The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), together with state and territory partners, warns businesses and individuals that Emotet and BlueKeep threats are active in the wild.
The ACSC urges vigilance as attackers have started exploiting the Windows BlueKeep vulnerability on unpatched systems to infect them with coin miners.
Also, while the Emotet campaigns the ACSC previously warned about in late October have slowly wound down over the last week, Emotet still represents a significant threat to both organizations and the general population.
“There are two concerning cyber security threats in the wild. While we have seen a drop in the number of Emotet infections in the last week, people and businesses should remain vigilant,” Head of the ACSC, Rachel Noble PSM said.
“We are also concerned about reports cybercriminals are exploiting the BlueKeep vulnerability to access computers and control them without the users’ knowledge.”
Ongoing Emotet and BlueKeep campaigns
News about hackers actively exploiting Windows devices not patched against the BlueKeep vulnerability broke on November 2 after security researcher Kevin Beaumont noticed that his honeypots were crashing because of BlueKeep attacks, as later confirmed by security researcher Marcus Hutchins.
BlueKeep (CVE-2019-0708) is a serious security issue affecting Windows 7, Windows Server 2008 R2, and Windows Server 2008 that can enable malware to spread between connected systems without user intervention. The issue was patched by Microsoft on May 14, with security companies and governments issuing a wave of alerts about its severity.
However, vulnerable Windows systems belonging to home users are not currently tracked, and they are potentially the most exposed to attacks, given that security is not always at the top of the list for consumers.
The second cybersecurity threat the ACSC warns about is Emotet, a banking trojan first spotted during 2014 that has evolved into a dangerous botnet used to drop numerous other malware strains like the Trickbot banking Trojan (known for delivering Ryuk ransomware payloads).
Security researchers speculate that the Emotet botnet is operated by a threat actor tracked as TA542 by Proofpoint and as Mummy Spider by CrowdStrike. The group “rents” the botnet to other actors, as was the case with the group behind TrickBot, which rented distribution from the Emotet botnet.
The Emotet botnet’s command and control (C2) servers resumed activity and started delivering malware payloads again on August 22 after a short hiatus since the beginning of June.
Following this, the ACSC announced on October 25 that it had raised Australia’s Cyber Incident Management Arrangements (CIMA) to Level 3 – ‘Alert’, “in response to the widespread exploitation of vulnerable systems by the Emotet malware.”
“The threat posed by this malicious software required immediate action at the national level to ensure Australian organisations, from critical infrastructure providers to small businesses, receive mitigation advice to protect their networks,” Noble added.
On September 16, less than a month after its C2 servers reactivated, the Emotet botnet started delivering malspam around the globe, with emails distributing Emotet payloads spotted in attacks targeting individuals, businesses, and government entities in the U.S., Germany, the United Kingdom, Poland, and Italy.
Cofense told BleepingComputer that the spam messages were coming from 3,362 compromised senders, with the total count of unique domains used in the attacks reaching 1,875 across more than 400 TLDs.
The Emotet botnet arose from the grave yesterday and began serving up new binaries. We noticed that the C2 servers began delivering responses to POST requests around 3PM EST on Aug 21. Stay vigilant and keep an eye out for any updates as we monitor for any changes.
— Cofense Labs (@CofenseLabs) August 22, 2019
The ACSC provides technical advice on Emotet that should allow you to protect against malware and ransomware threats, while Microsoft provides its own recommendations for protecting against attacks designed to exploit the BlueKeep vulnerability.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a list of BlueKeep mitigation measures in June and urges Windows admins and users to review the Microsoft BlueKeep Security Advisory and the Microsoft Customer Guidance for CVE-2019-0708 for more info.
“While you are watching your TV or eating dinner with your family, a cybercriminal can use your computer to mine and profit from untraceable digital currency, and you may never know that this has occurred,” Noble added.
“The unfortunate truth is that once a cybercriminal can access your computer, they can control your computer. If they find valuable data, like your personal information and photos, they can steal it.”