The Prime Minister of Australia has announced that “a sophisticated state-based cyber actor” is currently targeting a large number of Australian organisations, be it essential service providers, political organisations, or operators of other critical infrastructure.
In a statement issued earlier today, Prime Minister Scott Morrison said the massive cyber activity is currently targeting “Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers, and operators of other critical infrastructure.”
He added that the government attributes the activity to a sophisticated state-based actor because of the scale and nature of the targeting and the tradecraft used. The activity itself is not new: cyber attacks against Australian organisations have been going on for some time, but their frequency has increased of late.
“The Australian Government is aware of and alert to the threat of cyber-attacks. Our objective is to raise awareness of these specific risks and targeted activities and tell you how you can take action to protect yourself.
“Cyber security is a shared responsibility of us all. It is vital that Australian organisations are alert to this threat and take steps to enhance the resilience of their networks,” he added.
The state-based cyber actor has been using tried-and-tested exploits to target Australian organisations
According to the Australian Cyber Security Centre (ACSC), the state-based actor behind the ongoing attacks has been quickly weaponising public exploit proofs of concept against networks of interest, and its most prevalent initial access vector is the exploitation of public-facing infrastructure, primarily through a remote code execution vulnerability in unpatched versions of Telerik UI.
“The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.
“The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of a remote code execution vulnerability in unpatched versions of Telerik UI. Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability,” ACSC said.
The cyber security watchdog added that if attacks on public-facing infrastructure fail, the cyber actor uses various spear-phishing techniques to gain entry into targeted networks. These phishing techniques involve the use of links to credential-harvesting websites, emails with malicious links and files, and links prompting users to grant Office 365 OAuth tokens to the actor.
Even though the attacks are widespread and have touched almost every Australian industry, they are not especially sophisticated: the actor is using known exploits for which patches and mitigations are already available. Organisations can therefore close the most prevalent initial access vector by applying security patches to internet-facing infrastructure within 48 hours of their release. Patching alone does not address the spear-phishing and OAuth-consent fallback described above; that requires user awareness, and controls over which third-party applications users are allowed to grant access to their Office 365 data.
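Because the Telerik UI vector is the one ACSC calls most prevalent, a practical complement to patching is to look back through IIS logs for traffic to the component the public vulnerability details describe: the RadAsyncUpload handler, reached at Telerik.Web.UI.WebResource.axd with a type=rau query. The article does not name that handler; it is public knowledge about the Telerik UI flaw, not something taken from the page. The following is an added example, not code from the article or from ACSC. It parses IIS W3C extended log lines (the sample lines are constructed) and triages each client address that touched the handler. Legitimate applications that use RadAsyncUpload also post to it, so the heuristic does not treat every hit as hostile: it raises the severity when a source hit the handler without ever requesting an ordinary page, used a non-browser user agent, or produced server errors on the handler, which is what repeated malformed deserialisation payloads tend to cause.

```python
"""Triage IIS log traffic to the Telerik RadAsyncUpload handler.

Added example (not from the article or ACSC). Assumes IIS W3C extended
format with a '#Fields:' header; the log below is constructed.
"""
from collections import Counter, defaultdict

# Constructed sample log in IIS W3C extended format. IIS replaces spaces in
# the user agent with '+', so whitespace splitting is safe for real logs too.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2020-06-18 01:12:03 10.0.0.5 GET /Default.aspx - 443 203.0.113.9 Mozilla/5.0 200
2020-06-18 01:12:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.23 python-requests/2.23 200
2020-06-18 01:12:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.23 python-requests/2.23 500
2020-06-18 01:15:44 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.23 python-requests/2.23 200
2020-06-18 02:01:02 10.0.0.5 GET /portal/upload.aspx - 443 203.0.113.9 Mozilla/5.0 200
2020-06-18 02:01:40 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.9 Mozilla/5.0 200
2020-06-18 02:05:17 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 192.0.2.77 curl/7.68.0 200
"""

# Lower-cased tail of the request path for the RadAsyncUpload handler.
RAU_STEM = "telerik.web.ui.webresource.axd"


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header defines the column order
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def is_rau_request(rec: dict[str, str]) -> bool:
    """True when the request targets the RadAsyncUpload handler."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    return stem.endswith(RAU_STEM) and "type=rau" in query


def triage_sources(records: list[dict[str, str]]) -> dict[str, dict]:
    """Group handler traffic by client IP and score how suspicious it looks."""
    per_ip: dict[str, dict] = defaultdict(
        lambda: {"rau_hits": 0, "other_hits": 0, "agents": set(), "statuses": Counter()}
    )
    for rec in records:
        state = per_ip[rec["c-ip"]]
        if is_rau_request(rec):
            state["rau_hits"] += 1
            state["agents"].add(rec.get("cs(User-Agent)", "-"))
            state["statuses"][rec.get("sc-status", "-")] += 1
        else:
            state["other_hits"] += 1

    findings: dict[str, dict] = {}
    for ip, state in per_ip.items():
        if state["rau_hits"] == 0:
            continue  # never touched the handler; nothing to report
        reasons = []
        if state["other_hits"] == 0:
            reasons.append("no ordinary page requests, only the upload handler")
        if any(not ua.lower().startswith("mozilla") for ua in state["agents"]):
            reasons.append("non-browser user agent")
        if "500" in state["statuses"]:
            reasons.append("server errors on the handler (possible malformed payloads)")
        findings[ip] = {
            "rau_hits": state["rau_hits"],
            "severity": "high" if reasons else "low",
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in triage_sources(parse_w3c(SAMPLE_LOG)).items():
        print(ip, finding["severity"], finding["rau_hits"], "; ".join(finding["reasons"]))
```

On the constructed log, 198.51.100.23 and 192.0.2.77 come out high (handler-only traffic from scripted clients), while 203.0.113.9, which browsed the portal before uploading from a browser, stays low. A low finding is still worth a look if the host is a development, test or orphaned service that nobody expected to be exposed, which is exactly the kind of system ACSC says the actor goes looking for.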
Continuous visibility is of paramount importance in order to detect and mitigate weaknesses in networks
Commenting on the Prime Minister’s statement, Sam Curry, chief security officer at Cybereason, said that foreign actors regularly test the resilience of networks in both the public and private sectors, and that this is nothing new to Australia.
“How they respond is important and they are likely prepared. Australia, the United States, and other democratic nations may not be facing a traditional enemy with guns and tanks on the battlefield, but they are constantly fighting a host of adversaries in the digital space. Unless we work with our international allies and devise a better strategy to confront this threat, it is far from certain that we will emerge victorious.
“Organisations can start to turn the tables on cyber adversaries by increasing the amount of threat hunting they are doing in their environments, hiring trained security analysts to investigate suspicious activity and using a qualified provider of endpoint security technology to protect mobile devices, laptops, iPads, workstations, and all connected devices,” he added.
According to Eoin Keary, CEO and founder of Edgescan, there is a general belief that government networks and systems, of which there are thousands, with networks the scale of a huge enterprise, are underfunded and less secure than private corporate systems. Nation-state actors will hunt for anything that gives them a foothold, across the full stack of a network.
“The challenge for governments is trying to stay on top of the constant flow of new vulnerabilities that are discovered on a daily basis. When securing systems at such a large scale, continuous visibility is of paramount importance in order to detect and mitigate weaknesses in a timely manner. Continuous testing and vulnerability detection are also key. The days of annual, once-off pen-testing just don’t scale to defend against industrial level hacking by nation-states or large cybercrime groups,” he added.