Australian organisations should adopt enhanced cyber security

Prioritise these actions to defend against malicious cyber activity.

Organisations should prioritise the following actions to mitigate against threats posed by a range of malicious cyber actors. Many actors use common techniques such as exploiting internet-facing applications and spear phishing to compromise victim networks. Organisations should ensure they have implemented mitigations against these common techniques and are prepared to detect and respond to cyber security incidents. The following four actions will improve an organisation’s resilience in the current threat environment.

  • Patch applications and devices, particularly internet-facing services. Monitor for relevant vulnerabilities and security patches and consider bringing forward patch timeframes.
  • Implement mitigations against phishing and spear phishing attacks. Disable Microsoft Office macros by default and limit user privileges. Ensure that staff report all suspicious emails received, links clicked, or documents opened.
  • Ensure that logging and detection systems are fully updated and functioning. Prioritise internet-facing and critical network services and ensure that logs are centrally stored.
  • Review incident response and business continuity plans. Plan responses to network compromise as well as disruptive or destructive activity such as ransomware. Ensure these plans are known to and actionable by staff and are accessible even when systems are down.

Organisations should also review the Essential Eight and prioritise remediating any identified gaps in Essential Eight maturity. Following this, organisations should review technical details associated with any specific threats they have identified as relevant and incorporate these into monitoring and response plans.

Context

There are no specific or credible cyber threats to Australian organisations currently.

Following the attack on Ukraine, there is a heightened cyber threat environment globally, and the risk of cyber-attacks on Australian networks, either directly or inadvertently, has increased. While the ACSC has no specific intelligence relating to a cyber-attack on Australia, this could change quickly.

It is critical that Australian organisations are alert to these threats and take steps to adopt an enhanced cyber security posture and increase monitoring for threats. These actions will help to reduce the impacts to Australian organisations of any cyber-attacks.

On 23 February 2022, the ACSC released the alert: Australian organisations encouraged to urgently adopt an enhanced cyber security posture. This Technical Advisory provides additional information to support entities to take appropriate actions to secure their systems and networks.

This advisory has been compiled with respect to the MITRE ATT&CK® framework, a publicly accessible knowledge base of adversary tactics and techniques based on real-world observations.

This advisory draws on information derived from ACSC partner agencies and industry sources.

Destructive malware targeting organisations in Ukraine

The ACSC is aware of reporting that threat actors have deployed destructive malware to target organisations in Ukraine. This advisory provides additional indicators of compromise (IOCs) to assist organisations to detect the WhisperGate, HermeticWiper, IsaacWiper and CaddyWiper destructive malware.

Destructive malware can present a direct threat to an organisation’s daily operations, impacting the availability of critical assets and data.

Ongoing threat of ransomware

Australian organisations should continue to maintain vigilance to the threat of ransomware. Threat actors believed to be associated with Conti have claimed they will target unspecified critical infrastructure in response to cyber or military actions against Russia. The ACSC has recently updated a profile on Conti’s background, threat activity and mitigation advice. The US Cybersecurity and Infrastructure Security Agency (CISA) alert on Conti ransomware has also been updated to include additional indicators of compromise. Tactics, techniques, and procedures associated with Conti ransomware are included in this advisory.

Ongoing state-sponsored targeting of network devices

The ACSC is aware that state-sponsored actors continue to target routers and other network devices. The ACSC has previously released an alert relating to Russian state-sponsored targeting of network devices and advised Australian organisations to secure certain Cisco features to mitigate against this activity. The ACSC encourages organisations to refer to these publications as well as the 2018 US Cybersecurity and Infrastructure Security Agency (CISA) publication Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices and the 2022 US National Security Agency (NSA) publication on Network Infrastructure Security Guidance to secure their networks against this activity.

Exploitation of default multi-factor authentication protocols and known vulnerabilities for network access

The US CISA and Federal Bureau of Investigation have released a joint cybersecurity advisory to warn organisations that default multi-factor authentication (MFA) configuration has been exploited, in combination with known vulnerabilities, to allow malicious cyber actors to obtain access to networks. The joint cybersecurity advisory contains technical details on the exploitation as well as mitigations which can be applied to multi-factor authentication systems.

The ACSC urges all organisations to implement multi-factor authentication, disable unused accounts and to review the tactics, techniques, and procedures, indicators of compromise, and mitigation measures described in the joint cyber security advisory. If configured correctly, multi-factor authentication remains one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information.

Possible threats to satellite communication networks

The US CISA and FBI have released a joint cybersecurity advisory relating to possible threats to satellite communication networks. The advisory includes mitigation advice for satellite communication network providers and customers. The ACSC encourages all satellite communication network providers and customers to review the guidance in the joint cybersecurity advisory.

Targeting of the US and international energy sector

The US CISA, FBI and Department of Energy (DOE) have released a joint cybersecurity advisory relating to tactics, techniques, and procedures used to target US and international energy sector organisations between 2011 and 2018. The advisory includes technical details of these intrusion campaigns as well as recommended mitigations for both enterprise and operational technology networks. The ACSC encourages all energy sector organisations to review the guidance in the joint cybersecurity advisory.

Case Study: NotPetya

In 2017, a ransomware campaign known as NotPetya impacted organisations globally. This ransomware was distributed via a malicious software update for legitimate software. Following installation, NotPetya used automated techniques to retrieve legitimate credentials, identify other hosts on the network, and move laterally across a network before encrypting individual files and system partitions on victim hosts.

NotPetya used a range of common Windows utilities and services, as well as exploits for previously patched vulnerabilities, to move laterally across a network. While the NotPetya attack occurred in June 2017, patches for these vulnerabilities had been released in March 2017.

NotPetya was an example of malicious cyber activity in which a lack of patching and continued use of outdated protocols presented a significant risk to organisational security. Baseline cyber security measures such as the Essential Eight are applicable at any time and will mitigate against a wide range of malicious cyber activity.

ACSC and Partner Reporting

The below collation of ACSC, partner, and industry reporting provides technical details and mitigation measures relevant to a range of malicious activity. Organisations should review these publications for relevance to their own networks and consider implementing relevant mitigations.

Reporting on destructive malware, including WhisperGate, HermeticWiper, IsaacWiper and CaddyWiper

Organisations seeking further information on detecting and mitigating against a range of recently discovered destructive malware should review the following partner and industry publications:

  • WeLiveSecurity: CaddyWiper: New wiper malware discovered in Ukraine
  • CrowdStrike Blog: Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities
  • ESET Research: Ukraine hit by destructive attacks before and during the Russian invasion with HermeticWiper and IsaacWiper
  • WeLiveSecurity: IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine
  • Palo Alto Networks Unit 42: Russia-Ukraine Crisis: How to Protect Against the Cyber Impact
  • Symantec Threat Intelligence: Ukraine: Disk-wiping Attacks Precede Russian Invasion
  • US CISA: Destructive Malware Targeting Organizations in Ukraine

Reporting on ransomware

Organisations seeking further information on detecting and mitigating against ransomware threats should review the following partner and industry publications:

  • US CISA: Conti Ransomware
  • ACSC: Ransomware Profile: Conti
  • US CISA: 2021 Trends Show Increased Globalized Threat of Ransomware
  • US CISA: How Can I Protect Against Ransomware?

Reporting on Cyclops Blink malware

Organisations seeking further information on the Cyclops Blink malware, which has widely affected network devices, should review the following UK NCSC publications:

  • UK National Cyber Security Centre: New Sandworm malware Cyclops Blink replaces VPNFilter
  • UK National Cyber Security Centre: Cyclops Blink Malware Analysis Report

Reporting on the wider threat environment, a range of recent malicious cyber activity, and relevant security measures

Organisations seeking further information on a range of recent malicious activity, the wider threat environment, and relevant security measures that organisations can take to defend against these threats should refer to the following reporting:

  • US CISA: Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector
  • US CISA: Strengthening Cybersecurity of SATCOM Network Providers and Customers
  • US CISA: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability
  • Google Threat Analysis Group: An update on the threat landscape
  • US CISA: Known Exploited Vulnerabilities Catalog
  • US CISA: Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
  • US National Security Agency (NSA): Network Infrastructure Security Guidance
  • ACSC: Routers targeted: Cisco Smart Install feature continues to be targeted by Russian state-sponsored actors
  • ACSC: Secure the Cisco IOS and IOS XE Smart Install Feature
  • US CISA: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
  • US CISA: Joint Cybersecurity Advisory: Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology
  • US NSA: Joint Cybersecurity Advisory: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments
  • Microsoft Security Blog: New sophisticated email-based attack from NOBELIUM
  • Microsoft Security Blog: NOBELIUM targeting delegated administrative privileges to facilitate broader attacks
  • NZ National Cyber Security Centre: General Security Advisory: Understanding and preparing for cyber threats relating to tensions between Russia and Ukraine
  • Canadian Centre for Cyber Security (CCCS): Cyber threat bulletin: Cyber Centre urges Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity
  • US CISA: CISA Insights: Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats
  • UK NCSC: NCSC advises organisations to act following Russia’s further violation of Ukraine’s territorial integrity
  • US CISA: Russia Cyber Threat Overview and Advisories

Tactics, Techniques, and Procedures (TTPs)

In the current threat environment, there is a heightened risk that Australian organisations will be impacted by malicious cyber activity, either directly or through unintended or uncontained impacts. Actors may change their TTPs in response to public reporting and cyber security measures adopted by organisations, and new intrusion sets could be discovered. The following TTPs have been selected due to their common use by a range of actors and to illustrate the nature of threats that organisations may face. Organisations should focus on measures to mitigate against commonly used TTPs, while also referring to those identified in this advisory and linked material that may be relevant to them.

Initial access

Phishing and spear phishing emails containing malicious links or attachments are commonly used to establish initial access. Phishing emails may originate from email addresses designed to impersonate a trusted contact or may be sent from legitimate but compromised email accounts, including as replies to existing email threads. Phishing lures can be complex and tailored to the targeted organisation, and their malicious nature may be obfuscated using tools such as URL-shorteners and typical file types.

A range of malicious cyber actors attain initial access by compromising public-facing services. Malicious cyber activity commonly makes use of known vulnerabilities, for which patches or security measures may exist, to compromise public-facing services and attain initial access.

Malicious actors have also targeted accounts belonging to users on networks, using historically breached passwords or techniques such as brute forcing passwords to attain initial access. Legitimate credentials have been combined with exploitation of vulnerable services to attain initial access or escalated privileges. MFA configurations allowing for device enrolment to inactive accounts have been exploited by actors for initial access.

In some cases, malicious actors have compromised software supply chains to establish access to target organisations.

Persistence

Malicious cyber actors may seek to establish persistence, including for extended periods of time, using native tools and common or custom malware, including malware developed for specific devices. Actors use tools such as scheduled tasks, compromised update mechanisms, and compromised or actor-created accounts (including administrative accounts) to maintain access to victim networks. MFA configurations which “fail open” can be exploited by actors for persistence.

Discovery

Actors may use dedicated tooling or built-in system utilities to scan internal networks and discover hosts for lateral movement. Actors may conduct internal scanning automatically or manually. Actors may use data stored on compromised hosts to discover information about other hosts or accounts.

Lateral movement

Actors may use legitimate credentials, administrative privileges, and built-in system utilities to conduct lateral movement using only resources which are already present in the victim environment. Actors may also use malware or post-exploitation tools to conduct lateral movement by exploiting vulnerable services or hosts internal to a victim environment.

Impact

Actors may cause an impact to victim organisations by deploying ransomware or disruptive or destructive malware. Disruptive or destructive malware may be disguised as ransomware and present a ransom note despite not having a recovery mechanism.

Mitigation / How do I stay secure?

The ACSC recommends that organisations urgently adopt an enhanced cyber security posture. This should include reviewing and enhancing detection, mitigation, and response measures.

  • Patch applications and devices, particularly internet-facing services. Monitor for relevant vulnerabilities and security patches and consider bringing forward patch timeframes. Review the US CISA catalogue of known exploited vulnerabilities for relevance to your systems.
  • Implement mitigations against phishing and spear phishing attacks. Disable Microsoft Office macros by default and limit user privileges. Ensure that staff report all suspicious emails received, links clicked, or documents opened.
  • Organisations should ensure that logging and detection systems in their environment are fully updated and functioning and apply additional monitoring of their networks where required. Prioritise internet-facing and critical network services and ensure that logs are centrally stored.
  • Review incident response and business continuity plans. Plan responses to network compromise as well as disruptive or destructive activity such as ransomware. Ensure these plans are known to and actionable by staff and are accessible even when systems are down.
  • Organisations should also review the Essential Eight and prioritise remediating any identified gaps in Essential Eight maturity. Following this, organisations should review technical details associated with any specific threats they have identified as relevant and incorporate these into monitoring and response plans.
  • Review the TTPs and IOCs contained in this product and linked reporting to determine if related activity has occurred on your organisation’s network and establish detections on such activity where feasible.
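The second action above, disabling Office macros by default, is enforced through Office Group Policy registry values. The following PowerShell script is an added example (not part of the ACSC advisory) that audits, and with -Enforce sets, those values for the current user; it assumes a "16.0" Office policy key (Office 2016/2019/Microsoft 365) and the Word, Excel and PowerPoint applications, both of which are adjustable.

```powershell
# Added example: audit (and optionally enforce) the Office VBA macro policy values
# that implement "disable Microsoft Office macros by default" for the current user.
# Assumptions: Office policy key version "16.0"; applications listed in $Apps.
param(
    [switch]$Enforce,
    [string]$OfficeVersion = '16.0'
)

# VBAWarnings policy values: 1 = enable all, 2 = disable with notification,
# 3 = disable except digitally signed, 4 = disable all without notification.
$RecommendedVbaWarnings = 4
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-MacroPolicy {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $vba = $null; $block = $null
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $vba   = $props.VBAWarnings
        $block = $props.blockcontentexecutionfrominternet
    }
    [pscustomobject]@{
        Application         = $App
        Key                 = $key
        VBAWarnings         = $vba
        BlockInternetMacros = $block
        # Compliant only when both values are explicitly set by policy; an absent
        # value means the user's own Trust Center setting applies instead.
        Compliant           = ($vba -eq $RecommendedVbaWarnings) -and ($block -eq 1)
    }
}

function Set-MacroPolicy {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Block all macros without notification, and block macros in files from the internet.
    New-ItemProperty -Path $key -Name VBAWarnings -PropertyType DWord `
        -Value $RecommendedVbaWarnings -Force | Out-Null
    New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

$results = foreach ($app in $Apps) {
    $state = Get-MacroPolicy -App $app
    if ($Enforce -and -not $state.Compliant) {
        Set-MacroPolicy -App $app
        $state = Get-MacroPolicy -App $app   # re-read to confirm the change took effect
    }
    $state
}
$results | Format-Table Application, VBAWarnings, BlockInternetMacros, Compliant -AutoSize
```

On domain-joined hosts the same values should be deployed through Group Policy rather than edited locally, so that the audit reports the centrally managed state.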
