24 December 2019

German cities under attack by Emotet botnet

The German city of Frankfurt am Main was attacked by the Emotet botnet. As a result, computer systems used by the city's services had to be temporarily taken offline. Three organizations in other German cities faced similar cyberattacks: the Justus Liebig University in Gießen, the city administration of Bad Homburg, and the Catholic University in Freiburg.

Emotet is malware designed to install other malicious software on infected devices. It is distributed primarily via phishing emails that include either links to websites hosting malicious content or malicious attachments (PDF or Microsoft Word documents). The PDF documents contain links to malicious sites, while the Microsoft Word documents have embedded macros and include instructions on enabling them. One distinctive feature of Emotet is that its operators use a Malware-as-a-Service scheme, enabling other criminal groups to rent access to computers infected with Emotet and install their own malware, such as ransomware.

In the case of the Justus Liebig University in Gießen, after infecting the university’s network, Emotet was used to deploy Ryuk ransomware. That incident was the first of the attacks on German cities, but it was not promptly detected.

For security reasons, passwords for all university email accounts at the Justus Liebig University, whether used by students or staff, were reset, and about 38,000 people had to queue over a period of five days to get their new email passwords.

The Catholic University in Freiburg was the next victim of Emotet, followed by Frankfurt am Main and Bad Homburg. All attacked organizations had to take down their computer networks to prevent the malware from spreading further.

Frankfurt was hit the hardest of all Emotet attack victims: as a result of the infection, all computer systems and services of the city were taken offline, including its website and public transport ticketing service.

According to mass media reports, Frankfurt’s IT systems became infected after an employee opened a malicious email attachment.

In connection with the Emotet attacks on German cities, Germany's federal cybersecurity authority (BSI) has sent security warnings to German organizations with information on the Emotet phishing campaign.

Sources: Hessenschau, ZDNet, BSI