The Australian government has revealed that a “sophisticated” state-based cyber attack has been targeting both public and private sector organisations.
Prime Minister Scott Morrison announced the threat Friday morning, saying that the attack is targeting a range of sectors across all levels of government, political organisations, education, health, essential service providers and operators of other critical infrastructure.
“We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting, and the trade craft used,” Morrison told journalists.
Morrison added the attacks were not new, though the frequency, scale and sophistication had been increasing. He said there was no indication of large-scale personal data breaches.
The Australian Cyber Security Centre released an advisory overnight, calling the attacks “copy-paste compromises” due to the actor’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.
“The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI,” the advisory read.
The ACSC added the actor also exploited a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and a 2019 Citrix vulnerability.
“The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases,” the ACSC added.
“The actor has also shown an aptitude for identifying development, test and orphaned services thatare not well known or maintained by victim organisations.”
When the actor fails to exploit the public-facing infrastructure, it would then attempt to use spearphishing techniques through the following:
- Links to credential harvesting websites
- Emails with links to malicious files, or with the malicious file directly attached
- Links prompting users to grant Office 365 OAuth tokens to the actor
- Use of email tracking services to identify the email opening and lure click-through events.
Once the actor gets through, it would then use a mixture of open source and custom tools to persist on, and interact with, the targeted network by migrating to legitimate remote accesses using stolen credentials.
The ACSC said the actor was found to use compromised legitimate Australian web sites as command and control servers with the use of web shells and HTTP/HTTPS traffic, rendering geo-blocking ineffective and added legitimacy to malicious network traffic during investigations.
To mitigate the attacks, the agency advised affected organisations to patch internet-facing infrastructure within 48 hours and use the latest versions of software and operating systems.
Other recommendations include the use of multi-factor authentication across all remote access services and following the Australian Signals Directorate’s Essential Eight controls.