It has been announced that the Australian Government is responding to a sustained targeting of the Australian public and private sector by a sophisticated state-based actor. The Australian Cyber Security Centre (ACSC) has issued a warning to Australian organisations, to both be aware of this threat and take immediate steps to enhance the resilience of their networks.
We set out below a summary of the notice and what organisations need to do in response to this government issued public warning. Given the highly public nature of this warning (coming from the Prime Minister's Office and Minister for Defence) we recommend that all organisations pass this warning to their IT team or managed service provider for actioning.
ACSC public warning of cyber threat
The Australian Government has explained that it is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.
The ACSC's investigations have labelled this cyber campaign as "copy-paste compromises". The threat actor is understood to be utilising tools copied from open source, to leverage a number of initial access vectors.
The threat actor has been observed to be targeting public-facing infrastructure, particularly through vulnerabilities in unpatched versions of Telerik UI, Microsoft Internet Information Services, 2019 SharePoint and 2019 Citrix.
There is also evidence that the threat actor is utilising 'spearphishing' techniques, including:
- links to credential harvesting websites;
- emails with links to malicious files, or with the malicious file directly attached;
- links prompting users to grant Office 365 OAuth tokens to the actor; and
- use of email tracking services to identify the email opening and lure click-through events.
Consistent with its mission of supporting the private sector enhance its resilience against cyber risk, the ACSC has provided the community with a list of indicators of compromise detailing the tactics, techniques and procedures identified. This is so that steps can be taken to prevent against identified cyber risk, which we set out below.
We also recommend that any active cyber incident investigations have regard to this public issued warning to identify whether activity can be linked to this notice, and ensure appropriate action is taken. This may include contacting the ACSC for further assistance, through the online reporting portal: https://www.cyber.gov.au/report.
What do organisations need to do?
The ACSC has recommended the following two key risk mitigation steps which organisations should implement now to reduce the risk of compromise:
- Patch internet-facing software, operating systems and devices within the next 48 hours - All exploits used by the actor in the course of its campaign are publicly known and there are patches or mitigation steps available. Where possible, use the latest versions of software and operating systems.
- Use multi-factor authentication across all remote
access services - Multi-factor authentication needs to be
applied to all internet-accessible remote access services,
- web and cloud-based email, including Microsoft Office 365;
- collaboration platforms;
- virtual private network connections; and
- remote desktop services.
Beyond this, the ACSC strongly recommends:
- implementing the remainder of the Australian Signals Directorate Essential Eight controls; and
- implementing and reviewing its guidance on Windows Event Logging and Forwarding and System Monitoring. A lack of comprehensive logging can reduce the overall effectiveness and speed of incident containment and investigation.
More information is available here:
- For the complete advisory: https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks
- For assistance in the protection of information: https://www.cyber.gov.au/ism
- For further strategies to mitigate cyber security incidents: https://www.cyber.gov.au/publications/strategies-to-mitigate-cyber-security-incidents
Thanks to Emily Wood for her contributions to this article.
Originally published JUNE 19 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.