The Australian Government recently released an advisory (2020-008: Copy-Paste compromises) regarding a sophisticated state-sponsored attacker performing a sustained cyber-attack against Australian government and non-government organizations. Such attackers are considered ‘Advanced Persistent Threats’ (APT) with significant amounts of resources and time to prepare and execute attacks across many different architectures and platforms (depending on their target).
Details of these attacks indicate that the attacker:
• Uses proof-of-concept exploit code, web shells and other tools copied almost identically from public sources (leading to the name Copy-Paste). This makes attribution more difficult and demonstrates the ability to readily adapt any ongoing security vulnerability disclosures.
• Their tools and techniques are designed for evading detection and involve little or no disruption or destruction.
◦ The attacker has been spotted targeting development and other pre-production environments which are publicly exposed and poorly updated or maintained.
◦ The attacker lurks within organizations using legitimate credentials established during an initial compromise.
◦ The attacker used compromised (Australian) websites to further exploit or control other endpoints. As these were normally trusted, and ordinary web protocols and ports were used, this escaped normal detection.
◦ The advisory notes that existing monitoring was often incomplete / decentralized (HTTP logs) and existing standard practices for mitigation ineffective (geo-restriction).
The ‘Indicators of Compromise’ (IOC) indicate that the adversary is:
• Targeting Windows environments, however the attackers leverage alternative vectors of compromise when their primary exploitation of public-facing systems fail.
◦ In this case, the actor uses a number of different spear-phishing techniques for credentials harvesting and triggering additional malicious payloads.
• The main applications being exploited are systems for remote access such as Citrix, and web services such as Telerik UI, Microsoft IIS and Microsoft Sharepoint.
• Dropbox and OneDrive are also used for phishing or malware distribution.
This attack has highlighted severe gaps in the cyber-resilience of Australian organizations. The Australian government in response is announcing its largest-ever investment towards both cyber-defensive and cyber-offensive capabilities.
New Zealand organizations should be similarly prepared and acknowledge that the frequency, intensity and complexity of cyber-attacks are increasing (for reasons such as political, financial or Intellectual Property gain) with many state-sponsored entities around the world being implicated. In its current state, many organizations are still not able to correctly defend against even low-grade attackers with publicly available exploits, or adequately detect a compromised system or credential.
• Adequate monitoring and management of threats both internally and externally:
◦ Monitoring and maintaining IOCs in a defensive system and firewalling
◦ Comprehensive event logging (notably for access and credentials)
◦ Broad engagement in risk / threat modelling and threat analysis.
• Keeping all systems up to date:
◦ Inventory of systems, including non-production environments
◦ Monitoring of patch levels, patch policy and timely patching.
• Planning for (timely and responsive) incident response:
◦ Backups (for recovery)
◦ Effective log analysis systems
◦ Incident reporting procedures
◦ Practising incident response (like other disaster events).
• Wide usage of multi-factor authentication
• Increasing security awareness:
◦ Individual level – Reporting incidents and anomalies
◦ Organizational level – Company-wide threats and escalation procedures.
Appendix: Indicators of compromise (IOC)
The following are listed indicators from the original ACSC advisory which should be used for filtering and monitoring within any network environment: