Experts Reaction On Australia Targeted By ‘Sophisticated’ Cyber Attack – By ‘State-based’ Actor

It has been reported that Australia is currently the target of a “sophisticated” cyber attack – and an unnamed foreign government is behind it. Scott Morrison, the country’s prime minister, says the attacks have targeted all levels of the government – as well as political organisations, essential service providers and operators of other critical infrastructure. “We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting,” he said at a news conference.

Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
InfoSec Expert
June 19, 2020 10:38 am

Cyber-attacks come in all forms, and the attacker defines the rules of their attack. In this case, the attacker has chosen to disrupt business and governmental activity in Australia. Ignoring speculation on the origins of the attack, its usage of multiple attack vectors makes it more sophisticated than you might experience with a standard phishing or ransomware attack.

The Australian Cyber Security Centre has identified the primary attack mode as an attempted exploitation of the Telerik UI ASP.Net vulnerability covered in CVE-2019-18935 which if successful provides the ability to remotely execute code on the now compromised web server. If this attack mode isn’t successful, the attacker attempts to exploit remote execution vulnerabilities in IIS, SharePoint and Citrix ADC and Citrix Gateway. Each attack mode uses available proof-of-concept exploit code for the relevant target software, and the attacker is reported to have an ability to identify orphaned, development and test instances of the vulnerable software. Should these primary modes yield no results, the attackers then move on to a more traditional spear-phishing attack.

From a defender’s perspective, having an attacker able to identify softer targets such as those in public facing development and test systems should be particularly concerning as these systems are often deployed outside of normal IT constraints and protections. They are also likely not subject to production monitoring and may not have a rigorous patch management program in place. An attack such as we’re seeing illustrates that attackers can discover weaknesses in organizations of all sizes. Having a comprehensive inventory of software assets is a cornerstone of most patch management strategies, but if that inventory doesn’t include all assets, including test systems, how they might be connected to a public network or if there are any latent vulnerabilities, then these coverage gaps can be exploited – it just takes additional sophistication.

Last edited 2 years ago by Tim Mackey
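The comment above argues that an asset inventory is only useful for patch management if it also covers public-facing development and test instances, their exposure, and whether they sit inside normal patching and monitoring. The following is an added example (not code from the page or from Synopsys) of a coverage-gap check over such an inventory; the inventory format, the host names, the installed versions and the "first fixed" version are all constructed placeholders, so the real fixed version for any product must come from the vendor's advisory.

```python
"""Coverage-gap check over a software asset inventory.

Added example, not from the page or any vendor. The inventory schema, host
names and version strings below are constructed for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    host: str
    environment: str                 # "prod", "dev" or "test"
    internet_facing: bool
    in_patch_scope: bool             # covered by the patch-management programme
    monitored: bool                  # feeds production monitoring / SIEM
    software: dict = field(default_factory=dict)   # product -> installed version


def parse_version(v: str) -> tuple:
    """Turn a dotted version string such as '2019.3.1023' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def find_gaps(inventory: list, fixed_versions: dict) -> list:
    """Return (host, reason) pairs for every internet-facing asset that sits
    outside normal controls or runs software below the vendor-fixed version.

    `fixed_versions` maps product name -> first version containing the fix.
    The demo values are placeholders, not real advisory data.
    """
    gaps = []
    for a in inventory:
        if not a.internet_facing:
            continue                     # only public-facing hosts are in scope here
        if a.environment != "prod":
            gaps.append((a.host, f"{a.environment} instance exposed to the internet"))
        if not a.in_patch_scope:
            gaps.append((a.host, "not covered by patch management"))
        if not a.monitored:
            gaps.append((a.host, "no production monitoring"))
        for product, installed in a.software.items():
            fixed = fixed_versions.get(product)
            if fixed and parse_version(installed) < parse_version(fixed):
                gaps.append((a.host, f"{product} {installed} below fixed version {fixed}"))
    return gaps


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    Asset("www.example.test", "prod", True, True, True,
          {"Telerik UI for ASP.NET AJAX": "2020.9.9"}),
    Asset("portal-dev.example.test", "dev", True, False, False,
          {"Telerik UI for ASP.NET AJAX": "2018.1.1"}),
    Asset("build.example.test", "test", False, False, False, {}),
]

# Placeholder "first fixed" version; take the real value from the vendor advisory.
SAMPLE_FIXED_VERSIONS = {"Telerik UI for ASP.NET AJAX": "2020.1.1"}

if __name__ == "__main__":
    for host, reason in find_gaps(SAMPLE_INVENTORY, SAMPLE_FIXED_VERSIONS):
        print(f"{host}: {reason}")
```

Run against the sample data, the production host passes every check and the build server is skipped because it is not internet-facing; only the exposed development instance is reported, once for each of the four gaps the comment describes (non-production exposure, no patch scope, no monitoring, outdated software).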
Ghian Oberholzer, Regional Vice President of TechOps – APAC
InfoSec Expert
June 19, 2020 10:46 am

The most alarming element of the multi-faceted cyber-attack launched on Australian organisations is the risk it poses to Australia’s critical infrastructure – the very services on which society depends including our water supply, power grids and telecommunications systems.

Cyber-attacks on businesses are damaging enough, but the impacts of a successful attack on any of these critical services could be catastrophic, such as shutting down the electricity grid.

Critical infrastructure often eludes the public’s attention as a major source of cyber risk, but it remains highly susceptible to targeted attacks, as past experience shows.

Earlier this year Israel’s wastewater treatment plants suffered a series of co-ordinated attacks. Fortunately, there was no significant damage. In 2015 an attack on Ukraine’s power grid left 230,000 people without power for up to six hours.

Today’s announcement by the Prime Minister illustrates the need for sophisticated cyber security practices, policies, and technology to protect our critical infrastructure. Australia cannot afford to suffer catastrophic damage to its critical infrastructure at the best of times, and thanks to COVID-19 these are far from the best of times.

Last edited 2 years ago by Ghian Oberholzer
Jake Moore, Cybersecurity Specialist
InfoSec Expert
June 19, 2020 10:54 am

It is vital that it is not just Australian organisations that are on alert to this threat, as the whole world must take steps to enhance the resilience of their networks. Although this is not a direct result of COVID-19, there is an assumption that increased working from home enables such attacks to operate more easily.

The attackers used various spear-phishing techniques including links in their cleverly designed emails to target their prey. Spear-phishing has a remarkably high success rate due to the believability factor. The bad actors do their homework perfectly and launch convincing and plausible individual emails on their victims. Multiple hit rates increase the velocity of the attack too. Once the initial access was achieved, the bad actor would have used an array of custom tools to interact with the targeted network.

Lessons must be learned from every attack and frustratingly, the exploits used in this campaign were publicly known. It is imperative that other organisations at risk of attack update and patch their systems to the latest software versions immediately as this would have reduced the volume. Government or not, all organisations should ensure that the latest security patches are applied to internet facing infrastructure at all times, and procrastination is never an excuse.

Where possible, multi factor authentication should also be applied to all remote access services such as email and remote desktop services.

Last edited 2 years ago by Jake Moore
Sam Curry, Chief Security Officer
InfoSec Expert
June 19, 2020 7:52 pm

Prime Minister Morrison knows that this isn’t the first time his country has come under cyber attack, as companies of all sizes in the public and private sector have gone through this drill many times over. We used to say loose lips sink ships, but today loose clicks can sink a company in any industry whether it be in the critical infrastructure, healthcare, retail or banking spaces. Hacking is a game of cat and mouse, and the mouse is getting bigger; it’s very motivated to embarrass democracies and it is usually well-funded. Because the Australian government is regularly under cyber attack, and these incidents rarely make headlines, the timing of Morrison’s announcement could spell an uptick and severity of the actions of a foreign state.

Foreign actors are regularly testing the resiliency of networks in both the public and private sector and this is nothing new to Australia. How they respond is important and they are likely prepared. Australia, the United States and other democratic nations may not be facing a traditional enemy with guns and tanks on the battlefield, but they are constantly fighting a host of adversaries in the digital space. Unless we work with our international allies and devise a better strategy to confront this threat, it is far from certain that we will emerge victorious.

The basics of improving security hygiene for both businesses and consumers includes being cyber smart and not clicking on links in your emails from people you are not familiar with. Stop visiting suspicious websites and if something smells fishy it probably is. Instead of going to a website from a random link you receive in email, visit the site directly from your browser as phishing scams are still the most popular way for companies to be breached because individuals continue to be the weakest link to protecting proprietary data. Organizations can start to turn the table on cyber adversaries by increasing the amount of threat hunting it is doing in its environment, hiring trained security analysts to investigate suspicious activity and use a qualified provider of endpoint security technology to protect mobile devices, laptops, iPads, work stations and all connected devices.

Last edited 2 years ago by Sam Curry
Martin Jartelius, CSO
InfoSec Expert
June 19, 2020 7:54 pm

We have seen a steady increase in government APT groups over the last decade. As can be seen from the wide targeting of this group, it’s important to remember that preventive security is important and that anyone in infrastructure, or services, for governmental entities is a viable and likely target for the groups. If you work in those sectors, your IT security may well be of national importance.

Last edited 2 years ago by Martin Jartelius
Scott McKinnel, Country Manager Australia and New Zealand
InfoSec Expert
June 19, 2020 7:59 pm

Many breaches and attacks are accomplished by failing to do the basics – regardless of who the attacker is. The vast majority of breaches and attacks today are the result of known but unpatched vulnerabilities. Threat actors don’t need to develop or pay for zero-day flaws in software. They can simply leverage publicly available exploit code for vulnerabilities that have patches available, homing in on a window of opportunity where organisations have yet to apply these patches. Now more than ever, organisations need to have a strong understanding of their systems and determine where they’re vulnerable. As a first step, organisations need to practice cyber hygiene, such as identifying critical risks and patching systems with common vulnerabilities favoured by criminals, blocking malicious sites and IP addresses, enforcing multi-factor authentication, implementing security awareness training and using encryption. These recommendations make it far harder for criminals to be successful.

Last edited 2 years ago by Scott McKinnel
Nick Savvides, Director of Strategic Business
InfoSec Expert
June 19, 2020 8:04 pm

The address by Australia’s Prime Minister and Defence Minister is a timely reminder that cyber-security is a serious issue and affects every aspect of Australian life. Everybody has a role to play in keeping us safe from cyber-security threats.

Sophisticated threat actors, state-based threat actors, have significant capabilities, and do not rest in their efforts to gain footholds into our systems, applications and data. It is important that governments, businesses and individuals take cyber-security seriously, remain vigilant and continue to improve their cyber-security practices.

We have entered a new era of business and government, where cyber-attacks pose an existential threat to business and can cripple the machinery of government.

The address also acts as a signal to the threat actors responsible that the government and some in the private sector are aware of the attacks. Interestingly, two specific controls, patching internet-facing systems (protecting the edge of networks) and enforcing multi-factor authentication for users (protecting the users), were specifically called out by the Defence Minister. This indicates that attackers likely operated sophisticated targeted phishing campaigns to capture usernames and passwords from victims and were possibly in possession of 0-day vulnerabilities against systems or used older vulnerabilities on systems that are difficult to patch.

While Australia has significant capabilities in cyber-security and an active cyber-security community, unfortunately not all organisations are at the same level, with many organisations simply not having the right capabilities. We are also struggling with a skills shortage, with unfilled cyber-security roles in every sector, which means many of the skills end up in the top end of town and large departments, leaving small and medium business and government agencies exposed.

Last edited 2 years ago by Nick Savvides
Tim Wellsmore, Mandiant Government Solutions, Asia Pacific
InfoSec Expert
June 19, 2020 8:11 pm

The announcement on the cyberattacks on Australian institutions is a concerning, but not unexpected, reminder of the level of serious cyber threat activity that occurs in our country and our region. There have been a significant number of high profile incidents reported in Australia in recent times, and this adds another report of significant cyber threat activity to the mix.

The Australian Prime Minister and Minister for Defence do not undertake these sort of briefings lightly, and the consistent message from them was that this was state sponsored activity which raises the national security focus of the announcement. There is considerable geo-political tension occurring at the moment involving Australia and, from our experience, we know that state sponsored cyber threat activity directly replicates geo-political tensions so it would be plausible to assume this reported activity and announcement is connected.

FireEye is aware of the reported incidents and the type of exploitation of systems that is occurring and has seen only a few related impacts to our customer base. However, we are seeing an increasing focus by both state sponsored and criminal cyber threat actors on exploiting Common Vulnerabilities and Exposures (CVEs) soon after they are announced publicly when victims’ systems are not patched quickly enough, and we deal with state sponsored threats against our customers on a daily basis.

The information provided in the Australian Government ACSC advisory on this issue is very detailed, provides good guidance and serves as a timely reminder to ensure organisations maintain vigilance in their cyber security programs, including the use of patching and multi-factor authentication in their networks. These threats will continue, and it is unfortunate that we continue to see an increase in cyber threat activity as our world becomes more technologically dependent.

Last edited 2 years ago by Tim Wellsmore
Katie Nickels, Director of Threat Intelligence
InfoSec Expert
June 22, 2020 10:30 am

With the news of compromises of the Australian government and other organizations, many people are concerned about who is behind the activity. I would urge caution in jumping to conclusions about attribution, particularly when there is limited public information. Attribution is particularly challenging for this activity due in part to the adversary’s reuse of open source code, leading to the Australian Cyber Security Centre (ACSC) report title “Copy-Paste Compromises.” The tools mentioned in the ACSC report like Cobalt Strike and PowerShell Empire have been used by many adversaries of differing motivations and sophistication levels, so their use does not clearly point to a certain adversary.

The best thing for organizations to do is to examine the reporting shared by the ACSC and consider how to mitigate and detect the tactics, techniques, and procedures (TTPs) that were used. For example, ACSC notes that adversaries gained initial access by exploiting vulnerabilities in public-facing software such as Telerik UI, a technique we commonly see. Organizations should ensure Telerik UI and other software is updated to the latest version to prevent exploitation of known vulnerabilities.

Security professionals should also consider how they can detect TTPs by following recommendations in the ACSC report or from other sources like the Red Canary 2020 Threat Detection Report. The TTPs discussed in the ACSC report are not new – these are the same TTPs we see adversaries use on a daily basis. Ultimately, organizations and individuals should resist the urge to overreact when there is a major incident like this. Organizations who have a defense-in-depth strategy focused on mitigations like patching as well as behavioral-based detections should feel confident that those approaches help reduce risk regardless of what adversaries they face. Security professionals should also be sure to carefully review and vet all TTPs and indicators from the ACSC report and any other sources, as the ACSC report includes an IP address used for internal networking that would be detrimental to performance if blocked.

Last edited 2 years ago by Katie Nickels
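The closing point of the comment above, that indicator lists from an advisory must be vetted before they are pushed to a blocklist because they can contain addresses used for internal networking, is the kind of check that is easy to automate. The following is an added example (not code from the page or from the ACSC report) that buckets IP and CIDR indicators into those safe to deploy, those overlapping the organisation's own address space, those that are not globally routable at all, and malformed entries. Every address in it is a constructed placeholder: the routable ones carry no threat meaning, and the organisation's "own" prefix is made up for the demo.

```python
"""Vet IP indicators from an advisory before they reach a blocklist.

Added example, not code from the page or from the ACSC report. Every
address below is a constructed placeholder.
"""
import ipaddress

# Constructed indicator list, as if copied straight out of an advisory.
SAMPLE_INDICATORS = [
    "1.2.3.4",          # arbitrary routable placeholder: fine to block
    "8.9.10.0/24",      # arbitrary routable placeholder range: fine to block
    "5.6.7.8",          # falls inside the demo organisation's own public prefix
    "10.0.0.5",         # RFC 1918: an internal address that slipped into the list
    "192.168.1.0/24",   # RFC 1918
    "127.0.0.1",        # loopback
    "169.254.10.10",    # link-local
    "224.0.0.251",      # multicast (mDNS)
    "100.64.0.1",       # shared address space (CGNAT), not globally routable
    "2001:db8::1",      # IPv6 documentation prefix
    "fe80::1",          # IPv6 link-local
    "not-an-ip",        # malformed entry
]

# Placeholder for the organisation's own public address space (made up).
SAMPLE_OWN_PREFIXES = ["5.6.0.0/16"]


def classify_indicator(value, own_prefixes=()):
    """Classify one IP or CIDR indicator.

    Returns 'ok' (globally routable, safe to push), 'own' (overlaps the
    organisation's own prefixes), 'reject' (not globally routable: private,
    loopback, link-local, multicast, reserved, unspecified, CGNAT or
    documentation space) or 'invalid' (not an address at all).
    """
    try:
        net = ipaddress.ip_network(value.strip(), strict=False)
    except ValueError:
        return "invalid"
    if (net.is_private or net.is_loopback or net.is_link_local or net.is_multicast
            or net.is_reserved or net.is_unspecified or not net.is_global):
        return "reject"
    for prefix in own_prefixes:
        own = ipaddress.ip_network(prefix, strict=False)
        if own.version == net.version and net.overlaps(own):
            return "own"
    return "ok"


def vet_indicators(indicators, own_prefixes=()):
    """Bucket a whole indicator list. Only the 'ok' bucket should be deployed
    automatically; everything else goes to an analyst for review."""
    buckets = {"ok": [], "own": [], "reject": [], "invalid": []}
    for ioc in indicators:
        buckets[classify_indicator(ioc, own_prefixes)].append(ioc.strip())
    return buckets


if __name__ == "__main__":
    for bucket, items in vet_indicators(SAMPLE_INDICATORS, SAMPLE_OWN_PREFIXES).items():
        print(f"{bucket:8s} {items}")
```

Note that documentation ranges such as 192.0.2.0/24 and 2001:db8::/32 land in the reject bucket as well; an indicator in those ranges is almost always a placeholder that was never replaced, which is another reason to review the list by hand rather than block it wholesale.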
Martin Landless, VP for Europe
InfoSec Expert
June 22, 2020 10:41 am

As cyberthreat actors evolve and gain sophistication, many governments including in Australia have recognised this and are taking steps to address the situation. For a start, kudos to the Australian administration for openly communicating the recent attacks. It’s encouraging to see that the relevant authorities are monitoring this closely and have the necessary visibility. Cyberattacks are the most used method to root out and steal intellectual property and other valuable or sensitive information. You cannot stop these attacks from occurring, so having comprehensive visibility across the IT networks for all agencies is critical to enable rapid detection, response and neutralisation of threats.

Last edited 2 years ago by Martin Landless
Henry Harrison, Co-founder and CSO
InfoSec Expert
June 22, 2020 10:46 am

While it’s good to hear the Australian PM reminding everyone that this sort of state-sponsored attack is constant and pervasive, what he’s not telling everyone is that vulnerability to this sort of attack is a question of cost. For the information and systems that really matter – typically those processing Secret classified information – Australia like other advanced nations has strong security measures that provide good protection against even the most sophisticated attacks. But across the world these strong security measures are not typically deployed to protect “less sensitive” systems such as citizens’ personal information, or critical services and infrastructure. In a world where sophisticated attacks are targeting these critical aspects of society is it really sustainable to continue protecting them at a lower level of security?

Last edited 2 years ago by Henry Harrison
Jonathan Miles, Head of Strategic Intelligence and Security Research
InfoSec Expert
June 22, 2020 10:52 am

This alleged cyber-attack is further evidence of the need for businesses to ensure their cybersecurity practices are robust and mitigation measures up-to-date. At Mimecast, our recent State of Email Security report found that 60% of organisations believe it’s inevitable that they’ll fall victim to an email-based attack over the course of the next year. There is no doubt that such attacks are on the rise at an alarming rate, compounded by the COVID-19 pandemic and the resulting restrictive measures forcing many people to work remotely.

Despite this increased threat, over half of organisations – 55% – don’t provide any sort of email security training on a frequent basis. This has the potential to leave the network and the people who use it vulnerable to cyber-attacks – and organisations must ensure that people are properly informed about online risks. Regular awareness training based on current threats is a must. By educating staff from the board level down, security decision makers can ensure that employees can spot suspicious activity when it occurs, understand the risk of the malicious activity, and manage their company-issued devices appropriately.

Last edited 2 years ago by Jonathan Miles
Jacqueline Jayne, Security Awareness Advocate, APAC
InfoSec Expert
June 22, 2020 10:58 am

When our Government institutions, Government Agencies, health and essential industry, education, infrastructure, and the private sector are attacked like this the first question asked is ‘how is this possible?’. The answer is because the cyber criminals are incredibly sophisticated and no matter how hard we try we are never going to stop them. We all want to know how access was obtained – through phishing, insider threats, ransomware, all of which are attributed to human error. Or was access gained through unpatched software?

The risks we face from state actors will only increase as this is the world we live in now. The updated cybersecurity strategy is due out in the coming months and it can’t come too soon. Cybersecurity is everyone’s responsibility and as individuals we need to protect ourselves personally. Business owners need to protect their infrastructure and people. The Government need to protect our essential services and infrastructure.

Last edited 2 years ago by Jacqueline Jayne
Javvad Malik, Security Awareness Advocate
InfoSec Expert
June 22, 2020 11:01 am

There will undoubtedly be more information coming out in the coming days and weeks as to the specifics of the attackers. The ACSC advisory indicated that the attackers tried to compromise public-facing software, and where that wasn’t possible they reverted to spearphishing. While protective actions include advising organisations to patch systems and deploy MFA, it’s surprising to see they didn’t also recommend user awareness and training, which is a key component of a layered strategy in defending against spearphishing and other social engineering attacks.

We can expect to see more brazen attacks by groups against government and private organisations, and a comprehensive and layered cybersecurity strategy is vital to ensuring the ongoing security.

Last edited 2 years ago by Javvad Malik
Dave Palmer, Director of Technology
InfoSec Expert
June 22, 2020 11:05 am

The potential impact of an attack on critical national infrastructure should not be understated. As smart buildings, cities and the Internet of Things become more common, vulnerabilities are growing, and state sponsored attackers are on the lookout for ways in. The lines between cyber and physical are blurring and this raises the stakes for all involved – increasing the likelihood of unintentional escalations and further complicating international relations. With such prospects, it is now the time to supercharge the cyber defense of the world’s critical digital infrastructure with advanced technologies. This will ensure that nations are resilient and can prevent data breaches or system compromise once attackers are inside – both at machine-speed and in real time.

Last edited 2 years ago by Dave Palmer
Matt Aldridge, Principal Solutions Architect
InfoSec Expert
June 22, 2020 11:07 am

The practice of stealing intellectual property in this way has been going on for a very long time. And this highly targeted phishing technique or ‘spear phishing’ is presenting itself as a huge risk to governments and companies across the board. Cybercriminals utilise information from social media profiles, even using advanced technology such as AI to improve the scale and fidelity of threats. This enables them to fine tune phishing emails to look more and more like the real thing, creating targeted, personal emails to trick even the savviest recipient into believing the correspondence is genuine.

In order to limit the impact of these attacks, the key focus should be on awareness. Employees need to understand the risks to business, why installing software updates, and clicking links within emails should be done with great care. However, this is not always possible, and enterprises will need to look beyond traditional solutions, investing in proven next generation threat intelligence offerings coupled with email filtering to help remove these lures from inboxes.

Last edited 2 years ago by Matt Aldridge
Eoin Keary, CEO and Cofounder
InfoSec Expert
June 22, 2020 11:10 am

Nation state attacks are not uncommon and occur on a continuous basis so it’s interesting that this was highlighted by the Australian government.

There is a general belief that government networks and systems, of which there are thousands, with networks the scale of a huge enterprise, are underfunded and less secure than private corporation systems. Nation state actors will hunt for anything which will give them a foothold across the full stack of a network.

The challenge for governments is trying to stay on top of the constant flow of new vulnerabilities that are discovered on a daily basis. When securing systems at such a large scale, continuous visibility is of paramount importance in order to detect and mitigate weakness in a timely manner. Continuous testing and vulnerability detection is also key. The days of annual, once-off pentesting just don’t scale to defend against industrial level hacking by nation states or large cybercrime groups.

Last edited 2 years ago by Eoin Keary
Robert Hannigan, Chairman
InfoSec Expert
June 23, 2020 11:46 am

The technical details of the attack issued by the Australian Government point to China as a likely state actor. Although the techniques and vulnerabilities exploited are not new, the scale, sophistication and targeting are consistent with Chinese cyber-attacks against the Australian parliament, and other organisations and companies in many democratic countries.

Chinese state cyber-attacks of this type are not new but have progressed from large scale and low sophistication to high grade, carefully targeted attacks in recent years. China still harvests intellectual property from the private sector on an industrial scale, but the sophistication of its targeted attacks against states is increasingly alarming.

We need to collectively find ways of raising the cost of cyber-attacks by China and other states. That starts with calling them out but should lead to concerted economic and diplomatic sanctions.

Offensive cyber capabilities have niche uses but in general, the best responses to wholesale cyber-attacks of this kind will be economic and political sanctions. Although we need offensive cyber capabilities, investment in better cyber defenses, and cybersecurity across the economy is the top priority and always will be.

Last edited 2 years ago by Robert Hannigan
Information Security Buzz