EclecticIQ

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

EclecticIQ Data Show Emotet Gained Momentum in Recent Months

This issue of the Analyst Prompt discusses insights about Emotet based on data collected in EclecticIQ Intelligence Center, critical business operating periods and increasing likelihood of attack, and the significant increase in zero-day exploits observed in 2021.

EclecticIQ Threat Research Team May 4, 2022

tap-8

EIQ Intelligence Center Data: Emotet Gains Momentum in Recent Months

EclecticIQ Researchers identified continued growth of the Emotet botnet’s activity based on reported botnet command and control (C2) nodes and unique payloads observed from November 2021 through April 2022.

Figure 1 below illustrates new botnet C2 nodes discovered daily and indicates Emotet operators appear to be adding new botnet nodes daily, with growth accelerating in March and April. The increase in C2 nodes likely indicates the continued growth of the botnet. It is also likely that with more nodes the botnet will become more stable, meaning takedown efforts will be difficult and require significant cooperation between law enforcement and private organizations.

bot_per_day

Figure 1 Emotet bots reported per day

Figure 2 illustrates that Emotet operators regularly compile new payloads to be delivered via phishing. The number of payloads observed in the given timeframe, at times more than 1,000 unique payloads in a 24-hour period, likely indicates an automated method for compiling payloads. Changing payloads can make it more difficult for network defenders to identify infections and respond quickly.

payloads_per_day

Figure 2 Emotet payloads reported per day

EclecticIQ Researchers assess it is likely the increasing number of C2 nodes combined with regularity of newly observed payloads that Emotet will continue to re-establish and stabilize its operations after past takedowns, while expanding the botnet’s reach and sophistication to avoid future take down attempts. Organizations should consider Emotet a growing threat especially with its previous associations with Colbalt Strike Beacons and ransomware operations.

New and Noteworthy: Ransomware Operators may Target Agriculture Organizations during Critical Operating Periods

The Federal Bureau of Investigation (FBI) issued a warning to the US Food and Agriculture sectors during planting and harvesting seasons that ransomware actors may be more likely to attack during critical planting and harvesting seasons [1]. Attacks during these periods would likely cause significant disruptions to operations, causing financial losses, and possibly disrupt the food supply chain. The FBI notes that ransomware operators may perceive these critical periods as factors that will increase the willingness to pay the ransom quickly to avoid significant disruptions.

It is likely that ransomware operators have also targeted other industries during critical periods and holidays to apply pressure to pay ransoms. The Covid-19 pandemic caused significant stress on the shipping and logistics sectors. Some ransomware operators utilized this pretext to apply additional pressure to victims to pay ransoms and recover quickly [2]. CISA released two alerts between August and November 2021 for organizations to “stay vigilant” of ransomware attacks during the holiday periods [3] [4].

EclecticIQ Researchers assess it is likely ransomware operators will utilize critical operating periods and holidays to target organizations on an increasing basis. It is important that businesses in all industries anticipate these days and prepare accordingly. This may include extra security awareness training to all employees for potential phishing lures, reviewing vulnerabilities and patch managements, and ensuring disaster recovery plans have been tested recently.

Exploit Tools and Targets: Zero-days Exploited in 2021 more than Double

According to Mandiant zero-day exploitation more than doubled in 2021 over the year prior [5]. Research found that state sponsored espionage groups primary based out of China were the most likely to utilize zero-day exploits in cyber-attacks. Financially motivated actors including ransomware groups account for about one-third of the observed exploits. Mandiant suggests that with the continued growth of the of the exploit market zero-day exploitation will continue to increase in coming years.

The increasing threat of zero-day exploitation poses a risk across most industries and sectors. However, EclecticIQ Researchers assess these exploits are most likely to be used when targeting governments, software supply chains, critical infrastructure, or large financial institutions. These organizations are more likely to have mature security practices that make using a zero-day more necessary and the kind of payoffs that are lucrative enough for the threat actor to utilize it.

It is important that organizations adopt a layered secured approach, adhere to best practices, and quickly patch vulnerabilities as quickly as possible. These measures can limit the impact from zero-day exploits.

You might also be interested in:

Microsoft Under Pressure from Zero Day Vulnerabilities and SolarWinds Targeting

Issue #05: Russo-Ukrainian Cyberattacks, and Updates on Lapsus$ and Conti Ransomware Operations

Issue #04: MuddyWater APT attributed to Iranian Ministry of Intelligence and Security, and the Increasing Global Ransomware Threat

References:

  1. https://www.ic3.gov/Media/News/2022/220420-2.pdf.
  2. https://www.nbcnews.com/tech/security/ransomware-hackers-hit-us-supply-chain-experts-warn-rcna1718.
  3. https://www.cisa.gov/uscert/ncas/current-activity/2021/11/22/reminder-critical-infrastructure-stay-vigilant-against-threats.
  4. https://www.cisa.gov/uscert/ncas/alerts/aa21-243a.
  5. https://www.mandiant.com/resources/zero-days-exploited-2021

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

You may also download the content as eiq_json, stix1_2, stix2_1.

Please refer to our support page for guidance on how to access the feeds.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.

Receive all our latest updates

Subscribe to receive the latest EclecticIQ news, event invites, and Threat Intelligence blog posts.

Explore all topics

© 2014 – 2024 EclecticIQ B.V.
EclecticIQ. Intelligence, Automation, Collaboration.
Get demo