CYBER ATTACKS - AUSTRALIA (Analysis)

Sophisticated attacks from ‘State-based actor’

Abstract

This initial report/analysis attempts to knuckle down and summarise the Prime Minister's press conference on the sophisticated attacks on Australian government and organisations by a 'state-based actor'. It also reviews Australia's foreign relations with China, which have given rise to speculation, security-expert discourse and news reports. Finally, it describes the ACSC's advisory and provides an easy-to-grasp summary of the detection and mitigation recommendations that organisations should adopt to improve their current security posture.

ACSC Advisory 2020-008

Status: The Australian government is currently responding to sustained targeting of government and companies by a sophisticated state-based actor.

The state-based actor uses 'copy-paste compromise' TTPs: exploit code, web shells and other tools copied almost identically from open source.

PM News Conference

In the briefing on 19 June 2020, Prime Minister Scott Morrison did not name any specific state; however, from his statements many have concluded that the level of sophistication points to only a few countries that could be sponsoring such activity.

Speculation Background

Most recently, the rift in the Australia-China relationship after the COVID-19 outbreak, with Australia's demand for an independent inquiry (highlighted as a strategic victory when the draft motion passed in the World Health Assembly, backed by 116 of the assembly's 194 member states), has definitely made a dent in diplomatic relations.

Australia has ruled out that it is a trade war, even though China imposed barley tariffs right after the push for a coronavirus inquiry. Even before COVID-19, the blanket ban on Huawei/ZTE 5G equipment, despite the vendors' assurances, had already fuelled speculation against China.

The head of the Australian Strategic Policy Institute and a former senior defence official, Peter Jennings, told Guardian Australia: "There is one country that has the skill, depth of capacity and a real motive to want to do it and that is China".

But does this matter, and does it help ordinary people? Read my views below on why we should not draw any conclusions.

State Actor Attribution: Is it worth it?

Even though the PM has not attributed these attacks to a specific state, the speculation background presented earlier does, in a way, point fingers, so we have to ask some crucial questions:

  • Are these state actors a new phenomenon or business as usual?
  • Do we have to mention them in public?
  • What benefit will we reap by alerting the public? Can they do something about it?
  • Does the public know or care about the term "state-based actor"?

What I believe is that attribution at this stage is just a distraction; we should focus on defending our assets, and if there are indications and a strict note needs to be sent, that should be dealt with at the government level.

So let's refocus our energy on understanding and implementing the ACSC advisory below.

Let's evaluate ACSC Advisory 2020-008 and get prepared

As per the advisory, the name 'copy-paste compromise' is derived from the actor's heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source, the ACSC said.

1) Actor's Initial Access Vector

A) Most prominent is the exploitation of public-facing infrastructure, mainly through a remote code execution vulnerability in unpatched Telerik UI versions.

Telerik offers software tools for web, mobile and desktop application development, as well as tools and subscription services for cross-platform application development. As the state-based actor is exploiting a remote code execution vulnerability, the following latest releases should be examined, especially where remote support is one of the application requirements:

i) Telerik UI for ASP.NET Core & Telerik UI for ASP.NET MVC

ii) Kendo UI for jQuery

Please review the release below for further information.

Telerik UI Latest Release R2 2020

B) The exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability. Follow the links below for these vulnerabilities and review your systems to make sure your organisation has not been exploited through these known vulnerabilities:

i) Deserialisation Vulnerability Advisory

ii) 2019 SharePoint Vulnerability

iii) 2019 Citrix Vulnerability

The actor has demonstrated the ability to leverage public exploitation proofs-of-concept to target networks of interest, and regularly probes target networks for vulnerable services.

The actor maintains a list of public-facing services and swiftly targets them as soon as a new exploitable vulnerability is released. Organisations are usually slow to respond and sometimes leave their systems vulnerable for years.

As per the ACSC's statement, where the state actor did not succeed with its initial access vector, it fell back to phishing. The second part of the ACSC advisory therefore focuses on raising awareness of the actor's phishing attacks, which are the most common method of attack.

2) Actor's Spear Phishing Techniques

As phishing is the most common method employed by any threat actor, the increase in attack frequency relates to:

  • links to credential harvesting websites
  • emails with links to malicious files, or with the malicious file directly attached
  • links prompting users to grant Office 365 OAuth tokens to the actor
  • use of email tracking services to identify email-opening and lure click-through events.
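The third bullet (links prompting users to grant Office 365 OAuth tokens to the actor) leaves a trace defenders can hunt for: the consent grant itself. The following is an added example, not from the article or the ACSC advisory; it parses constructed consent-grant events (the JSON field names, the approved-app list and the risky-scope set are assumptions) and flags grants to apps outside the tenant's approved list that request high-impact Microsoft Graph scopes or come from an unverified publisher.

```python
import json

# High-impact Microsoft Graph delegated scopes: an app granted these can read the
# user's mail and files and, with offline_access, keep a refresh token that
# outlives the phishing session.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                "User.Read.All", "offline_access"}

def parse_consent_events(lines):
    """Parse newline-delimited JSON consent-grant events (constructed schema)."""
    events = []
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            rec["scopes"] = set(rec.get("scopes", "").split())
            events.append(rec)
    return events

def risky_consents(events, approved_app_ids):
    """Flag grants to apps outside the tenant's approved list that request a
    risky scope or come from an unverified publisher."""
    flagged = []
    for ev in events:
        if ev["app_id"] in approved_app_ids:
            continue
        risky = ev["scopes"] & RISKY_SCOPES
        verified = ev.get("publisher_verified", False)
        if risky or not verified:
            flagged.append({"user": ev["user"], "app": ev["app_display_name"],
                            "app_id": ev["app_id"], "risky_scopes": sorted(risky),
                            "publisher_verified": verified})
    return flagged

# Constructed sample events, not real tenant data.
SAMPLE_LOG = """
{"time":"2020-06-19T01:12:03Z","user":"alice@example.gov.au","app_display_name":"Mail Sync Helper","app_id":"11111111-1111-1111-1111-111111111111","publisher_verified":false,"scopes":"Mail.Read offline_access User.Read"}
{"time":"2020-06-19T01:15:44Z","user":"bob@example.gov.au","app_display_name":"Corporate Intranet","app_id":"22222222-2222-2222-2222-222222222222","publisher_verified":true,"scopes":"User.Read"}
{"time":"2020-06-19T02:01:10Z","user":"carol@example.gov.au","app_display_name":"Calendar Viewer","app_id":"33333333-3333-3333-3333-333333333333","publisher_verified":true,"scopes":"Calendars.Read"}
"""

# App IDs the tenant has already reviewed (constructed).
APPROVED_APPS = {"22222222-2222-2222-2222-222222222222"}

if __name__ == "__main__":
    for hit in risky_consents(parse_consent_events(SAMPLE_LOG.splitlines()), APPROVED_APPS):
        print(hit)
```

Only the unverified "Mail Sync Helper" grant is flagged; the approved intranet app is skipped and the verified calendar app requests no risky scope.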

To understand phishing in detail (its techniques, and how to identify and mitigate it), please review my article at the following link:

Learn to Avoid Phishing Hooks

Once spear phishing is successful, the actor utilises open-source and custom tools to persist on and interact with the victim's network, and to establish command and control without being detected.

The actor was identified interacting with victim networks using compromised legitimate Australian websites as command and control servers. Command and control was carried out mainly using web shells and HTTP/HTTPS traffic.
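Because the command and control described above rides on ordinary HTTP/HTTPS to web shells planted on legitimate sites, the site's own web server logs are the first place to look. The following is an added example, not from the article or the ACSC advisory: a heuristic over constructed IIS W3C log lines that surfaces script paths behaving like a web shell (almost only POSTed to, with no Referer because nothing on the site links to them, from a handful of client IPs). The field layout, thresholds and sample paths are assumptions.

```python
from collections import defaultdict

# Field order assumed for the constructed sample below; real IIS logs declare
# their own order in a "#Fields:" header, which the parser honours.
DEFAULT_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
                  "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
                  "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

def parse_iis_log(text):
    """Parse IIS W3C extended log text into a list of dicts keyed by field name."""
    fields, rows = DEFAULT_FIELDS, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def suspect_web_shells(rows, min_posts=3, script_exts=(".aspx", ".ashx", ".asmx")):
    """Return script paths that look like web shells: at least min_posts POSTs,
    every POST without a Referer, >=90% of hits are POSTs, and <=2 client IPs."""
    stats = defaultdict(lambda: {"posts": 0, "total": 0, "no_ref": 0, "ips": set()})
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if not stem.endswith(script_exts):
            continue
        s = stats[stem]
        s["total"] += 1
        s["ips"].add(r["c-ip"])
        if r["cs-method"] == "POST":
            s["posts"] += 1
            if r["cs(Referer)"] == "-":
                s["no_ref"] += 1
    return sorted(stem for stem, s in stats.items()
                  if s["posts"] >= min_posts and s["no_ref"] == s["posts"]
                  and s["posts"] / s["total"] >= 0.9 and len(s["ips"]) <= 2)

# Constructed sample log (not from any real server); "-" means an empty field.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-06-19 01:00:01 10.0.0.5 GET /default.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 15
2020-06-19 01:00:02 10.0.0.5 POST /login.aspx - 443 - 203.0.113.10 Mozilla/5.0 https://www.example.gov.au/default.aspx 302 0 0 40
2020-06-19 01:00:09 10.0.0.5 POST /images/ver.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 120
2020-06-19 01:00:31 10.0.0.5 POST /images/ver.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 95
2020-06-19 01:01:02 10.0.0.5 POST /images/ver.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 101
"""

if __name__ == "__main__":
    print(suspect_web_shells(parse_iis_log(SAMPLE_LOG)))
```

The legitimate login form is not flagged because its POST carries a Referer from the site itself; tune min_posts and the IP limit to the site's traffic before relying on the output.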

During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.

3) Detection and Mitigation Recommendations

Other than the detection and mitigation recommendation shared above (patching internet-facing applications, operating systems and devices), the following are from the Essential Eight, which the ACSC highly recommends and which your organisation should evaluate and implement. My top 3 recommended, must-have essentials are:

  • Application control: prevent all non-approved applications from executing, especially on systems where users have been allowed installation privileges. The policy should be reviewed and stricter control implemented.
  • Multi-factor authentication: this means stronger user authentication, which may include an application-generated code, a hardware-based key or an SMS to your phone, in addition to your credentials (username/password). VPN (Virtual Private Network), RDP (Remote Desktop Protocol), SSH (Secure Shell) or any other remote access should require multi-factor authentication, especially when privileged users access your critical and sensitive data.
  • Patch applications: review all applications and ensure the latest versions are in use. Any apps that are old and obsolete, where support is no longer available from the vendor, should be decommissioned. All apps should be patched within 48 hours of a patch's release.

For further details on the Essential Eight, follow the link below to the ACSC's recommendations:

Essential Eight

4) ACSC's Recommendations for General MITRE ATT&CK Techniques

The ACSC further recommends reviewing general ATT&CK techniques for detection and mitigation, and consulting the 'Mitigations', 'Data Sources' and 'Detection' sections of each MITRE ATT&CK technique web page.

For mitigations: https://attack.mitre.org/mitigations/enterprise/

For data sources: https://attack.mitre.org/docs/attack_roadmap_2019.pdf, which defines 12 data sources and shows the techniques each of them might be able to detect with the right collection and analytics.

For the ACSC's detailed advisory on indicators of compromise and code examples, the full list of indicators of compromise and associated signatures is available in the associated indicators released under the 2020-008 identifier.

Summary

To summarise, 'state-based actors' are always a threat and are consistently looking to infiltrate government entities for evident reasons. As security experts, we should focus our energies on securing networks, defending against and mitigating incidents, and upgrading our resources to counter these sophisticated attacks, and leave the 'state-based actor' issue to the government's relevant agencies.

Adnan Sattar

Business Architect, Head of services portfolio and strategic engagements - ENR Industries

Why assume it’s a “state based actor”..
