Prime Minister Scott Morrison has formally addressed Australia this morning, stating that Australian organisations are being targeted by a sophisticated state-based actor. The Government has attributed the ongoing malicious activity to a nation state actor because of the scale and nature of the targeting and the tradecraft being used. [1]
As stated, this activity is not new, but it is increasing. Since the beginning of the year NCC Group has been detecting and responding to a number of the attack vectors published in ACSC Advisory 2020-008: Copy-Paste Compromises [2] [3], including the following Common Vulnerabilities and Exposures (CVEs):
- Telerik UI - CVE-2019-18935 [4]
- Citrix Products - CVE-2019-19781 [5]
- Microsoft SharePoint - CVE-2019-0604 [6]
All exploits utilised by the actor in the course of the released campaigns were publicly known and had patches or mitigations available. Our Security Operations Center (SOC) had the advisories and other Indicators of Compromise (IoCs) in our detection capability, and we continue to update and contribute to our global threat intelligence capability [7].
These attacks harm Australia’s economic interests, and as stated by the PM, it is important that all Australians are aware of them and take steps to protect their own networks.
To expand on the ACSC recommendations, it is important that all Australian businesses take the following steps:
- Ensure that security patches or mitigations are applied to internet-facing infrastructure within 48 hours;
- Implement Multi-Factor Authentication for all internet-accessible remote access services and where not supported apply strict access controls;
- Conduct vulnerability assessments and penetration testing of internet-facing systems and hardware [8] [9];
- Deliver security awareness training regarding targeted phishing attacks to your employees [10] [11];
- Implement an effective cyber incident response capability [12].
As addressed by Linda Reynolds, the Minister for Defence, alongside the Prime Minister this morning, businesses should consider becoming an ACSC partner in order to receive the latest information to protect their organisations online. Additionally, organisations should monitor multiple vulnerability advisory websites, and their vendors’ websites, for any software used within the organisation. The ACSC threat advisory website can be monitored at https://www.cyber.gov.au/threats.
Most importantly, if your organisation suspects it has been compromised, call our Australian emergency incident response hotline on 1800 975 310 or +61 (0)2 8379 7870.
If you have any concerns or need help and advice implementing any of these recommendations, please contact us on +61 (0) 2 9552 4451 or email us at apac@nccgroup.com.
[1] The Government says 'sophisticated' cyber-attacks are routinely carried out against all levels of government, industry and business. To watch the PM’s announcement visit: https://www.abc.net.au/news/2020-06-19/scott-morrison-cyber-attack-presser-australia/12372854
[2] ACSC Advisory 2020-008: Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks. For more information visit: https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks
[3] ACSC Advisory 2020-008: Copy-paste compromises. For more detailed information visit:
[4] Telerik UI - CVE-2019-18935 - Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.) For more information visit:
https://nvd.nist.gov/vuln/detail/CVE-2019-18935
[5] Citrix Products - CVE-2019-19781
An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow directory traversal and are actively being exploited over the Internet to compromise affected products. For more information visit:
https://nvd.nist.gov/vuln/detail/CVE-2019-19781
[6] Microsoft SharePoint - CVE-2019-0604
A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. For more information visit:
https://nvd.nist.gov/vuln/detail/CVE-2019-0604
[7] Our expert threat intelligence services provide information on which threat actors are out there, what their intent is and which tactics, techniques and procedures they use to execute attacks. Our services include: Open Source Intelligence collection and analysis on personnel, threat actors or organisation-related data and information; Darkweb Intelligence collection and analysis to support an organisation's defensive operations; and Cyber Intelligence collection and analysis on emerging indicators of compromise or threat actor behaviour. For more information visit:
https://www.nccgroup.com/au/our-services/cyber-security/threat-intelligence/
[8] Our Online Cyberstore has quick and easy ways to be up and running with initial external network vulnerability scanning. For more information visit:
https://cyberstore.nccgroup.com/our-services/service-details/69/external-network-scanning
[9] Our technical security assessment and penetration testing services support identifying all vulnerabilities mentioned and more. We can help you mitigate the threat of a cyberattack. You can call us on +61 (0) 2 9552 4451 or email us at apac@nccgroup.com. For more information visit:
https://www.nccgroup.com/au/our-services/security-consulting/technical-security-consulting/penetration-testing/
[10] Our cyber security training and awareness programme will take people from being unaware of cyber security and how they are supposed to behave to the point where they are proactively behaving in a way that reduces the people risk element of cyber security. For more information visit:
To help raise cyber security awareness within your organisation in relation to these attacks, you need to understand your staff’s susceptibility to phishing. Consider our consultant-led phishing simulation. You can call us on +61 (0) 2 9552 4451 or email us at apac@nccgroup.com.
[11] To further understand the targeted phishing attacks we recommend reading ACSC’s detailed PDF advisory from page 7. In summary, it describes:
T1192 – Spearphishing Link
- The actor attempted to steal credentials for target networks by using a spearphishing link to an HTML form-based credential harvesting web page owned and controlled by the actor. The actor attempted to hide the final destination of the credential harvesting page from email recipients by abusing open URL redirects.
- Links to malicious PowerPoint files: the actor also sent spearphishing emails to a small number of users on target networks, enticing them to download a malicious Microsoft PowerPoint document hosted within Dropbox and OneDrive.
- Links to OAuth token theft applications: when other Spearphishing Link and Spearphishing Attachment sub-techniques were unsuccessful, the actor sent links intended to trick users into granting an OAuth token to the actor. This token would then allow the actor access to the user’s Office 365 Outlook email.
T1193 – Spearphishing Attachment
- The actor utilised spearphishing emails with the malicious PowerPoint file attached to the email.
[12] We can help with incident response services, specifically incident response planning and our retained incident response capability; visit the links below respectively.
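As an added illustration of the open URL redirect trick described under T1192 (this is example code written for this post, not from the ACSC advisory or NCC Group's tooling), the following Python check flags e-mail links whose query string carries a second absolute URL pointing at a different host, which is how a trusted-looking redirector hides the real credential-harvesting destination. All host names and the sample e-mail body are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Added example, not from the ACSC advisory or NCC Group. Flags the T1192 trick of
# hiding a credential-harvesting page behind an open URL redirect on a trusted host.
# All host names and the sample e-mail body below are constructed placeholders.

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def hidden_destination(url: str):
    """Return the host a redirect-abuse link really leads to, or None.

    The visible host of https://trusted.example/redir?url=https://bad.example/login
    is the trusted one, but one query value is itself an absolute URL pointing at a
    different host. parse_qs percent-decodes once; unquote strips a second layer of
    encoding, which redirectors frequently receive.
    """
    outer = urlparse(url)
    for values in parse_qs(outer.query, keep_blank_values=True).values():
        for value in values:
            inner = urlparse(unquote(value))
            if (inner.scheme in ("http", "https") and inner.hostname
                    and inner.hostname != outer.hostname):
                return inner.hostname
    return None


def scan_body(body: str):
    """Return (link, hidden_host) for each link in an e-mail body that hides its target."""
    findings = []
    for link in URL_RE.findall(body):
        host = hidden_destination(link)
        if host:
            findings.append((link, host))
    return findings


# Constructed sample body: a benign relative redirect, a same-host redirect and an
# encoded redirect to a look-alike webmail login page on another host.
SAMPLE_BODY = """Please re-validate your account:
https://portal.example.com/login?next=/dashboard
https://portal.example.com/go?to=https://portal.example.com/docs
https://portal.example.com/redirect?url=https%3A%2F%2Fharvest.example.net%2Fowa
"""

if __name__ == "__main__":
    for link, host in scan_body(SAMPLE_BODY):
        print(f"open-redirect abuse suspected: {link} -> {host}")
```

Only the third link is reported, because a relative `next=` value and a redirect back to the same host are both normal application behaviour.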