Emotet hits critical infrastructure providers in Australia

Emotet hits critical infrastructure providers in Australia

The Australian Signals Directorate’s Australian Cyber Security Centre reported a series of ongoing cyber-attacks on a variety of sectors in the Australian economy, including critical infrastructure providers and government agencies. According to an advisory, the agency has detected a widespread campaign of malicious emails designed to spread the Emotet malware.

“Attempts to compromise Australian businesses and organizations are ongoing and pose a significant risk to Australian entities,” the ACSC advisory says.

Emotet is a kind of malware used to give hackers access to networks from which they can enact additional attacks, often including the deployment of ransomware. The goal is to get users to open or click a malicious download link, PDF, or macro-enabled Microsoft Word document. The ACSC has received reports of Emotet being spread through both untargeted bulk spam emails and  highly targeted spear-phishing emails.

“Upon infection of a machine, Emotet attempts to spread within a network by brute-forcing user credentials, and writing to shared drives. Emotet has been observed downloading a secondary malware, called Trickbot, onto infected machines,” the ACSC advisory says. “Trickbot is a modular multi-purpose command-and-control (C2) tool that allows an attacker to harvest emails and credentials, move laterally within a network using exploits like EternalBlue, and deploy additional malware to the infected network.”

So far, the ACSC is aware of at least 19 successful Emotet infections in Australia. It is believed that an Emotet infection was behind the Ryuk ransomware attacks on the Victorian health sector.

Those who fall victim to Emotet can experience temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to their organization’s reputation.

”The ACSC is working closely with state and territory governments to limit the spread of this computer virus and to provide technical advice and assistance and to support organizations that are affected,” ACSC head Rachel Noble said in a release. “Cyber criminals use malware for different reasons, most commonly to steal personal or valuable information from which they can profit, hold recipients to ransom or install damaging programs onto devices without your knowledge.”

Last July, the United States Cybersecurity and Infrastructure Security Agency released an alert on the Emotet malware. According to the alert, Emotet was used in a campaign to imitate PayPal receipts, shipping notifications, or “past-due” invoices.

“Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors,” the alert said. “Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”

In order to protect themselves from these attacks there are several steps organizations can take. The ACSC recommends blocking macros from the internet, and only allowing the execution of vetted and whitelisted macros. Cybersecurity teams should also conduct a full network scan using a vulnerability management tool to search for known Emotet/Trickbot hashes to ensure network integrity.

Organization should also send out alerts or implement education programs to raise awareness about the dangers of opening attachments on unusual emails and how to spot suspicious emails.

It’s also important for organizations to create a response plan to ensure they are prepared in the event of an Emotet infection. In preparation, IT personnel should maintain isolated offline backups of the organization’s network to allow recovery in the event of widespread infection, or the deployment of ransomware. If infected, affected machines and networks should be immediately quarantined and disconnected from the internet.

 

Featured

Author

Join 10,000 OT/ICS Security professionals and get the latest industrial cybersecurity news and insights direct to your inbox.