There is currently a large-scale cyber intrusion that appears to be aimed at Australia’s government and private sector. The scale of this sophisticated attack is enormous, and every business that runs internet-facing systems is a potential target.
What are the details of this massive attack?
According to ACSC, “The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI. Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.”
The actor is able to quickly turn public exploit proof-of-concepts against networks of interest, and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to hit quickly when future vulnerabilities are released. Where that doesn’t work, the actor falls back to spear phishing, including links that harvest login credentials, emails carrying malicious files (either via links or direct attachments), links granting Office 365 access, and email behaviour tracking.
Once initial access is achieved, the actor uses the stolen credentials to give themselves legitimate remote access. From there, legitimate Australian websites are compromised and used as command and control servers. Command and control was conducted primarily through web shells over HTTP/HTTPS traffic. Because the traffic goes to real Australian sites over ordinary web protocols, geo-blocking is ineffective and the malicious traffic looks legitimate during investigations.
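Because the command and control rides on a compromised legitimate site over ordinary HTTPS, the web server’s own access log is one of the few places the activity stands out: a web shell is driven by POST requests to a script path that nobody browses to normally. The following added example (not from the original post or the ACSC advisory) runs that heuristic over constructed IIS W3C log lines; the log contents, paths, addresses and thresholds are all assumptions.

```python
"""Flag web-shell-like POST activity in IIS W3C access logs (added heuristic example)."""
from collections import defaultdict

# Constructed sample log in IIS W3C extended format (not real data).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status
2020-06-15 09:00:01 10.0.0.5 GET /index.aspx - 443 203.0.113.10 Mozilla/5.0 https://www.example.com.au/ 200
2020-06-15 09:00:03 10.0.0.5 GET /news/default.aspx id=3 443 203.0.113.11 Mozilla/5.0 https://www.example.com.au/index.aspx 200
2020-06-15 09:01:10 10.0.0.5 POST /contact.aspx - 443 203.0.113.12 Mozilla/5.0 https://www.example.com.au/contact.aspx 200
2020-06-15 09:02:00 10.0.0.5 POST /images/logo.aspx - 443 198.51.100.7 python-requests/2.23 - 200
2020-06-15 09:02:04 10.0.0.5 POST /images/logo.aspx cmd=1 443 198.51.100.7 python-requests/2.23 - 200
2020-06-15 09:02:09 10.0.0.5 POST /images/logo.aspx - 443 198.51.100.7 python-requests/2.23 - 200
2020-06-15 09:03:00 10.0.0.5 GET /index.aspx - 443 203.0.113.13 Mozilla/5.0 - 200
"""

SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp")

def parse_w3c(text):
    """Yield one dict per request, using the #Fields: header as the key list."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def suspicious_uris(entries, min_posts=3):
    """Script paths that only ever receive referer-less POSTs from very few clients."""
    stats = defaultdict(lambda: {"posts": 0, "gets": 0, "ips": set(), "no_ref": 0})
    for e in entries:
        uri = e["cs-uri-stem"].lower()
        if not uri.endswith(SCRIPT_EXT):
            continue
        s = stats[uri]
        if e["cs-method"] == "POST":
            s["posts"] += 1
            s["ips"].add(e["c-ip"])
            s["no_ref"] += e["cs(Referer)"] == "-"
        elif e["cs-method"] == "GET":
            s["gets"] += 1
    # A web shell is operated by POSTs only: no normal GET browsing, no in-site
    # Referer header, and usually a single operator address. Threshold is an assumption.
    return sorted(u for u, s in stats.items()
                  if s["posts"] >= min_posts and s["gets"] == 0
                  and s["no_ref"] == s["posts"] and len(s["ips"]) <= 2)

def scan(text):
    return suspicious_uris(parse_w3c(text))

if __name__ == "__main__":
    for uri in scan(SAMPLE_LOG):
        print("review this path:", uri)
```

A hit is a lead to review (check the file’s creation time and contents), not proof of compromise; legitimate API endpoints can look similar, so tune the thresholds to your own site.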
We don’t know what exactly they plan to do with this control yet, as the ACSC has not identified any intent to carry out any disruptive or destructive activities within victim environments, but it’s clear that they’re certainly up to no good.
How can you protect yourself and your business from this massive cyber attack?
We’ve discussed these vulnerabilities in the past: 8 of the 10 most exploited bugs in 2019 were in Microsoft products. That is not because Microsoft products are uniquely flawed; it is because people and businesses don’t regularly update them, which leaves a sort of “back door” through which these attacks get in and reach your data. So first and foremost, you must ensure that all of your software and operating systems are up to date and running the latest versions. If patches are available, apply them right away.
Additionally, this is a good reminder to use Multi-Factor Authentication. This particular attack works by using stolen credentials to log in to internal systems as if the actor were a legitimate user, which could be avoided if Multi-Factor Authentication were required for all system logins. The ACSC recommends that all internet-accessible remote access services implement Multi-Factor Authentication.
Most people and businesses don’t know they are at risk until it’s too late. If you want to put your systems to the test, we recommend Penetration Testing, where a dedicated security team finds the flaws and backdoors in your systems by attempting to break into them.
This is a very large scale cyber attack, but if you follow all of the recommendations above, you’ll be in very good shape.
Be safe out there, until next Malware Monday…