Friday, June 19, 2020

Lessons to Learn from Recent Cyber Attacks in Australia

Multiple IT network infrastructures that belong to the Australian government and private sector organizations have been targeted by a large-scale cyber attack seeking to disrupt the work of the government as well as the operations of essential service providers.

The Australian Cyber Security Centre (ACSC) has revealed the tactics, techniques and procedures (TTPs) identified during its investigation.

This advisory aims to share the TTPs with industry peers to increase awareness and to prompt the necessary precautionary actions against the emerging threat landscape.

Attackers have leveraged a number of initial access vectors, including:
  • Remote code execution vulnerability in unpatched versions of Telerik UI (CVE-2019-18935)
  • Deserialisation vulnerability in Microsoft Internet Information Services (IIS) (Reference [3])
  • Microsoft SharePoint vulnerability (CVE-2019-0604)
  • Remote code execution vulnerability in Citrix Application Delivery Controller and Citrix Gateway (CVE-2019-19781)
Further, the attackers have also used various spearphishing techniques, such as:
  • Links to credential harvesting websites
  • Emails with links to malicious files, or with the malicious file directly attached
  • Links prompting users to grant Office 365 OAuth tokens to the actor
  • Use of email tracking services to identify the email opening and lure click-through events.
Whenever possible, the attackers have migrated to legitimate remote access using stolen credentials, so that security monitoring solutions are less likely to detect their presence. Once access is obtained, the attackers have primarily used HTTP/HTTPS traffic for command and control.

Recommendations:

As key mitigation techniques, the following recommendations have been proposed:
  • Patch all internet-facing operating systems, applications and devices with the latest security updates.
  • Apply multifactor authentication to all internet-accessible remote access services.

Additionally, the recommendations listed below should also be implemented:
  • Apply necessary controls to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
  • Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
  • Harden operating systems and applications. For example, configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
  • Restrict administrative privileges based on the least privilege principle.
  • Maintain regular backups (daily, weekly) of important new/changed data, software and configuration settings, stored disconnected and retained for at least three months.
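
As an added illustration of the Office macro recommendation above (not part of the ACSC advisory or the original post), the PowerShell below audits the current user's macro policy for Word, Excel and PowerPoint. It assumes Office 2016/2019/365 (registry version key 16.0) with settings delivered through Group Policy under HKCU:\Software\Policies; the function name Get-PolicyValue is hypothetical.

```powershell
# Added example: audit per-user Office macro policy (assumes Office version key 16.0
# and Group Policy-delivered settings under HKCU:\Software\Policies).
$apps = 'word', 'excel', 'powerpoint'
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$results = foreach ($app in $apps) {
    $sec = Join-Path $base "$app\security"

    # 1 = block macros in Office files that carry the internet zone marker.
    $blockInternet = Get-PolicyValue $sec 'blockcontentexecutionfrominternet'
    # 1 = enable all, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    $vbaWarnings = Get-PolicyValue $sec 'vbawarnings'
    # 1 = trusted locations on network shares are allowed (widens write access).
    $netLocations = Get-PolicyValue (Join-Path $sec 'trusted locations') 'allownetworklocations'

    [pscustomobject]@{
        App                    = $app
        BlocksInternetMacros   = ($blockInternet -eq 1)
        SignedOnlyOrDisabled   = ($vbaWarnings -in 3, 4)
        # Office does not trust network locations by default, so only an explicit 1 fails.
        NetworkTrustedLocsOff  = ($netLocations -ne 1)
        RawValues              = "block=$blockInternet vba=$vbaWarnings net=$netLocations"
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled compliance job flag the host.
$failed = @($results | Where-Object {
    -not ($_.BlocksInternetMacros -and $_.SignedOnlyOrDisabled -and $_.NetworkTrustedLocsOff)
})
if ($failed.Count -gt 0) {
    Write-Warning ("Macro policy gaps in: " + ($failed.App -join ', '))
    exit 1
}
```

An unconfigured policy value is reported as a gap for the first two checks, because the user can then change the setting in the Trust Center.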

In addition to the above, it is essential to enable logs, including operating system logs (Microsoft Windows event logs), web server logs (access logs, error logs, SSL logs) and internet proxy logs, at least for internet-accessible servers and applications, in order to support digital forensic investigations.

References:
[1] https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks
[2] https://www.cyber.gov.au/threats/advisory-2020-004-telerik
[3] https://www.cyber.gov.au/threats/advisory-2020-006-active-exploitation-vulnerability-microsoft-internet-information-services
[4] https://www.cyber.gov.au/publications/essential-eight-explained
[5] https://www.cyber.gov.au/publications/windows-event-logging-and-forwarding
