Large scale cyber campaign targeting Australian public and private sector

It has been announced that the Australian Government is responding to a sustained targeting of the Australian public and private sector by a sophisticated state-based actor. The Australian Cyber Security Centre (ACSC) has issued a warning to Australian organisations, to both be aware of this threat and take immediate steps to enhance the resilience of their networks.

In a nutshell the notice advises what organisations need to do in response to this government issued public warning. Given the highly public nature of this warning (coming from the Prime Minister’s Office and Minister for Defence) we recommend that all organisations pass this warning to the C level team or your managed service provider like Go Systems to action.

The ACSC public warning of current cyber threat.

The Australian Government has explained that it is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.

The ACSC’s investigations have labelled this cyber campaign as “copy-paste compromises”. The threat actor is understood to be utilising tools copied from open source, to leverage a number of initial access vectors.

The threat actor has been observed to be targeting public-facing infrastructure, particularly through vulnerabilities in unpatched versions of Telerik UI, Microsoft Internet Information Services, 2019 SharePoint plus 2019 Citrix.

There is also evidence that the threat actor is utilising ‘spear phishing’ techniques, including:

  • links to credential harvesting websites;
  • emails with links to malicious files, or with the malicious file directly attached;
  • links prompting users to grant Office 365 OAuth tokens to the actor; and
  • use of email tracking services to identify the email opening and lure click-through events.

Consistent with its mission of supporting the private sector enhance its resilience against cyber risk, the ACSC has provided the community with a list of indicators of compromise detailing the tactics, techniques and procedures identified. This is so that steps can be taken to prevent against identified cyber risk, which we set out below.

We also recommend that any active cyber incident investigations have regard to this public issued warning to identify whether activity can be linked to this notice, and ensure appropriate action is taken. This may include contacting the ACSC for further assistance, through the online reporting portal: https://www.cyber.gov.au/report

What do organisations need to do?

The ACSC has recommended the following two key risk mitigation steps which organisations should implement now to reduce the risk of compromise:

  • Patch internet-facing software, operating systems and devices within the next 48 hours – All exploits used by the actor in the course of its campaign are publicly known and there are patches or mitigation steps available. Where possible, use the latest versions of software and operating systems.
  • Use multi-factor authentication across all remote access services – Multi-factor authentication needs to be applied to all internet-accessible remote access services, including:
  • Web and cloud-based email, including Microsoft Office 365;
  • Collaboration platforms;
  • Virtual private network connections; and
  • Remote desktop services.

Additional to this, the ACSC strong also recommends

  • implementing the remainder of the Australian Signals Directorate Essential 8 controls; and
  • implementing and reviewing its guidance on Windows Event Logging and Forwarding and System Monitoring. A lack of comprehensive logging can reduce the overall effectiveness and speed of incident containment and investigation.

For more information you can go to:

  • For the complete advisory: https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks
  • For assistance in the protection of information: https://www.cyber.gov.au/ism
  • For further strategies to mitigate cyber security incidents: https://www.cyber.gov.au/publications/strategies-to-mitigate-cyber-security-incidents