Analysis
Industrial Cyber Attacks
Medical

Emotet hits critical infrastructure providers in Australia

October 28, 2019
Emotet hits critical infrastructure providers in Australia

The Australian Signals Directorate’s Australian Cyber Security Centre reported a series of ongoing cyber-attacks on a variety of sectors in the Australian economy, including critical infrastructure providers and government agencies. According to an advisory, the agency has detected a widespread campaign of malicious emails designed to spread the Emotet malware.

“Attempts to compromise Australian businesses and organizations are ongoing and pose a significant risk to Australian entities,” the ACSC advisory says.

Emotet is a kind of malware used to give hackers access to networks from which they can enact additional attacks, often including the deployment of ransomware. The goal is to get users to open or click a malicious download link, PDF, or macro-enabled Microsoft Word document. The ACSC has received reports of Emotet being spread through both untargeted bulk spam emails and  highly targeted spear-phishing emails.

“Upon infection of a machine, Emotet attempts to spread within a network by brute-forcing user credentials, and writing to shared drives. Emotet has been observed downloading a secondary malware, called Trickbot, onto infected machines,” the ACSC advisory says. “Trickbot is a modular multi-purpose command-and-control (C2) tool that allows an attacker to harvest emails and credentials, move laterally within a network using exploits like EternalBlue, and deploy additional malware to the infected network.”

So far, the ACSC is aware of at least 19 successful Emotet infections in Australia. It is believed that an Emotet infection was behind the Ryuk ransomware attacks on the Victorian health sector.

Those who fall victim to Emotet can experience temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to their organization’s reputation.

[optin-monster-shortcode id=”dv4jqlr9fih8giagcylw”]

”The ACSC is working closely with state and territory governments to limit the spread of this computer virus and to provide technical advice and assistance and to support organizations that are affected,” ACSC head Rachel Noble said in a release. “Cyber criminals use malware for different reasons, most commonly to steal personal or valuable information from which they can profit, hold recipients to ransom or install damaging programs onto devices without your knowledge.”

Last July, the United States Cybersecurity and Infrastructure Security Agency released an alert on the Emotet malware. According to the alert, Emotet was used in a campaign to imitate PayPal receipts, shipping notifications, or “past-due” invoices.

“Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors,” the alert said. “Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”

In order to protect themselves from these attacks there are several steps organizations can take. The ACSC recommends blocking macros from the internet, and only allowing the execution of vetted and whitelisted macros. Cybersecurity teams should also conduct a full network scan using a vulnerability management tool to search for known Emotet/Trickbot hashes to ensure network integrity.

Organization should also send out alerts or implement education programs to raise awareness about the dangers of opening attachments on unusual emails and how to spot suspicious emails.

It’s also important for organizations to create a response plan to ensure they are prepared in the event of an Emotet infection. In preparation, IT personnel should maintain isolated offline backups of the organization’s network to allow recovery in the event of widespread infection, or the deployment of ransomware. If infected, affected machines and networks should be immediately quarantined and disconnected from the internet.

 

Vidya Lakshmi
IndustrialCyber Editor & Features Vidya is a freelance journalist with over 10 years of experience in business journalism. She started her career reporting on U.S. equities markets and later moved to niche financial news. She developed an interest in ICS cybersecurity after researching some incidents and reading about it online.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow's emergency detection systems
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Continuous need to face challenges, build strategies across industrial cybersecurity amidst evolving threats
Continuous need to face challenges, build strategies across industrial cybersecurity amidst evolving threats