As you will be aware of by now, the Prime Minister warned Australians of a “sophisticated, state-based cyber actor” targeting Australian organisations and all tiers of government.
But is the sky really falling and if it is, will we all be equally devastated when it crashes down? And what are the risks associated with the reported attacks? This post aims to provide you with some of that information.
According to the ACSC documents (there is a summary one and a more detailed one) that were referenced in the press conference, the attackers are reportedly targeting a number of vulnerabilities in various commercial software, in order to gain initial access to systems:
- Telerik UI – CVE-2019-18935.
- VIEWSTATE handling in Microsoft IIS Servers
- Citrix Products – CVE-2019-19781
- Microsoft SharePoint – CVE-2019-0604
Patches have been available for all of these vulnerabilities for between 3 and 7 months. For example, the Telerik UI vulnerability is described in CVE-2019-18935; a patch was released for this vulnerability 2019, and the vulnerability can be freely demonstrated and exploited with metasploit. An organisation that has not applied these patches doesn’t need to just worry about “significant state-based cyber actors”; any attacker with the slightest clue can exploit these vulnerabilities with very little effort.
Let's go phishing!
In the event that the attackers are unable to exploit the above vulnerabilities, they are apparently falling back to good-old spear-phishing attacks. It is reported that the attackers are using various methods for this, such as:
- Sending emails to targets which contain links to credential harvesting websites (i.e. phishing sites). The attackers are reportedly masking these URLs by exploiting open redirect vulnerabilities.
- Sending emails to targets which contains links to download malicious Microsoft PowerPoint documents from OneDrive and DropBox, as well as simply attaching the Microsoft PowerPoint document to the email.
- Sending emails to targets which contain links to OAuth token theft applications.
- Sending emails to targets that contain images that allow the attackers to identify users that have opened the email, and therefore in turn, identifying them as a more susceptible target.
It is reported that the attackers are making use of compromised Australian websites for command and control servers. It is suspected that this is being done to bypass geo-IP blocking mechanisms and to appear innocuous to administrators monitoring DNS and proxy traffic.
Once again, none of this is sophisticated or uncommon. While the press conference might imply that other governments are responsible for some/lots of these attacks; they’re not the only ones in the game. Just review this year’s news reports for evidence of organised criminal attacks on businesses in sectors as varied as logistics, transport, brewing, cloud, finance and wool sales. If a business does not implement application whitelisting, privileged account management and user education, phishing is probably the easiest and most sure-fire way for an attacker to get into their organisation.
So is the sky really falling?
Not all of it… but some fairly heavy chunks have been crashing down for a while now and some of the newer threats (like ransom-ware attackers now leaking stolen data as well as encrypting it) have resulted in consequences (think Toll, MyBudget, Lion and Landmark White) that have been both high-profile and expensive.
To some extent, it doesn’t matter if the attackers are random individuals, organised criminals or overseas governments: If we consider the vulnerabilities and attacks that were described in the PM’s press conference, then the likelihood and consequences (a.k.a. risk) of a successful attack could easily be reduced with some foresight and planning. The press conference referred to known vulnerabilities for which patches exist, and to tactics and techniques that are not terribly sophisticated. An organisation that has solid, documented and verified security policies and processes in place should be alert, but not alarmed.
If on the other hand the press conference has made you realise that you’re behind the eight-ball, than that’s a good thing because now you can make some (in many cases quite simple) improvements to your organisational security standing.
Two of the ASD Essential 8 controls relate to patching. If you’re reading this because you haven’t patched the vulnerabilities described in the government announcement, then you may need to act quickly: You need to patch all Internet facing software, operating systems and devices as soon as possible (i.e. within a time that is measured in hours and days, not weeks and months). Once that’s done however, you need to plan, document, implement and review (monthly) your Patch Management and Vulnerability Management policies and procedures. You should separate administration (applying the patches and managing the vulnerabilities) from compliance (ensuring the patches and vulnerabilities are managed according to policy) and you should report on compliance as discussed in Point 3 below.
2) Implement two-factor authentication. Everywhere. Especially on Cloud services!
Two-factor authentication is the most common example of MFA or Multi-Factor Authentication. The idea is to reduce the attacker’s opportunities by reducing the total reliance on passwords, the most commonly used single factor of authentication. DotSec strongly recommends that all Internet accessible systems should be configured to accept only two factor authentication, according to documented identity and access management policy and procedures. This includes, but is not limited to:
• Email and file sharing services,
• Remote access connections,
• Company portals, and
• Office 365 and similar “cloud” services.
Two-factor authentication is (again) a part of the ASD’s Essential Eight strategies for mitigating information security incidents.
3) Get your SIEM (alerting and reporting) in order
Without proper alerting and reporting, it is difficult, if not impossible to detect and respond to attacks from internal or external adversaries. We understand that trialling, developing and implementing such a system in a timely manner is not practical for a lot of businesses, so please give us a call today if you require assistance. DotSec has deployed alerting and reporting security solutions (SIEM) for many national customers.
4) Work through the other ASD Essential Eight strategies
While most people in IT are familiar with the ASD Essential Eight strategies for mitigating information security incidents, a lot do not implement them. We covered off three already in points one and two! No time like the present to get started on the rest. Note that we list “the rest” here because implementation of controls like Application Control (white listing) and Administrative Account management will require a bit of planning and so will take longer to implement. If you are worried that you might fall foul of the attacks that were discussed in the government’s press conference, you should get started with the low-hanging fruit (patching, MFA and logging) right away. But don’t forget to put in place a plan that will bring you back to the remaining controls in a timely manner.
Call a mature 20 year-old!
With over 20 years of experience, DotSec can help you plot a calm, rational course that takes into account your risks, budget and in-house skills. We can help you understand and comply with security frameworks, we can manage your info/cyber security services, and we can help you to develop a prioritised, risk-based approach to securing your organisation’s assets.
Please see here on our website for more information on DotSec’s informed organisation security assessments, or give us a call.