The Australian Government announced this morning that it has been monitoring persistent and increasing volumes of cyber attacks by a foreign state-based actor on Australian Government and private sector businesses.
While specifics are still trickling in, our research suggests that this attacker is using numerous attack methods. Most of them make use of existing open source tools and packages, which the ACSC has dubbed “copy-paste compromises”. The primary attack method is either exploiting internet-facing infrastructure or spear-phishing. It is evident that attacks have been escalating in recent months, which is a timely reminder of the need to have an effective cyber security program in place to protect against the devastating effects of such attacks.
How it works
Attackers are targeting internet-facing infrastructure by exploiting vulnerabilities in Citrix, the Windows IIS web server and Telerik UI.
Where these attacks fail, they move on to spear-phishing. Spear phishing is most commonly an email or SMS scam targeted at a specific individual or organisation, but it can be delivered via any electronic communication medium. Although often intended to steal data, it is also effective at bypassing our weakest defence (people) to install malware on a targeted user’s computer.
What are the risks?
If an organisation is breached, it could suffer a combination of business impacts, including:
- Theft of business data
- Destruction or impairment to financial data, creating extended business interruptions
- Financial loss
- Reputational loss
- Compliance breaches
- Legal action
The resultant cost will depend on how many systems have been affected, what type of systems have been affected, and the extent of the data compromised or of the interruption to business operations.
When does an attack take place?
The attackers are actively scanning the internet for internet-facing infrastructure with known vulnerabilities that can be exploited using the “copy-paste compromise” technique. At present, they have been able to exploit the following systems to achieve arbitrary code execution.
- Telerik UI – a software product used for developing web applications. The vulnerable versions are those released between 2007 and 2017. Further details are provided in CVE-2017-9248, CVE-2017-11317 and CVE-2017-11357.
- Microsoft IIS – a software product used to host internet-facing web applications. At this time, all versions of Microsoft IIS are deemed to be affected.
- Microsoft SharePoint – collaboration software used to host, modify and share files. The vulnerable versions are those released between 2010 and 2019. Further details are provided in CVE-2019-0604.
- Citrix – software that enables remote access to an organization’s IT network. The vulnerability affects multiple versions of Citrix and its older NetScaler product. Further details are provided in CVE-2019-19781.
NOTE: the Microsoft vulnerabilities apply only to the on-premise versions of the products. They do not affect the equivalent cloud services offered by Microsoft.
The other technique adopted by the attackers is spear phishing. In the spear-phishing emails, the attacker attaches files or includes links to a variety of destinations, including:
- Credential harvesting sites – genuine-looking but fake websites that prompt targets to enter their username and password. Once the target provides the credentials, they are stored in the attackers’ database and used to launch credential-based attacks against the organization’s IT infrastructure and applications.
- Malicious files – files attached to the email. These look legitimate, but once downloaded they execute malware on the target device. Common file types are .doc, .docx, .xls, .xlsx, .ppt, .pptx, .jpg, .jpeg, .gif, .mpg, .mp4, .wav.
- OAuth token theft – OAuth is a technology commonly used on the internet to authenticate a user to a wide variety of other platforms. This attack technique abuses OAuth tokens generated by one platform and shared with others. An example is a website that asks users to authenticate with their Facebook or Google accounts in order to use its own services. A faulty implementation of OAuth leaves such integrations open to cyber attacks.
- Link shimming – a technique that uses email tracking services to launch an attack. The attackers send fake emails containing valid-looking links and images served through email tracking services. Once the user receives the email, the service tracks the opening of the email and clicks on its links; such tracking can reveal when the email was opened, location data, the device used, the links clicked and the IP addresses used. The links, once clicked, can in turn lead to malicious software being stealthily downloaded onto the target system and/or lure the user into credential harvesting.
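The “malicious files” lure above works because a mail client or user trusts the extension, not the bytes behind it. One defensive control a mail gateway or endpoint agent can apply is to compare an attachment’s declared extension with its actual file signature and quarantine anything that disagrees or carries a native executable header. The following Python is an added illustration written for this article, not code from the ACSC advisory or from MyEmpire’s tooling; the signature table uses well-known magic bytes for the file types listed above, and the attachments it triages are constructed sample data.

```python
"""Flag email attachments whose contents do not match the extension they claim.

Added example: the magic-byte values are standard public file signatures; the
attachments in SAMPLE_ATTACHMENTS are constructed for demonstration only.
"""

# Leading bytes expected for each of the extensions named in the advisory.
SIGNATURES = {
    "doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound file
    "xls":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    "ppt":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    "docx": [b"PK\x03\x04"],                         # OOXML is a ZIP container
    "xlsx": [b"PK\x03\x04"],
    "pptx": [b"PK\x03\x04"],
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "wav":  [b"RIFF"],                               # RIFF container; form type at bytes 8..12
}

# Native executable headers: never acceptable regardless of the extension.
EXECUTABLE_MARKERS = [b"MZ", b"\x7fELF"]


def check_attachment(filename: str, data: bytes) -> str:
    """Return 'ok', 'mismatch', 'executable' or 'unknown-type' for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # A PE or ELF header behind an image or document extension is the classic lure.
    if any(data.startswith(m) for m in EXECUTABLE_MARKERS):
        return "executable"
    sigs = SIGNATURES.get(ext)
    if sigs is None:
        return "unknown-type"   # extension not in the table; leave to policy
    if not any(data.startswith(s) for s in sigs):
        return "mismatch"       # e.g. HTML or script text named .gif
    # RIFF is shared by several formats; a .wav must declare the WAVE form type.
    if ext == "wav" and data[8:12] != b"WAVE":
        return "mismatch"
    return "ok"


def triage(attachments):
    """Return the (name, verdict) pairs that should be quarantined, not delivered."""
    quarantined = []
    for name, data in attachments:
        verdict = check_attachment(name, data)
        if verdict in ("executable", "mismatch"):
            quarantined.append((name, verdict))
    return quarantined


# Constructed sample attachments (not real files).
SAMPLE_ATTACHMENTS = [
    ("report.docx", b"PK\x03\x04" + b"\x00" * 26),            # genuine OOXML header
    ("photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),              # PE header behind an image extension
    ("invoice.gif", b"<html><body>click here</body></html>"),  # HTML lure behind an image extension
    ("song.wav", b"RIFF\x24\x08\x00\x00WAVEfmt "),             # genuine WAV header
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS):
        print(f"quarantine {name}: {verdict}")
```

The check is deliberately conservative: it only blocks when the bytes contradict the name or carry an executable header, and leaves extensions it does not know about for a separate policy decision, so it can run inline without generating a flood of false positives on legitimate mail.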
Who does it target?
As of the time of writing, the advisory does not provide specifics other than to say that government and private sector organizations in Australia have been targeted for an extended period of months and on an increasing scale.
Why does it succeed?
The most common reasons these attacks succeed are:
- Lack of user awareness
- Unpatched or out of support internet facing systems
- Application or system misconfiguration
- Inadequate or poorly maintained device security controls
- Weak threat detection & response programs
How can it be prevented?
The ACSC is highlighting the Australian Signals Directorate’s ‘Essential 8’ mitigations, which MyEmpire agrees are effective against the large majority of present-day attacks.
As immediate measures to understand whether you have been compromised, we recommend investigating the Indicators of Compromise from the ACSC’s advisory, and urgently conducting vulnerability scanning and patching across all systems to ensure you have no exploitable systems.
Organizations with strong and mature information security programs are more resilient. The following preventive measures help address the risks:
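Investigating the advisory’s Indicators of Compromise in practice means sweeping your own logs for the listed addresses, domains and file hashes. The script below is an added example of that sweep over web proxy logs, written for this article rather than taken from the ACSC advisory; the indicator values are placeholders in documentation-reserved ranges and reserved test domains, not the advisory’s real IoCs, and the log lines and their format are constructed. Substitute the advisory’s published indicators and your own log parser before use.

```python
"""Sweep proxy logs for IP, domain and file-hash indicators of compromise.

Added example. The IoCs below are PLACEHOLDERS (RFC 5737 address ranges,
RFC 2606 reserved domains, an all-zero hash); replace them with the indicators
published in the ACSC advisory. The log format is constructed for this demo.
"""
import ipaddress
import re

# Placeholder indicators standing in for the advisory's list.
IOC_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.45/32", "198.51.100.0/24")]
IOC_DOMAINS = {"example-update.invalid", "cdn.example.test"}
IOC_HASHES = {"0" * 64}  # placeholder SHA-256 of a malicious download

# Constructed log format: "<ts> <client> <dest-ip> <host> <uri> <status> [sha256=<hash>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst_ip>\S+) (?P<host>\S+) (?P<uri>\S+) (?P<status>\d{3})"
    r"(?: sha256=(?P<sha>[0-9a-f]{64}))?$"
)

SAMPLE_PROXY_LOG = (
    "2020-06-19T09:12:01Z 10.0.5.23 192.0.2.10 www.example.com /index.html 200\n"
    "2020-06-19T09:12:44Z 10.0.5.23 203.0.113.45 example-update.invalid /update.exe 200 sha256=" + "0" * 64 + "\n"
    "2020-06-19T09:13:02Z 10.0.7.8 198.51.100.9 files.cdn.example.test /a.zip 200 sha256=" + "a" * 64 + "\n"
    "2020-06-19T09:14:30Z 10.0.7.8 192.0.2.20 mail.example.com /inbox 200\n"
)


def match_domain(host: str) -> set:
    """Return the indicator domains that match host exactly or as a parent domain."""
    host = host.lower().rstrip(".")
    return {d for d in IOC_DOMAINS if host == d or host.endswith("." + d)}


def sweep(log_text: str) -> list:
    """Return one hit per log line that touches any indicator, with what matched."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment should count these
        matched = []
        dst = ipaddress.ip_address(m["dst_ip"])
        if any(dst in net for net in IOC_NETS):
            matched.append(f"ip:{dst}")
        for d in sorted(match_domain(m["host"])):
            matched.append(f"domain:{d}")
        if m["sha"] and m["sha"] in IOC_HASHES:
            matched.append(f"sha256:{m['sha'][:12]}...")
        if matched:
            hits.append({"line": n, "src": m["src"], "host": m["host"], "indicators": matched})
    return hits


def affected_hosts(hits: list) -> list:
    """Internal clients that contacted an indicator; these go to incident triage."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    found = sweep(SAMPLE_PROXY_LOG)
    for h in found:
        print(h)
    print("clients to triage:", affected_hosts(found))
```

Domain matching includes subdomains on purpose, since a listed domain is usually abused through arbitrary hostnames beneath it, and network indicators are matched as CIDR ranges so a single entry can cover a block. Any client that appears in the output should be isolated and examined before the sweep is widened to DNS, firewall and endpoint logs.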
- Conduct regular user awareness training on common cyber threats
- Conduct regular phishing tests to check user awareness level
- Patch the mentioned internet facing products as recommended by their vendors
- Establish baseline security standards for applications & systems
- Apply multi-factor authentication to access critical applications & systems – especially internet-facing & SaaS products widely used in the organization, such as O365
- Follow regular vulnerability scanning & remediation regimes
- Conduct regular penetration testing on internet facing applications & systems
- Apply security settings on endpoints and internet gateways that disallow download & execution of files from unfamiliar sources
- Maintain an active threat detection & response program that provides for intrusion detection, integrity checks, user & system behavior monitoring and tools to maintain visibility of potential attacks and incidents (e.g. Security Information & Event Management (SIEM) tools)
- Maintain a robust incident management program that is reviewed and tested at least annually
- Maintain a comprehensive backup regime – especially for critical data – including offsite/offline backups, and regular testing of backups for data integrity
- Restrict & monitor usage of administrative credentials
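The “user & system behavior monitoring” control above is what catches the follow-on stage of credential harvesting: once harvested passwords are tried against the organisation’s own login services, the authentication logs show one source failing across many accounts and then succeeding. The Python below is an added example of that correlation rule for a SIEM or log pipeline, written for this article and not taken from the ACSC advisory or any product; the log format, the thresholds and the sample events are constructed assumptions, and 203.0.113.9 is a documentation-range address standing in for an external source.

```python
"""Detect password spraying and a login success that follows it.

Added example. Log format "<timestamp> <user> <source-ip> <result>", the
window and threshold, and the events below are all constructed for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # sliding window for correlating attempts
SPRAY_USERS = 5                 # distinct accounts failing from one source = spray

# Constructed sample authentication log.
SAMPLE_AUTH_LOG = """\
2020-06-19T08:00:01Z alice 10.0.0.5 SUCCESS
2020-06-19T08:01:10Z alice 203.0.113.9 FAIL
2020-06-19T08:01:12Z bob 203.0.113.9 FAIL
2020-06-19T08:01:15Z carol 203.0.113.9 FAIL
2020-06-19T08:01:17Z dave 203.0.113.9 FAIL
2020-06-19T08:01:20Z erin 203.0.113.9 FAIL
2020-06-19T08:01:25Z frank 203.0.113.9 SUCCESS
2020-06-19T08:30:00Z bob 10.0.0.7 FAIL
2020-06-19T08:30:05Z bob 10.0.0.7 SUCCESS
"""


def parse_auth_log(text: str) -> list:
    """Parse lines into (timestamp, user, source, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result))
    return events


def detect_credential_attacks(events: list) -> list:
    """Return alerts for sources that spray many accounts, and for any success after it."""
    alerts = []
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[2]].append(ev)
    for src, evs in by_src.items():
        window = []            # (ts, user) failures inside the sliding window
        spraying_since = None  # when this source crossed the spray threshold
        for ts, user, _, result in evs:
            window = [(t, u) for t, u in window if ts - t <= WINDOW]
            if spraying_since is not None and ts - spraying_since > WINDOW:
                spraying_since = None  # spray activity has gone quiet; reset
            if result == "FAIL":
                window.append((ts, user))
                distinct = {u for _, u in window}
                if len(distinct) >= SPRAY_USERS and spraying_since is None:
                    spraying_since = ts
                    alerts.append({"type": "password_spray", "src": src,
                                   "users": len(distinct), "at": ts})
            elif result == "SUCCESS" and spraying_since is not None:
                # A valid login from a spraying source: that account is likely compromised.
                alerts.append({"type": "success_after_spray", "src": src,
                               "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_attacks(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

In the sample data the internal user who mistypes a password once and then logs in is not flagged, while the external source that fails across five accounts and then succeeds as a sixth raises both a spray alert and a higher-priority alert naming the account to reset. Keying the rule on distinct accounts per source rather than failures per account is what distinguishes a spray, which stays under per-account lockout thresholds, from ordinary user error.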