The Australian government has been the target of a state-based cyber attack, according to Prime Minister Scott Morrison. The Australian Cyber Security Centre (ACSC) has released an advisory Friday morning on the tactics, techniques and procedures utilised. However, it has also revealed that no destructive activities have actually taken place.
We don’t know much about the attackers or which organisations have been targeted. The PM has not named the country behind the attack but said “we know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the trade craft used.”
Government, industry, political organisations, education, health and service providers were also targeted, according to the PM. He did not expand on specific organisations.
While the full details aren’t available, we do know a little about how this happened.
The Australian Cyber Security Centre releases cyber attack report
According to the ACSC, ‘Copy-paste compromises’ have been used as part of “the actor’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.”
The bad actor is said to be utilising various initial access vectors to target, amongst other things, public-facing infrastructure “primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI.”
Telerik is a Bulgarian company that offers a suite of software and web tools. Basically, the attackers were able to take advantage of companies using versions of Telerik’s user interface services that weren’t updated.
The ACSC revealed the attackers were also able to exploit vulnerabilities in online software such as Microsoft Internet Information Services, SharePoint and Citrix.
Public proof-of-concepts were used as well, ACSC said. “[The attackers have] also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations,” the organisation added.
Phishing was also involved in the cyber attack
Spear phishing was another tactic used in the cyber attack. Spear phishing is a more personalised, targeted form of phishing, using emails or electronic scams designed to steal data or install malware. Regular phishing attacks can be pretty easy to spot. Others, especially highly personalised attacks, can appear legitimate.
In this attack, the ACSC said that the following techniques have been employed:
- Links to credential harvesting websites
- Emails with links to malicious files, or with the malicious file directly attached
- Links prompting users to grant Office 365 OAuth tokens to the actor
- Use of email tracking services to identify the email opening and lure click-through events.
In cases where the attacks worked, networks were compromised and accessed remotely via the stolen credentials.
“In interacting with victim networks, the actor was identified making use of compromised legitimate Australian web sites as command and control servers. Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic. This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations,” the ACSC said.
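The traffic pattern the ACSC describes, web shells driven over ordinary HTTP/HTTPS on otherwise legitimate sites, tends to leave a recognisable trace in web server logs: a script file that only ever receives POST requests, never arrives via a Referer from a real page, and is talked to by a handful of client addresses. As an added example, not from the advisory or this article, the following Python runs that heuristic over constructed IIS W3C log lines; the sample log, the `/images/cache.aspx` path and the thresholds are assumptions for illustration.

```python
"""Heuristic web-shell hunt over IIS W3C logs (added example, constructed data)."""
from collections import defaultdict

SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp")

# Constructed sample, not taken from the advisory. Field order follows the
# #Fields header line, as IIS writes it.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2020-06-18 01:02:03 10.0.0.5 GET /index.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200
2020-06-18 01:02:04 10.0.0.5 GET /news/list.aspx - 443 - 203.0.113.10 Mozilla/5.0 https://www.example.invalid/index.aspx 200
2020-06-18 01:02:09 10.0.0.5 POST /contact.aspx - 443 - 203.0.113.10 Mozilla/5.0 https://www.example.invalid/contact.aspx 302
2020-06-18 01:05:00 10.0.0.5 POST /images/cache.aspx - 443 - 198.51.100.7 python-requests/2.23 - 200
2020-06-18 01:05:41 10.0.0.5 POST /images/cache.aspx cmd=1 443 - 198.51.100.7 python-requests/2.23 - 200
2020-06-18 01:09:12 10.0.0.5 POST /images/cache.aspx - 443 - 198.51.100.7 python-requests/2.23 - 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_webshell_candidates(text, max_clients=2):
    """Return script URIs that only ever receive POSTs, are never reached via a
    Referer, and are used by at most `max_clients` distinct source addresses."""
    stats = defaultdict(lambda: {"methods": set(), "referer": False, "clients": set()})
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if not uri.endswith(SCRIPT_EXT):
            continue
        s = stats[uri]
        s["methods"].add(rec["cs-method"])
        s["clients"].add(rec["c-ip"])
        if rec["cs(Referer)"] != "-":
            s["referer"] = True
    return sorted(u for u, s in stats.items()
                  if s["methods"] == {"POST"} and not s["referer"]
                  and len(s["clients"]) <= max_clients)


if __name__ == "__main__":
    for uri in find_webshell_candidates(SAMPLE_LOG):
        print("review:", uri)
```

A hit is a lead for review, not proof of compromise: confirm by inspecting the file on disk and its creation time against the deployment history.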
It’s important to note that the ACSC advisory says no damage actually occurred as a result of the attack.
“During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.”
The ACSC recommends that affected organisations patch all “internet-facing software, operating systems and devices.” It also encourages multi-factor authentication for remote access services.