The Network: A Managed Service Provider (MSP) installed EventTracker SIEM to mitigate threats within a large hotel chain’s system in the Midwest.
The Expectation: EventTracker managed SIEM services with endpoint threat detection and response capability would deliver end-to-end protection.
The Catch: The EventTracker SOC (Security Operations Center) observed an unsafe MD5 hash and network connection activity with a malicious IP address.
The Find: We detected a connection with a poor IP address reputation due to suspicious threat activity. The EventTracker SOC analyst used the advanced logic in EventTracker SIEM, and quickly discovered that Emotet malware was active in the customer’s environment.
The Fix: The EventTracker SOC promptly alerted the MSP to the compromise. All identified malicious hashes and IP addresses were immediately moved to an unsafe list for process termination on the infected system.
As a part of the EventTracker threat intelligence distribution process, all indicators of compromise (IoC) and hashes were shared among the same business tenant to identify and thwart any present and future threats across all the MSP’s numerous clients.
The identified systems were taken off the network. Once the threats were mitigated, the systems were cleared and reconnected to the hotel chain’s network.
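A defender-side illustration of the two detections described above (an unsafe process hash and a connection to a poorly reputed IP address) and of distributing the resulting IoCs to a second tenant. This is an added example, not EventTracker's code or detection logic; the `key=value` log format, the `UnsafeList` class and every indicator value (an MD5 of a made-up byte string, TEST-NET addresses) are constructed for the example and are not real Emotet indicators.

```python
"""Match constructed endpoint/network events against an unsafe list of IoCs.

Added example, not EventTracker code. All hashes, IPs, hosts and paths are
constructed placeholders (TEST-NET ranges, MD5 of a made-up string).
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Constructed indicators: not real malware hashes or attacker infrastructure.
SAMPLE_BAD_MD5 = hashlib.md5(b"constructed sample, not real malware").hexdigest()
SAMPLE_BAD_NET = "203.0.113.0/24"  # TEST-NET-3, reserved for documentation


@dataclass
class UnsafeList:
    """Hashes and networks an analyst has marked unsafe (blocklist)."""
    hashes: set = field(default_factory=set)
    networks: list = field(default_factory=list)

    def add_hash(self, md5_hex):
        self.hashes.add(md5_hex.lower())

    def add_network(self, cidr):
        self.networks.append(ipaddress.ip_network(cidr, strict=False))

    def ip_is_unsafe(self, ip):
        """True if ip falls inside any listed network; malformed input is not a match."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in self.networks)

    def share_from(self, other):
        """Tenant-wide IoC distribution: absorb another tenant's indicators."""
        self.hashes |= other.hashes
        for net in other.networks:
            if net not in self.networks:
                self.networks.append(net)


def parse_event(line):
    """Parse a constructed 'key=value key=value' event line into a dict."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def match_events(lines, unsafe):
    """Return one alert per event that touches an unsafe hash or IP."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "unknown")
        if ev.get("type") == "process" and ev.get("md5", "").lower() in unsafe.hashes:
            alerts.append({"host": host, "indicator": ev["md5"], "reason": "unsafe_hash"})
        elif ev.get("type") == "netconn" and unsafe.ip_is_unsafe(ev.get("dst", "")):
            alerts.append({"host": host, "indicator": ev["dst"], "reason": "bad_ip_reputation"})
    return alerts


def affected_hosts(alerts):
    """Hosts to isolate from the network, deduplicated and sorted."""
    return sorted({a["host"] for a in alerts})


def build_unsafe_list():
    """The unsafe list the first tenant's analyst would have assembled."""
    unsafe = UnsafeList()
    unsafe.add_hash(SAMPLE_BAD_MD5)
    unsafe.add_network(SAMPLE_BAD_NET)
    return unsafe


# Constructed log lines for two tenants of the same MSP.
TENANT_A_LOGS = [
    "type=process host=hotel-fd-01 image=C:\\Users\\guest\\AppData\\Local\\Temp\\invoice.exe md5=" + SAMPLE_BAD_MD5,
    "type=netconn host=hotel-fd-01 dst=203.0.113.45 port=8080",
    "type=process host=hotel-fd-02 image=C:\\Windows\\System32\\svchost.exe md5=" + hashlib.md5(b"benign").hexdigest(),
    "type=netconn host=hotel-fd-02 dst=192.0.2.10 port=443",
]
TENANT_B_LOGS = [
    "type=process host=resort-pos-07 image=C:\\Users\\clerk\\Downloads\\statement.exe md5=" + SAMPLE_BAD_MD5,
]


def run_demo():
    """Detect on tenant A, share IoCs, then re-check tenant B with the shared list."""
    tenant_a = build_unsafe_list()
    alerts_a = match_events(TENANT_A_LOGS, tenant_a)
    tenant_b = UnsafeList()            # starts with no indicators of its own
    before_share = match_events(TENANT_B_LOGS, tenant_b)
    tenant_b.share_from(tenant_a)      # MSP-wide distribution step
    after_share = match_events(TENANT_B_LOGS, tenant_b)
    return {"alerts_a": alerts_a, "isolate_a": affected_hosts(alerts_a),
            "b_before": before_share, "b_after": after_share}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The second tenant produces no alert until the first tenant's indicators are shared into its list, which is the point of distributing IoCs across all of an MSP's clients rather than leaving each unsafe list isolated.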
The Lesson: User education about phishing and spear phishing campaigns is important. It is critical to deploy a managed SIEM solution with integrated endpoint threat detection and response capability to rapidly eliminate cybersecurity threats.