The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) is responding to a widespread malware campaign known as Emotet.
Emotet is a Trojan virus delivered via emails sent with malicious attachments. These emails often contain language about “Your Invoice,” or “Payment Details,” and carry either macro-enabled documents, or malicious links that could execute the payload if clicked.
Most viruses and malware are fairly easy to detect and shut down, however, the way Emotet is engineered to hide and propagate throughout networks rapidly. For an organisation, this means it’ll likely take just 1 user to get infected.
Emotet malware is spread when unsuspecting email users click on links or open files containing malicious code. Trojan viruses like Emotet appear as normal files but include hidden information allowing cybercriminals to access sensitive information and often take control of devices or systems.
Email users (which is basically everyone) should now be extremely vigilant when opening emails and attachments. Traditional advice of not opening attachments from people you don’t know isn’t actually that effective.
If Emotet infects a machine, it’ll likely use other vulnerabilities to exploit user accounts, access address books and send on the virus to other people you know. This means email containing the malicious code, could present as being from someone you know.
“Due to the scale of the campaign, and the risk of economic impact, the National Cyber Security Committee (NCSC) has activated the national Cyber Incident Management Arrangements (CIMA) to Level 3 – Alert”.Head of the ACSC, Rachel Noble
Unless you’re an employed in the information security industry, I expect you’re not exactly familiar with the CIMA security levels.
Cyber Incident Management Arrangement levels range from Level 5 (normal) to Level 1, being the most severe. Elevating the current level up to Level 3 is an important move and signifies the seriousness of Emotet.
- Level 5: Normal Conditions
- Level 4: Lean Forward
- Level 3: Alert
- Level 2: National Cyber Incident
- Level 1: National Cyber Crisis
The CIMA provides the foundation for coordinating the Government’s response to national cyber incidents.
“The ACSC is working closely with state and territory governments to limit the spread of this computer virus and to provide technical advice and assistance and to support organisations that are affected.
Cyber criminals use malware for different reasons, most commonly to steal personal or valuable information from which they can profit, hold recipients to ransom or install damaging programs onto devices without your knowledge”.Head of the ACSC, Rachel Noble
The ongoing campaign uses both targeted and untargeted ‘phishing’ emails to spread the virus. Last week, ThreatPost confirmed Emotet is being used as a delivery vector for more dangerous payloads, such as TrickBot and other ransomware like Ryuk.
“If Emotet infects your computer, it will open up a backdoor that will allow the cybercriminal to inject ransomware that could freeze your network.”Head of the ACSC, Rachel Noble
Unfortunately, some impacted organisations are paying the ransom. Never pay the ransom. There is no guarantee that paying the ransom will fix your computer, and it could make you vulnerable to further attacks. Restore your files from backup and seek technical advice.
The threat is real but there is something you can do about it. While it seems there is no quick easy fix for this, there are things IT Administrators can do to help protect their organisations.
To prevent malware infection, the ACSC recommends Australian critical infrastructure, business and government organisations take the following steps immediately:
- block macros
- alert staff to the virus and what to look for
- maintain firewalls
- scan your network
- develop an incident response plan
- maintain offline backups
- implement complementary security controls.
Below are detailed explanations of each of these steps.
Where possible, the ACSC recommends blocking macros from the internet and only allowing the execution of vetted and whitelisted macros.
In most cases, Emotet’s initial infection of a network is via an embedded macro in a Microsoft Office document. Disabling all unknown macros can significantly reduce your network’s risk-surface.
Consider sending out an organisation-wide alert to raise awareness of the dangers associated with opening attachments on unusual emails. Consider implementing an education program to improve staff awareness of cybersecurity, or how to spot suspicious emails (cyber.gov.au/advice/improving-staff-awareness).
Apply the latest Indicators of Compromise (IOCs) to your organisation’s gateway and firewalls for both inbound and outbound traffic.
Consider doing a full network scan using a vulnerability management tool to search for known Emotet/Trickbot hashes to ensure network integrity.
Develop a plan
Create a response plan to allow your organisation to respond in the event of an Emotet infection. Most importantly, affected machines/networks should be immediately quarantined and disconnected from the internet.
Maintain offline backups
Consider maintaining isolated offline backups of your network to allow recovery in the event of a widespread infection or the deployment of ransomware.
Implement complementary security controls
The ACSC strongly recommends the implementation of the ASD Essential 8 mitigations to mitigate threats to internet-facing systems. (More information is available at cyber.gov.au/publications/essential-eight-explained)
Specifically for this vulnerability, maintaining a regular patch process restricts the availability of exploits that Emotet can use to move laterally within a network, limiting infection. Restricting administrative permissions similarly reduces the likelihood of administrative accounts being utilised by an attacker.
If you have questions about this advice or have indications that your environment has been compromised, contact the ACSC by emailing firstname.lastname@example.org or calling 1300 CYBER1 (1300 292 371).
Organisations requiring further assistance or advice regarding malware can contact the ACSC by emailing ASD.Assist@defence.gov.au.
While businesses have to keep devices safe, you as an individual at home should also adopt some of these practices. The Stay Smart Online website provides some good advice about Emotet here.
Another great source for the latest information on Emotet is available at Malware Bytes.
Reporting a cybersecurity incident
I hope you never get infected by malicious software like Emotet, but if you are, you need to report it. Individuals and small businesses can report a cybersecurity incident to the ACSC via ReportCyber.