ACSC issues national alert over trojan linked to Vic Health attack

The Australian Cyber Security Centre has started banging its urgent cyber alert gong over a torrent of trojans now being aimed at business and government users, saying at least 19 organisations have been hit by ‘Emotet’ malware.

It says that the attachment-borne payload is the same that preceded a hobbling ransomware attack against regional Victorian hospials and health services that was attributed to Ryuk malware.

The public facing arm of the secretive Australian Signal’s Directorate on Friday escalated its warnings on the phishing based attack, with ACSC chief Rachel Noble issuing a national alert.

“Due to the scale of the campaign, and the risk of economic impact, the National Cyber Security Committee (NCSC) has activated the national Cyber Incident Management Arrangements (CIMA) to Level 3 – Alert”.

At a broad level, the CIMA is set of interjurisdictional agreements that set out how agencies across the federal, state and local sectors will coordinate across Australia’s maze of intergovernmental connections.

The arrangements matter because many local governments, especially regional councils control critical infrastructure that can be heavily impacted if councils and state governents are compromised or hobbled, as happened recently in Victoria.

(More on how the CIMA alert system works at the end of this story.)

According to ACSC, the current campaign uses both targeted and untargeted phishing emails to push the Trojan.

"Upon infection of a machine, Emotet attempts to spread within a network by brute-forcing user credentials, and writing to shared drives. Emotet has been observed downloading a secondary malware, called Trickbot, onto infected machines," an ACSC threat advisory said.

"Trickbot is a modular multi-purpose command-and-control (C2) tool that allows an attacker to harvest emails and credentials, move laterally within a network using exploits like EternalBlue, and deploy additional malware to the infected network."

The ACSC has not characterised the origin of the attack, saying only that “cyber criminals use malware for different reasons, most commonly to steal personal or valuable information from which they can profit, hold recipients to ransom or install damaging programs onto devices without your knowledge.”

However the chairman and chief executive of key defence systems and services provider Unisys, Peter Altabef, last week told iTnews he believed that ransomware attacks were increasingly being used as a smokescreen for state sponsored attacks.

Altabef is a member of the US President’s National Security Telecommunications Advisory Committee.

The laundry list of urgent cyber fixes for enterprises has also swollen over the last two week, with key enterprise vendor Oracle also shunting a clutch of urgent vulnerability patches, two of which affected its financial services products and rated 9.8 and 10 in terms of urgency.

Banks are also privately expecting an uptick in fraud efforts and stolen credential milking as merchants and institutions face tougher online payment requirements after the AusPayNet finally released a new framework that demands two factor authentication for many transactions.

ACSC chief Noble is imploring people to pay attention and take precautions.

“If Emotet infects your computer, it will open up a backdoor that will allow the cybercriminal to inject ransomware that could freeze your network,” Noble said.

How the CIMA hierarchy works 

According to ACSC, "the CIMA bridges the current gap between a localised cyber security incident handled by an individual state, and Australia’s national crisis management arrangements.

"If a national cyber incident reaches a crisis level, the CIMA will operate in support of jurisdictions’ respective crisis management arrangements," an updated guide says.

The CIMA categorises cyber incidents under National Cyber Security Arrangements (NCSA) from Level 5 to Level 1: 

Level 5: Normal Conditions

Level 4: Lean Forward

Level 3: Alert

Level 2: National Cyber Incident

Level 1: National Cyber Crisis