Multiple IT network infrastructures that belong to the Australian government and private sector organizations have been targeted by a large-scale cyber attack seeking to disrupt the work of the government as well as the operations of the essential service providers.
The Australian Cyber Security Centre (ACSC) has revealed the tactics, techniques and procedures (TTPs) identified during its investigation.
This advisory aims to share the TTPs with Sri Lankan/South Asian organizations in order to help them take the necessary precautionary actions against these types of large-scale cyber security incidents.
In this incident, the attackers have leveraged a number of initial access vectors including:
- Remote code execution vulnerability in unpatched versions of Telerik UI – CVE-2019-18935
- De-serialisation vulnerability in Microsoft Internet Information Services (IIS) (Reference 03)
- Microsoft SharePoint vulnerability – CVE-2019-0604
- Remote code execution vulnerability in Citrix Application Delivery Controller and Citrix Gateway – CVE-2019-19781
Further, the attackers have also used various spear-phishing techniques such as:
- Links to credential harvesting websites
- Emails with links to malicious files, or with the malicious file directly attached
- Links prompting users to grant Office 365 OAuth tokens to the actor
- Use of email tracking services to identify the email opening and lure click-through events.
Whenever possible, the attackers have migrated to legitimate remote access using stolen credentials in order to avoid or minimize detection of their presence by security monitoring solutions. Once access is obtained, the attackers have primarily used HTTP/HTTPS traffic for command and control.
Recommendations
As key mitigation techniques, the following recommendations have been proposed:
- Patch all internet-facing operating systems, applications and devices with the latest security updates.
- Apply multi-factor authentication to all internet-accessible remote access services.
Additionally, the recommendations listed below shall also be implemented:
- Apply necessary controls to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
- Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
- Harden operating systems and applications. For example, configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
- Restrict administrative privileges based on the least privilege principle.
- Maintain regular backups (daily, weekly) of important new/changed data, software and configuration settings, stored disconnected and retained for at least three months.
In addition to the above, it is essential to enable logging, including operating system logs (Microsoft Windows event logs), web server logs (access logs, error logs, SSL logs) and internet proxy logs, at least for internet-accessible servers and applications, in order to support digital forensic investigations.
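To show how the web server logs recommended above support an investigation, the following added example (not part of the original advisory or ACSC material) parses IIS W3C access logs and lists the clients that sent POST requests to the Telerik UI upload handler. The handler path, the `type=rau` query value and the function name are assumptions based on public reporting on CVE-2019-18935, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample IIS W3C log (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-06-01 02:11:40 GET /default.aspx - 198.51.100.7 200
2020-06-01 02:13:05 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 200
2020-06-01 02:13:09 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 500
2020-06-01 02:14:00 GET /Telerik.Web.UI.WebResource.axd type=css 198.51.100.7 200
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-06-01 03:00:00 203.0.113.9 POST /app/Telerik.Web.UI.WebResource.axd type=rau&x=1 200
"""

# Assumption: POSTs to the upload handler are the events worth reviewing.
STEM = re.compile(r"/telerik\.web\.ui\.webresource\.axd$", re.I)
QUERY = re.compile(r"(^|&)type=rau(&|$)", re.I)

def find_upload_handler_posts(log_text):
    """Return {client_ip: [(timestamp, status), ...]} for POSTs to the handler."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # truncated or malformed entry
        row = dict(zip(fields, parts))
        if (row.get("cs-method") == "POST"
                and STEM.search(row.get("cs-uri-stem", ""))
                and QUERY.search(row.get("cs-uri-query", ""))):
            hits[row.get("c-ip", "?")].append(
                (f"{row.get('date')} {row.get('time')}", row.get("sc-status")))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in find_upload_handler_posts(SAMPLE_LOG).items():
        print(ip, len(events), events)
```

Legitimate uploads through the same control produce identical requests, so each hit is a lead to correlate with patch level, file-system changes and proxy logs rather than proof of compromise.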
References
- https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks
- https://www.cyber.gov.au/threats/advisory-2020-004-telerik
- https://www.cyber.gov.au/threats/advisory-2020-006-active-exploitation-vulnerability-microsoft-internet-information-services