CISA alert warns of Emotet attacks on US govt entities

CISA is warning of a surge in Emotet attacks targeting multiple state and local governments in the US since August.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to warn of a surge of Emotet attacks that have targeted multiple state and local governments in the U.S. since August.

During that time, the agency’s EINSTEIN Intrusion Detection System has detected roughly 16,000 alerts related to Emotet activity.

According to CISA experts, the Emotet attacks targeted US government entities.

The Emotet banking trojan has been active since at least 2014; the botnet is operated by a threat actor tracked as TA542. In mid-August, the malware was employed in a fresh COVID-19-themed spam campaign.

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

The infamous banking trojan is also used to deliver other malicious code, such as the TrickBot and QBot trojans, or ransomware such as Conti (TrickBot) or ProLock (QBot).

Emotet is modular malware; its operators can develop new Dynamic Link Libraries to update its capabilities.

The alert published by CISA was based on data provided by the Multi-State Information Sharing & Analysis Center (MS-ISAC) and CISA itself since July 2020.

“Since August, CISA and MS-ISAC have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. This increase has rendered Emotet one of the most prevalent ongoing threats,” reads the alert published by CISA.

“To secure against Emotet, CISA and MS-ISAC recommend implementing the mitigation measures described in this Alert, which include applying protocols that block suspicious attachments, using antivirus software, and blocking suspicious IPs.”

According to CISA, the surge in the attacks has rendered this malware one of the most prevalent ongoing threats.

TOP10 last week’s threats by uploads
#Emotet 1186 (2292)
#Njrat 125 (242)
#AgentTesla 91 (123)
#Qbot 82 (126)
#Trickbot 70 (87)
#Ursnif 68 (76)
#Nanocore 68 (63)
#Dreambot 66 (75)
#Formbook 49 (72)
#Lokibot 44 (36)
https://t.co/98nRpXOxWw
— ANY.RUN (@anyrun_app) October 5, 2020

In mid-September, cybersecurity agencies across Asia and Europe warned of Emotet spam campaigns targeting businesses in France, Japan, and New Zealand. At the end of September, agencies in Italy and the Netherlands, and researchers from Microsoft issued new alerts about the spike in Emotet activity.

Emotet joined the password-protected attachment bandwagon with a campaign starting Friday. The campaign slowed down over the weekend (typical of Emotet) but was back today in even larger volumes of emails in English, as well as in some European languages. pic.twitter.com/POppQ51uMX
— Microsoft Security Intelligence (@MsftSecIntel) September 22, 2020

CISA and MS-ISAC recommend that admins and users use antimalware solutions to block suspicious attachments and block suspicious IP addresses.

The report includes mitigations, Indicators of Compromise (IoCs) and MITRE ATT&CK Techniques.

The post CISA alert warns of Emotet attacks on US govt entities appeared first on Security Affairs.