked.

In 5.3% of blocked e-mails, harmful content was found. Malicious content includes attachments such as *.xls, *.doc, *.pdf that contain malware, but also links that lead to malicious or compromised web pages.
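The three connection- and envelope-level reasons above (real-time blackhole list hit, relay attempt for a domain the gateway is not responsible for, sender domain that does not exist) can all be decided before any content is inspected. The following added example, which is not Hornetsecurity’s filter code, implements that pre-filter over constructed envelopes; the check order, the in-memory stand-ins for the RBL lookup and DNS resolution, and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Envelope:
    client_ip: str   # connecting SMTP client
    mail_from: str   # envelope sender (reverse-path)
    rcpt_to: str     # envelope recipient

# Constructed stand-ins for the gateway's environment (assumptions for the example).
ACCEPTED_DOMAINS = {"example.com"}                       # domains this gateway relays for
RBL_LISTED = {"203.0.113.7"}                             # client IPs an RBL lookup would flag
RESOLVABLE = {"example.com", "example.org", "test.com"}  # sender domains that exist in DNS

def domain_of(address: str) -> str:
    """Domain part of an address, or '' if it has no local part or no '@'."""
    local, sep, domain = address.rpartition("@")
    return domain.lower() if sep and local and domain else ""

def pre_filter(env: Envelope, rbl=RBL_LISTED, dns=RESOLVABLE, accepted=ACCEPTED_DOMAINS) -> str:
    """Return the block reason, or 'accept' to hand the message on to the content filters."""
    if env.client_ip in rbl:
        return "rbl"                       # known spam source, cheapest check first
    if domain_of(env.rcpt_to) not in accepted:
        return "open_relay"                # we are not responsible for the recipient domain
    if env.mail_from in ("", "<>"):
        return "accept"                    # null reverse-path is legitimate for bounces
    sender = domain_of(env.mail_from)
    if not sender or sender not in dns:
        return "invalid_sender"            # malformed address or non-existent domain
    return "accept"

def block_breakdown(envelopes) -> dict:
    """Share of each reason among the blocked messages, as the article reports it."""
    counts = {}
    for env in envelopes:
        reason = pre_filter(env)
        if reason != "accept":
            counts[reason] = counts.get(reason, 0) + 1
    blocked = sum(counts.values())
    return {k: v / blocked for k, v in counts.items()} if blocked else {}

# Constructed sample traffic.
SAMPLE = [
    Envelope("203.0.113.7", "a@example.org", "user@example.com"),           # RBL listed
    Envelope("198.51.100.2", "b@example.org", "x@test.com"),                # relay attempt
    Envelope("198.51.100.3", "c@nx-domain.invalid", "user@example.com"),    # sender domain missing
    Envelope("198.51.100.4", "d@example.org", "user@example.com"),          # goes to content filters
]
```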

What threats are found in the emails that were not blocked in advance?

The proportion of spam, malware and other threats in the non-blocked emails is also interesting. For this evaluation, the security experts checked the total number of incoming emails minus the blocked emails.

About 10% of these analyzed e-mails were spam and about 3% were info mails. The Security Lab experts were also able to find malware in about 1% of all incoming e-mails, and just under 0.1% were only detected by Hornetsecurity’s Advanced Threat Protection. These are attacks such as CEO fraud, spearphishing, or attacks that use new types of malware, which were detected only by the Hornetsecurity ATP Sandbox and not by classic filters. Conversely, this means that more than 10% of the e-mails that are not blocked in advance contain spam or attachments and content that are harmful to the user.

Although the majority of harmful e-mails can be blocked, companies should not yet sit back and relax. Cybercriminals are constantly finding new ways to send malicious emails to users and their attacks are still often successful.