Emotet Interrupted in Hotel Chain

The Network: A Managed Service Provider (MSP) installed EventTracker to mitigate threats within a large hotel chain’s system in the U.S. Midwest.

The Expectation: Netsurion's Co-Managed SIEM services with endpoint threat detection and response capability would deliver end-to-end protection.

The Catch: Netsurion’s SOC (Security Operations Center) observed a file with an MD5 hash flagged as unsafe, together with network connection activity to a known-malicious IP address.

The Find: We detected a connection to an IP address with a poor reputation score attributable to suspicious threat activity. Netsurion’s security analyst applied the advanced correlation logic in EventTracker and quickly discovered that Emotet malware was active in the customer’s environment.

The Fix: Netsurion’s SOC promptly alerted the MSP to the compromise. All identified malicious hashes and IP addresses were immediately added to an unsafe list, enabling termination of the associated processes on the infected system.

As part of Netsurion’s threat intelligence distribution process, all indicators of compromise (IoCs), including the hashes, were shared within the MSP’s business tenant so that the same threats could be identified and thwarted, now and in the future, across all of the MSP’s numerous clients.

The identified systems were taken off the network. Once the threats were mitigated, the systems were cleaned and reconnected to the hotel chain’s network.

The Lesson: User education about phishing and spear phishing campaigns is important. It is critical to deploy a managed SIEM solution with integrated endpoint threat detection and response capability to rapidly eliminate cybersecurity threats.