Australia targeted by ‘sophisticated state-sponsored’ cyber attack

Scott Morrison, the country's prime minister, says the attacks have targeted all levels of the government - as well as political organisations, essential service providers and operators of other critical infrastructure.

"We know it is a sophisticated state-sponsored cyber actor because of the scale and nature of the targeting," he said at a news conference.

Mr Morrison has stopped short of naming the country responsible for this "malicious" activity, but warned: "There are not a large number of state-based actors that can engage in this type of activity."

This has been interpreted as a coded reference to China, which the Australian government reportedly suspects of being behind the attacks.

An advisory note posted on the government’s Australian Cyber Security Centre website describes the attack as a “cyber campaign targeting Australian networks”.

The advisory says the attackers are primarily using “remote code execution vulnerability” to target Australian networks and systems. Remote code execution is a common class of vulnerability that lets an attacker run code of their own choosing on a vulnerable system, such as a server or database, without needing physical or local access to it.

The attackers would not only try to steal information but also attempt to run malicious code that could damage or disable the systems under attack.

Detecting such intrusions is hard, and defending against them requires measures such as penetration testing, in which trained security professionals known as “ethical hackers” attempt to break into a system in order to find potential vulnerabilities before a real attacker does.

Advisory 2020-008: Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks

Overview
This advisory details the tactics, techniques and procedures (TTPs) identified during the Australian Cyber Security Centre’s (ACSC) investigation of a cyber campaign targeting Australian networks. These TTPs are captured in the frame of tactics and techniques outlined in the MITRE ATT&CK framework.

Campaign summary
The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.

The title ‘Copy-paste compromises’ is derived from the actor’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.

The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of a remote code execution vulnerability in unpatched versions of Telerik UI. Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.

The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.

When the exploitation of public-facing infrastructure did not succeed, the ACSC has identified the actor utilising various spearphishing techniques. This spearphishing has taken the form of:

  • links to credential harvesting websites
  • emails with links to malicious files, or with the malicious file directly attached
  • links prompting users to grant Office 365 OAuth tokens to the actor
  • use of email tracking services to identify the email opening and lure click-through events.

Once initial access is achieved, the actor utilised a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials. To successfully respond to a related compromise, all accesses must be identified and removed.

In interacting with victim networks, the actor was identified making use of compromised legitimate Australian web sites as command and control servers. Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic. This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations.
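The geo-blocking point above is worth operationalising for defenders: when command and control rides on compromised local websites, destination country and reputation filters say nothing, but the timing of the traffic still does. The following is an added example, not code from the advisory or the ACSC; the log format, client addresses and .au hostnames are constructed placeholders, and it flags (client, host) pairs whose request gaps are almost constant.

```python
# Added example (not from the ACSC advisory): behavioural beacon detection over
# constructed proxy log lines. Because the C2 hosts are compromised Australian
# sites, geo-blocking passes them; per-pair request timing is checked instead.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <client> <method> <host><path>".
# A steady five-minute POST cadence to an ordinary-looking .au host is the
# signal; a human browsing session on another .au host is the control.
SAMPLE_LOG = """\
2020-06-19T09:00:00 10.0.0.5 POST example-shop.com.au/images/logo.aspx
2020-06-19T09:05:01 10.0.0.5 POST example-shop.com.au/images/logo.aspx
2020-06-19T09:10:00 10.0.0.5 POST example-shop.com.au/images/logo.aspx
2020-06-19T09:14:59 10.0.0.5 POST example-shop.com.au/images/logo.aspx
2020-06-19T09:20:00 10.0.0.5 POST example-shop.com.au/images/logo.aspx
2020-06-19T09:01:12 10.0.0.7 GET news.example.com.au/
2020-06-19T09:03:40 10.0.0.7 GET news.example.com.au/story/1
2020-06-19T09:31:05 10.0.0.7 GET news.example.com.au/story/2
2020-06-19T09:32:09 10.0.0.7 POST news.example.com.au/comment
"""

def parse(log_text):
    """Yield (timestamp, client, method, host) for each constructed log line."""
    for line in log_text.splitlines():
        ts, client, method, url = line.split()
        yield datetime.fromisoformat(ts), client, method, url.split("/", 1)[0]

def find_beacons(log_text, min_requests=4, max_cv=0.05):
    """Return {(client, host): period_seconds} for pairs whose inter-request
    gaps are nearly constant (coefficient of variation <= max_cv)."""
    by_pair = defaultdict(list)
    for ts, client, _method, host in parse(log_text):
        by_pair[(client, host)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[pair] = round(avg)
    return hits

if __name__ == "__main__":
    for (client, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: ~{period}s beacon period")
```

Real implants add jitter, so in production the threshold and window should be tuned against the organisation's own baseline rather than the value used here.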

During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.

EU grants €38 million for protection of critical infrastructure against cyber threats

The Commission announced today that it is committing more than €38 million, through Horizon 2020, the EU's research and innovation programme, to support several innovative projects in the field of protection of critical infrastructure against cyber and physical threats and making cities smarter and safer.

Mariya Gabriel, Commissioner for Innovation, Research, Culture, Education and Youth, said, "Over the past years we have offered our support to research and innovation actions in the area of cybersecurity that contribute to better protecting key infrastructure and the people living in European smart cities. I am pleased that today we are able to offer yet another significant amount of funding through Horizon 2020 towards security, privacy and threat mitigating solutions.”

Thierry Breton, Commissioner for Internal Market, added, "Securing network and information systems and enhancing cyber resilience are key for shaping Europe's digital future. As we are faced with a diverse array of cybersecurity threats, the EU is taking concrete measures to protect critical infrastructures, cities and citizens. More investments at EU and national level in innovative cybersecurity technologies and solutions are of paramount importance to strengthen EU's resilience to cyberattacks."

Three projects (SAFETY4RAILS, 7SHIELD and ENSURESEC) will work to improve prevention, detection, response and mitigation of cyber and physical threats for metro and railway networks, ground space infrastructure and satellites, as well as e-commerce and delivery services. Two additional projects (IMPETUS and S4ALLCITIES) aim at enhancing the resilience of cities' infrastructures and services and protecting citizens in case of security incidents in public spaces.

The projects are expected to start between June and October 2020 and will run for two years. The Research Executive Agency will manage the five selected projects and has finalised the preparation and signature of grant agreements with the beneficiaries.

The EU's financial contribution is provided in the form of grants that can be up to 100% of the project’s total budget. All projects were selected for funding under a competitive call for proposals, ‘Protecting the infrastructure of Europe and the people in the European smart cities’, under the Societal Challenge 7 ‘Secure societies’ launched on 14 March 2019.

The support is part of the EU's commitment to build a strong cybersecurity culture and enhanced capabilities to resist and respond effectively to potential cyber threats and attacks.