Australian Govt agency ACSC warns of Emotet and BlueKeep attacks

Pierluigi Paganini November 11, 2019

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) warns businesses and netizens of Emotet and BlueKeep attacks in the wild.

The ACSC is warning organizations and individuals of a wave of cyberattacks exploiting the Windows BlueKeep vulnerability to deliver cryptocurrency miners.

“The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), with its state and territory partners, is continuing to respond to the widespread malware campaign known as Emotet while responding to reports that hackers are exploiting the BlueKeep vulnerability to mine cryptocurrency.” reads the advisory published by the ACSC.

The alert follows one issued by Microsoft, which warned of further BlueKeep attacks that could deliver more disruptive payloads and urged organizations to patch their systems.

The Australian agency also warns of Emotet campaigns that in recent months have hit the country, posing a significant threat to both organizations and government offices.

The Cyber Incident Management Arrangements (CIMA) remain active even though the alert has been downgraded to Level 4 – ‘Lean Forward’ (CIMA Level 4 calls for a precautionary approach through increased monitoring, analysis, and strategic coordination and engagement at the national level).

At the end of October, the CIMA had been activated at Level 3 in response to the Emotet campaigns.

The ACSC announced the activation of Australia’s CIMA to Level 3 – ‘Alert’ on 25 October 2019, in response to the widespread exploitation of vulnerable systems by the Emotet malware. The threat posed by this malicious software required immediate action at the national level to ensure Australian organisations, from critical infrastructure providers to small businesses, receive mitigation advice to protect their networks. 

“There are two concerning cyber security threats in the wild. While we have seen a drop in the number of Emotet infections in the last week, people and businesses should remain vigilant,” said Head of the ACSC, Rachel Noble PSM.

“We are also concerned about reports cybercriminals are exploiting the BlueKeep vulnerability to access computers and control them without the users’ knowledge.”

Recently, researchers warned of the first mass-hacking campaign exploiting the BlueKeep vulnerability; the attack aimed at installing a cryptocurrency miner on the infected systems. The popular expert Kevin Beaumont observed some of his EternalPot RDP honeypots crashing after being attacked.

https://twitter.com/GossiTheDog/status/1190654984553205761

The popular expert Marcus Hutchins analyzed data shared by Beaumont and confirmed that the honeypot systems had been hit by attackers leveraging a BlueKeep exploit to deliver a Monero miner.

The vulnerability, tracked as CVE-2019-0708, impacts Windows Remote Desktop Services (RDS) and was addressed by Microsoft with the May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw that malware authors could exploit to create malicious code with WannaCry-like capabilities.

As Microsoft explained, the vulnerability can be exploited without any user interaction, so malware with wormable capabilities could use it to spread in an uncontrolled way across target networks.
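The practical question for a defender reading the advisory is which hosts still need attention. The script below is an added example (not from the ACSC, Microsoft or this article) that triages a constructed inventory export for BlueKeep exposure: a host is ranked by whether its Windows version is in the affected set, whether the fixing update is installed, whether Remote Desktop Services is listening, and whether Network Level Authentication is enforced. The inventory format is an assumption, and the `REQUIRED_UPDATE` entries are labelled placeholders that must be replaced with the KB numbers Microsoft lists for CVE-2019-0708 on each platform.

```python
"""Inventory triage for BlueKeep (CVE-2019-0708) exposure.

Added example, not from the ACSC advisory, Microsoft or the article. The
inventory format is an assumption; REQUIRED_UPDATE holds labelled
placeholders that must be replaced with the KB numbers Microsoft lists for
CVE-2019-0708 for each platform.
"""
from dataclasses import dataclass

# Platforms Microsoft listed as affected by CVE-2019-0708 (Windows 8 and later are not affected).
AFFECTED_OS = {
    "Windows XP", "Windows Server 2003",
    "Windows 7", "Windows Server 2008", "Windows Server 2008 R2",
}

# PLACEHOLDER values: substitute the fixing update for each platform from Microsoft's advisory.
REQUIRED_UPDATE = {
    "Windows XP": "KB-PLACEHOLDER-XP",
    "Windows Server 2003": "KB-PLACEHOLDER-2003",
    "Windows 7": "KB-PLACEHOLDER-WIN7",
    "Windows Server 2008": "KB-PLACEHOLDER-2008",
    "Windows Server 2008 R2": "KB-PLACEHOLDER-2008R2",
}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    rdp_enabled: bool           # Remote Desktop Services is listening
    nla_required: bool          # Network Level Authentication is enforced
    installed_updates: frozenset


def assess(host: Host) -> str:
    """Classify one host into an exposure tier (see URGENCY for the ordering)."""
    if host.os not in AFFECTED_OS:
        return "not-affected"
    if REQUIRED_UPDATE[host.os] in host.installed_updates:
        return "patched"
    if not host.rdp_enabled:
        # Still needs the update: the service can be switched on later.
        return "unpatched-rdp-off"
    if host.nla_required:
        # NLA requires authentication before the vulnerable code is reached,
        # which blocks the unauthenticated wormable path but is not a fix.
        return "unpatched-nla"
    return "exposed"  # unauthenticated network path open: patch or isolate now


URGENCY = ["exposed", "unpatched-nla", "unpatched-rdp-off", "patched", "not-affected"]


def triage(hosts) -> dict:
    """Group host names by tier, most urgent tier first."""
    tiers = {tier: [] for tier in URGENCY}
    for host in hosts:
        tiers[assess(host)].append(host.name)
    return tiers


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Host("fs01", "Windows Server 2008 R2", True, False, frozenset()),
    Host("app02", "Windows 7", True, True, frozenset({"KB-OTHER"})),
    Host("kiosk03", "Windows 7", False, False, frozenset()),
    Host("db04", "Windows Server 2008 R2", True, False, frozenset({"KB-PLACEHOLDER-2008R2"})),
    Host("web05", "Windows Server 2016", True, True, frozenset()),
]

if __name__ == "__main__":
    for tier, names in triage(SAMPLE_INVENTORY).items():
        print(f"{tier:18s} {', '.join(names) or '-'}")
```

Hosts in the `exposed` tier are the ones the advisory is about: unpatched, listening, and reachable without credentials. The tiers below it are not safe, only less urgent, and every host outside `patched` and `not-affected` still needs the update.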

The ACSC also warns about the Emotet threat, a banking trojan that has been active since 2014.

Earlier in 2019, security experts had not detected any Emotet activity after early April, when researchers at Trend Micro uncovered a malware campaign distributing a new Emotet Trojan variant that compromises devices and uses them as proxy C2 servers. Experts at Talos found that in April 2019 Emotet was using hijacked email conversations in only 8.5% of its infection attempts. The situation has since changed: in the latest campaign, stolen email threads appeared in nearly one quarter of Emotet’s outbound emails.

The threat returned in September with an active spam distribution campaign. Researchers from Malwarebytes observed the Trojan start pumping out spam; the messages initially targeted users in Germany, Poland, Italy and the US. The campaign went on to target users in Austria, Switzerland, Spain, the United Kingdom, and the United States.

The researchers observed that hundreds of thousands of messages were sent as part of this distribution effort.

The most notable characteristic of this campaign is the reuse of stolen email content to trick recipients into opening attachments or clicking on links pointing to weaponized Word documents that were used to fetch and execute Emotet.
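Reply-chain lures are hard to catch with sender reputation alone, because the quoted thread is genuine. The script below is an added example (not from the article, Malwarebytes, Talos or the ACSC) showing one triage heuristic for the technique described above: it parses a message with Python's standard `email` package, extracts the correspondents named in quoted `From:` lines, and raises a score when a reply reuses a display name from that thread while arriving from an address that never appeared in it, and again when a Word document is attached. The scoring rules, threshold and sample messages are constructed assumptions; the stolen-thread messages here are fabricated for the test, not real campaign artefacts.

```python
"""Heuristic triage for Emotet-style reply-chain lures (stolen thread reuse).

Added example, not part of the article or of any ACSC guidance. The scoring
rules, thresholds and sample messages are constructed assumptions for
illustration; tune them against your own mail telemetry.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Word document extensions seen as lure attachments (assumption: not exhaustive).
OFFICE_ATTACHMENT_RE = re.compile(r"\.(docm?|dotm?|rtf)$", re.IGNORECASE)
# "From:" lines inside quoted (">") text identify the participants of the original thread.
QUOTED_FROM_RE = re.compile(r"^>+\s*From:\s*(.+)$", re.IGNORECASE | re.MULTILINE)
REPLY_PREFIXES = ("RE:", "AW:", "FW:", "FWD:", "SV:")
FLAG_THRESHOLD = 3  # assumption: tune to your false-positive tolerance


def score_message(raw: bytes) -> dict:
    """Score one RFC 5322 message and return the reasons behind the score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_name, sender_addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part else ""

    score, reasons = 0, []
    quoted = [parseaddr(line) for line in QUOTED_FROM_RE.findall(text)]
    quoted_names = {name.strip().lower() for name, _ in quoted if name}
    quoted_addrs = {addr.lower() for _, addr in quoted if addr}

    if subject.upper().startswith(REPLY_PREFIXES) and quoted_addrs:
        score += 1
        reasons.append("reply-subject-with-quoted-thread")
        # The lure reuses a real correspondent's display name, but the message
        # comes from an address that never appeared in the quoted thread.
        if (sender_name.strip().lower() in quoted_names
                and sender_addr.lower() not in quoted_addrs):
            score += 2
            reasons.append("sender-name-in-thread-but-address-not")

    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if OFFICE_ATTACHMENT_RE.search(filename):
            score += 2
            reasons.append(f"office-attachment:{filename}")

    return {"from": sender_addr, "subject": subject, "score": score,
            "reasons": reasons, "flagged": score >= FLAG_THRESHOLD}


def build_sample(from_header: str, subject: str, text: str, attachment_name=None) -> bytes:
    """Construct a sample message (test data only; not a real campaign artefact)."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content(text)
    if attachment_name:
        # A few bytes standing in for a document; the content is irrelevant here.
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="msword", filename=attachment_name)
    return m.as_bytes()


# Constructed quoted thread shared by the samples below.
THREAD = ("Hi Bob, resending the paperwork.\n\n"
          "> From: Alice Smith <alice@example.com>\n"
          "> Sent: Monday\n"
          "> Subject: Invoice 4471\n"
          "> Please find the invoice attached.\n")

SAMPLES = {
    # Stolen thread, familiar display name, unrelated sending address, Word attachment.
    "lure": build_sample('"Alice Smith" <alice@mail-relay.example.net>',
                         "RE: Invoice 4471", THREAD, "Invoice_4471.doc"),
    # Same thread from the real correspondent, no attachment.
    "genuine": build_sample("Alice Smith <alice@example.com>", "RE: Invoice 4471", THREAD),
    # Cold message with an attachment but no stolen thread: below the threshold.
    "cold": build_sample("Unknown <x@example.org>", "Invoice", "See attached.", "Invoice.doc"),
}


def triage_samples() -> dict:
    """Score every constructed sample, keyed by its label."""
    return {name: score_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(f"{name:8s} flagged={result['flagged']} score={result['score']} {result['reasons']}")
```

The name/address mismatch is the signal that matters here: a genuine reply from a compromised mailbox would pass it, so the heuristic is a triage aid for analysts and mail-gateway rules, not a replacement for macro blocking and attachment sandboxing.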

“While we have helped many organisations mitigate the impact of Emotet in its current form, like most forms of malware and ransomware, Emotet may continue to evolve as cybercriminals seek to evade detection and the law.” Noble added.

“I urge all Australians to remain vigilant about Emotet, BlueKeep and other forms of viruses or vulnerabilities. The threat is real, but there is something you can do about it,” Ms Noble said.

The ACSC also provides technical advice on Emotet to allow organizations to adopt necessary countermeasures against the threat.


Pierluigi Paganini

(SecurityAffairs – BlueKeep, malware)
