Over the past few weeks, we have identified a number of organisations and government agencies impacted by a new generation of a previously seen banking trojan known as Emotet. Given the widespread nature of this attack and its significant impact, we are issuing this public update.
There are a number of technical indicators of compromise which confirm the presence of Emotet. However, practically speaking, organisations will usually first become aware that they are impacted by the presence of malicious emails being sent to internal employees and external clients from an external sender, purporting to be the organisation.
The malicious email will usually contain an email trail of a previous conversation, with a document attached in one of several formats (.doc, .docx, .pdf). Once the document is opened, the malware will propagate throughout the recipient's network. In short: DO NOT OPEN THE ATTACHMENT.
If opened, the attack rapidly spreads. This is because the contents of emails in the mailbox of the user who opened the attachment are scraped, and emails containing the same malicious attachment are then automatically forwarded to all parties to those conversations. We have seen this wave of malicious spam continue even after the affected organisation has secured its own environment and removed Emotet from its systems, meaning that the risk of third-party infection as a result of an organisation being hit continues to persist.
In addition to malicious spam activity, we are also seeing Emotet used to install other forms of malware such as Trickbot, or deploy ransomware strains such as Ryuk.
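The pattern described above (an external sender purporting to be the organisation, replying into an existing thread with an Office or PDF attachment) can be triaged from mail-gateway metadata. The following is an added example, not code from the original advisory or any of the bodies it cites; the organisation domain, the record layout and the sample messages are constructed assumptions.

```python
import re

ORG_DOMAIN = "example.org"                     # assumed: the organisation's own mail domain
RISKY_ATTACHMENTS = (".doc", ".docx", ".pdf")  # attachment types named in the advisory
REPLY_RE = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)
ADDR_RE = re.compile(r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<(?P<addr>[^>]+)>\s*$')

# Constructed gateway records for illustration, not real messages.
SAMPLE_MESSAGES = [
    {"from": "Jane Smith <jane.smith@example.org>", "return_path": "bounce-1@mail-relay.example",
     "subject": "RE: Invoice October", "attachments": ["Invoice_1234.doc"]},
    {"from": "accounts@example.org <news@free-mail.example>", "return_path": "news@free-mail.example",
     "subject": "Payment details", "attachments": ["Details.pdf"]},
    {"from": "Jane Smith <jane.smith@example.org>", "return_path": "jane.smith@example.org",
     "subject": "RE: Invoice October", "attachments": ["Invoice_1234.docx"]},
    {"from": "Supplier <billing@supplier.example>", "return_path": "billing@supplier.example",
     "subject": "Statement", "attachments": ["Statement.pdf"]},
]

def split_address(header):
    """(display name, address) for 'Name <addr>' or a bare 'addr'."""
    m = ADDR_RE.match(header)
    return (m.group("name") or "", m.group("addr").strip()) if m else ("", header.strip())

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def flag_message(msg, org_domain=ORG_DOMAIN):
    """Return (flagged, reasons): flagged when the sender purports to be the organisation
    but the mail did not originate there, and a risky attachment type is present."""
    name, addr = split_address(msg["from"])
    return_domain = domain_of(split_address(msg["return_path"])[1])
    reasons = []
    if domain_of(addr) == org_domain and return_domain != org_domain:
        reasons.append("header_from_spoof")    # our domain in From, bounces go elsewhere
    elif domain_of(addr) != org_domain and org_domain in name.lower():
        reasons.append("display_name_spoof")   # our domain appears only in the display name
    if REPLY_RE.match(msg["subject"]):
        reasons.append("reply_chain")          # hijacked thread, supporting evidence only
    if any(a.lower().endswith(RISKY_ATTACHMENTS) for a in msg["attachments"]):
        reasons.append("risky_attachment")
    return any(r.endswith("_spoof") for r in reasons) and "risky_attachment" in reasons, reasons

def triage(messages, org_domain=ORG_DOMAIN):
    hits = []
    for msg in messages:
        flagged, reasons = flag_message(msg, org_domain)
        if flagged:
            hits.append((msg["subject"], reasons))
    return hits
```

Legitimate forwarding services and mailing lists also produce From/Return-Path mismatches, so treat hits as a review queue rather than a block list, and prefer the gateway's SPF/DKIM verdicts over the Return-Path comparison where they are recorded.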
Who has been impacted?
It has been publicly reported that the public and private health service industry in Victoria has been heavily impacted.
Beyond the 19 publicly reported incidents, we have seen a number of organisations impacted throughout Australia, New Zealand and the wider APAC region, across a range of sectors including healthcare, retail and professional services.
What do you need to do?
If you suspect or believe you are impacted by Emotet, you need to very quickly:
- Isolate affected machines from the network to prevent the spread of malware within your organisation's systems. Assess the scope of the impact on your network including what information may be at risk.
- Warn your employees of the potential that they may receive malicious emails and train them not to click on malicious links or attachments. If they are unsure, they should speak with your IT team or contact the sender to confirm the authenticity of the email.
- As with your employees, notify all parties to all emails contained within affected mailboxes to remain vigilant to malicious emails and not to click on malicious links or attachments. This needs to be done quickly but without causing undue alarm.
While the focus is on containment, remediation and notification of potential recipients of emails, an assessment of whether the incident is an Eligible Data Breach under the Privacy Act 1988 (Cth) should be carried out at the same time. Statutory investigation and notification timeframes apply, so this needs to be done expeditiously.
If you have cyber insurance, contact your insurer to obtain assistance from expert vendors to support your response.
Where do you go for more information?
We commend the ACSC and DPC VIC for leading the national and regional response to this incident and providing real time updates on the impact to government and the private sector.
More information is available here:
- For indicators of compromise: https://www.cyber.gov.au/threats/2019-130-emotet-malware-campaign
- For steps you can take to prevent malware: https://www.staysmartonline.gov.au/alert-service/widespread-emotet-malicious-software-targeting-businesses-and-individuals
- For US intelligence from the Department of Homeland Security: https://www.us-cert.gov/ncas/alerts/TA18-201A
Additional resources from well-known security providers such as Crowdstrike, Carbon Black, Sophos, Symantec are available online.