Dragos reports sustained network chatter between Emotet C2 servers and multiple auto manufacturers, with the Emotet infrastructure suspected to be controlled by the Conti ransomware group. No confirmed initial access or encryption has been observed yet; the observed activity began in December 2021 and continued through March 2022. #Emotet #Conti #Dragos #AutomotiveIndustry #SCADA #PurdueModel
Keypoints
- Dragos observes evidence of Emotet activity across several automotive manufacturers, linked to past ransomware behavior.
- Investigation follows IP addresses discussed by @ContiLeaks, suggesting potential insider knowledge about Conti.
- Observed IPs show extensive communication with Emotet C2 nodes, indicating active footholds.
- Victims span North America and Japan, including three major automakers, a domestic supplier, and an automotive component manufacturer.
- Some victims communicate with many C2 IPs, implying multiple backup controllers if some nodes fail.
- Recommendations include incident response planning, IOC hunting, monitoring C2-related TTPs, patching, backups, segmentation, least privilege, and revising IR plans.
MITRE Techniques
- [T1071.001] Web Protocols – C2 communications observed over common ports (HTTP/HTTPS) between Emotet/Conti infrastructure and potential victims. ‘frequent communication between it and a subset of IP addresses that are Emotet C2 nodes, and C2 communication over common ports such as 80 (HTTP) or 443 (HTTPS)’.
Indicators of Compromise
- [IP Address] C2 infrastructure – 82.202.192.66, 67.205.162.68, and 8 more items (Emotet C2 nodes / Conti master C2 server)
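The IOC hunt recommended above can be run as a simple aggregation over outbound flow records: match destinations against the published C2 IPs on web ports, then count how many distinct C2 nodes each internal host reaches, since the report singles out victims talking to many backup controllers. This is an added example written for this summary, not Dragos's tooling; the flow records are constructed, and only the two C2 IPs quoted in the report are included (the rest of the list is not reproduced here).

```python
"""IOC hunt over constructed flow records: flag internal hosts that talk to
known Emotet C2 IPs over web ports and count distinct C2 nodes per host.
Example code written for this summary, not Dragos's tooling."""
from collections import defaultdict
import csv
import io

# C2 IPs quoted in the report; the remaining indicators are not reproduced here.
EMOTET_C2_IPS = {"82.202.192.66", "67.205.162.68"}
WEB_PORTS = {80, 443}

# Constructed sample flows (not real telemetry): ts, src_ip, dst_ip, dst_port.
# 198.51.100.20 is a TEST-NET-2 address standing in for benign traffic.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port
2022-02-01T10:00:00Z,10.20.5.17,82.202.192.66,443
2022-02-01T10:05:00Z,10.20.5.17,82.202.192.66,443
2022-02-01T10:10:00Z,10.20.5.17,67.205.162.68,80
2022-02-01T10:12:00Z,10.20.5.42,67.205.162.68,443
2022-02-01T10:15:00Z,10.20.5.99,198.51.100.20,443
2022-02-01T10:20:00Z,10.20.5.17,198.51.100.20,8443
"""

def parse_flows(text):
    """Yield (src_ip, dst_ip, dst_port) tuples from CSV flow records."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["src_ip"], row["dst_ip"], int(row["dst_port"])

def hunt_c2(flows, c2_ips=EMOTET_C2_IPS, web_ports=WEB_PORTS):
    """Return {src_ip: {"hits": n, "c2_nodes": [sorted distinct C2 IPs]}}
    for hosts whose web-port traffic reaches a known C2 node."""
    hits = defaultdict(lambda: {"hits": 0, "c2_nodes": set()})
    for src, dst, port in flows:
        if dst in c2_ips and port in web_ports:
            hits[src]["hits"] += 1
            hits[src]["c2_nodes"].add(dst)
    return {h: {"hits": v["hits"], "c2_nodes": sorted(v["c2_nodes"])}
            for h, v in hits.items()}

def multi_c2_hosts(report, min_nodes=2):
    """Hosts reaching at least `min_nodes` distinct C2 IPs: the backup-controller
    pattern the report describes, and a sensible triage priority."""
    return sorted(h for h, v in report.items() if len(v["c2_nodes"]) >= min_nodes)

if __name__ == "__main__":
    report = hunt_c2(parse_flows(SAMPLE_FLOWS))
    for host, info in sorted(report.items()):
        print(host, info)
    print("multi-C2 hosts:", multi_c2_hosts(report))
```

Feed it real flow or proxy logs by replacing `SAMPLE_FLOWS` with the exported records and `EMOTET_C2_IPS` with the full indicator list from the report.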