The Australian Government is currently aware of, and responding to, a sustained cyber targeting of Australian governments and companies by a sophisticated state-based actor.

The tactics, techniques and procedures utilised in this cyber campaign have been investigated by the Australian Cyber Security Centre (ACSC) and are described in Advisory 2020-008.

“Malicious cyber activity is increasing in frequency, scale, in sophistication and in its impact. It’s vital that all Australian organisations are alert to this threat and take steps to protect their own networks.” – Linda Reynolds, Australian Minister for Defence


Summary

The actor has been identified leveraging a number of initial access vectors, the most prevalent being the exploitation of public-facing infrastructure – primarily through a remote code execution vulnerability in unpatched versions of Telerik UI.

Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.

The ACSC has also identified the actor utilising various spearphishing techniques. This spearphishing has taken the form of:

  • links to credential harvesting websites
  • emails with links to malicious files, or with the malicious file directly attached
  • links prompting users to grant Office 365 OAuth tokens to the actor
  • use of email tracking services to identify email-opening and lure click-through events.

Once initial access is achieved, the actor utilises a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote access using stolen credentials. To successfully respond to a related compromise, all such accesses must be identified and removed.


Actions

Two key actions for greatly reducing the risk of compromise by the tactics, techniques and procedures identified in Advisory 2020-008 are:

1. Prompt patching of internet-facing software, operating systems and devices.

“All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available. Organisations should ensure that security patches or mitigations are applied to internet-facing infrastructure within 48 hours. Additionally, organisations, where possible, should use the latest versions of software and operating systems.” – Australian Cyber Security Centre (ACSC)

2. Use of multi-factor authentication across all remote access services.

“Multi-factor authentication should be applied to all internet-accessible remote access services.” – Australian Cyber Security Centre (ACSC)

This includes web and cloud-based email, collaboration platforms, virtual private network connections and remote desktop services.
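As an added illustration of the first action (not part of the original advisory or of Forsythes Technology's tooling), the following script checks a constructed inventory of assets against the ACSC's 48-hour window for patching or mitigating internet-facing infrastructure, and separately flags exposed assets with no recorded owner, since the advisory notes that the actor targets development, test and orphaned services that nobody maintains. Asset names, dates and the inventory structure are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# 48-hour window from the ACSC recommendation quoted above.
PATCH_SLA = timedelta(hours=48)


@dataclass
class Asset:
    name: str
    internet_facing: bool
    owner: Optional[str]              # None models an orphaned service
    fix_published: datetime           # when the vendor patch or mitigation became available
    remediated: Optional[datetime]    # when a patch OR mitigation was applied; None if still open


def hours_overdue(asset: Asset, now: datetime) -> float:
    """Hours beyond the 48h window; 0.0 if compliant or not internet-facing."""
    if not asset.internet_facing:
        return 0.0
    deadline = asset.fix_published + PATCH_SLA
    closed_at = asset.remediated or now   # an open item keeps accruing time
    if closed_at <= deadline:
        return 0.0
    return (closed_at - deadline).total_seconds() / 3600


def sla_breaches(assets: List[Asset], now: datetime) -> List[Tuple[str, float]]:
    """Internet-facing assets that were (or still are) outside the 48h window."""
    return sorted((a.name, round(hours_overdue(a, now), 1))
                  for a in assets if hours_overdue(a, now) > 0)


def unowned_exposed(assets: List[Asset]) -> List[str]:
    """Exposed assets with no owner: candidates for decommissioning or adoption."""
    return sorted(a.name for a in assets if a.internet_facing and a.owner is None)


# Constructed sample inventory (hypothetical hosts and dates, UTC).
NOW = datetime(2020, 6, 22, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    Asset("web-telerik-01", True, "web-team", datetime(2020, 6, 18, 0, 0, tzinfo=timezone.utc), None),
    Asset("vpn-gw-01", True, "netops", datetime(2020, 6, 19, 12, 0, tzinfo=timezone.utc),
          datetime(2020, 6, 20, 10, 0, tzinfo=timezone.utc)),
    Asset("sp-test-02", True, None, datetime(2020, 6, 15, 0, 0, tzinfo=timezone.utc),
          datetime(2020, 6, 21, 0, 0, tzinfo=timezone.utc)),
    Asset("hr-db-internal", False, "hr-it", datetime(2020, 6, 1, 0, 0, tzinfo=timezone.utc), None),
]

if __name__ == "__main__":
    print("SLA breaches:", sla_breaches(SAMPLE, NOW))
    print("Unowned exposed:", unowned_exposed(SAMPLE))
```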


Beyond these two key actions, the ACSC strongly recommends implementing the remainder of the ASD Essential Eight controls, and reviewing and implementing the ACSC guidance on Windows Event Logging and Forwarding and on System Monitoring.

The NIST Cybersecurity Rapid Score service offered by Forsythes Technology covers the ASD Essential Eight controls, and more.


We’re Here to Help

As always, we are equipped and prepared to assist our customers with complying with these directives and maintaining a best practice cybersecurity posture.

Please contact your account manager for assistance or enquire now for a prompt response and action plan.