Australian businesses should block the use of macros, double-check their contingency plans and alert staff of the risks of infection, the Australian Cyber Security Centre (ACSC) has warned after noting an “ongoing and widespread campaign” of phishing emails that has already infected dozens of companies with the virulent Emotet malware.
Emotet is usually spread via embedded URLs or Microsoft Word email attachments which, when opened, leverage the macro capabilities of the Microsoft Office suite to download and install the malware.
The malware then scans the network and uses credential brute-forcing techniques to infect other machines, providing a command-and-control infrastructure that enables the installation of ransomware, credential stealers, or other malware.
“It’s extremely easy for people to fall prey to the Emotet botnet, as carefully crafted phishing emails can even come from trusted email contacts,” Webroot security analyst Tyler Moffitt, who warned that “the recent spread of Emotet should worry Australian business owners and consumers”.
“An infected computer can give hackers direct access to personal information and banking credentials, and it’s common for hackers to even lock up computer systems for ransom. Users should maintain a strong scepticism.”
At least 19 different organisations have recently been infected with Emotet, according to the ACSC, which in a new advisory credited the malware with the recent Ryuk ransomware attack that brought several Victorian hospitals offline.
“Attempts to compromise Australian businesses and organisations are ongoing and pose a significant risk to Australian entities,” the advisory warned, noting that “critical infrastructure providers and government agencies” had already been hit.
“Maintaining a regular patch process restricts the availability of exploits that Emotet can use to move laterally within a network,” the ACSC advised, “limiting infection. Restricting administrative permissions similarly reduces the likelihood of administrative accounts being utilised by an attacker.”
Emotet has been linked with high-volume attacks in the past, with CrowdStrike’s Global Threat Report 2019 noting a single phishing campaign that impacted more than 270 of its customers. That campaign was attributed “with high confidence” to a cybercrime group it called MUMMY SPIDER – which, its analysis noted, has put itself at the centre of an expanding web of partnerships that use Emotet as a conduit for malware like TrickBot, BokBot, Ryuk, TinyLoader, TinyPOS, BitPaymer, Dridex, and FrameworksPOS.
Emotet, then, is a lead indicator for other types of malware attacks. And as it becomes more common, the warning was another opportunity for the agency to hammer home the importance of compliance with the Australian Signals Directorate’s Essential Eight security practices.
It also advised a range of precautionary actions including alerting staff; maintaining firewalls with the newest indicators of compromise; doing a full network scan; developing a response plan that includes immediately quarantining and disconnecting infected devices from the Internet; maintaining offline backups to speed recovery if necessary; and implementing complementary controls.
The re-emergence of “one of the most disruptive threats in 2018” is a concern for businesses, Proofpoint Australia Country Manager Crispin Kerr said, warning that “a growing number of potentially compromised devices could provide access to a range of sensitive confidential information, intellectual property, research, financial accounts, network credentials, and more to threat actors.”
Companies should use a layered threat defence at the email gateway “to prevent delivery of these messages,” he added, “and use robust user training programs to help potential victims recognise malicious mail.”
Proactivity around email security has consistently emerged as a key protection for businesses that face a growing threat from ransomware attacks.
Many businesses seem to have accepted ransomware levies as a cost of doing business in this day and age, with a recent Telstra review finding that half of Australian firms simply pay the ransom and get on with their business.
Cybercriminals like those odds, particularly since many businesses increasingly rely on cyber insurance policies to cover the ransom costs. This dynamic has led some to blame insurance companies for indirectly fuelling the ongoing depredations of ransomware.