Adopting an enhanced cyber security posture

There are no specific or credible cyber threats to Australian organisations currently.

Context

Following the attack on Ukraine, there is a heightened cyber threat environment globally, and the risk of cyber-attacks on Australian networks, either directly or inadvertently, has increased. While the ACSC has no specific intelligence relating to a cyber-attack on Australia, this could change quickly.

It is critical that Australian organisations are alert to these threats and take steps to adopt an enhanced cyber security posture and increase monitoring for threats. These actions will help to reduce the impacts to Australian organisations of any cyber-attacks.

The ACSC released the alert: Australian organisations encouraged to urgently adopt an enhanced cyber security posture. This Technical Advisory provides additional information to support entities to take appropriate actions to secure their systems and networks.

This advisory has been compiled with respect to the MITRE ATT&CK® framework, a publicly accessible knowledge base of adversary tactics and techniques based on real-world observations.

This advisory draws on information derived from ACSC partner agencies and industry sources.

Destructive malware targeting organisations in Ukraine

The ACSC is aware of reporting that threat actors have deployed destructive malware to target organisations in Ukraine. This advisory provides additional indicators of compromise (IOCs) to assist organisations to detect the WhisperGate, HermeticWiper, IsaacWiper and CaddyWiper destructive malware.

Destructive malware can present a direct threat to an organisation’s daily operations, impacting the availability of critical assets and data.

Ongoing threat of ransomware

Australian organisations should continue to maintain vigilance to the threat of ransomware. Threat actors believed to be associated with Conti have claimed they will target unspecified critical infrastructure in response to cyber or military actions against Russia. The ACSC has recently updated a profile on Conti’s background, threat activity and mitigation advice. The US Cybersecurity and Infrastructure Security Agency (CISA) alert on Conti ransomware has also been updated to include additional indicators of compromise. Tactics, techniques, and procedures associated with Conti ransomware are included in this advisory.

Ongoing state-sponsored targeting of network devices

The ACSC is aware that state-sponsored actors continue to target routers and other network devices. The ACSC has previously released an alert relating to Russian state-sponsored targeting of network devices and advised Australian organisations to secure certain Cisco features to mitigate against this activity. The ACSC encourages organisations to refer to these publications as well as the 2018 US Cybersecurity and Infrastructure Security Agency (CISA) publication Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices and the 2022 US National Security Agency (NSA) publication on Network Infrastructure Security Guidance to secure their networks against this activity.

Exploitation of default multi-factor authentication protocols and known vulnerabilities for network access

The US CISA and Federal Bureau of Investigation have released a joint cybersecurity advisory to warn organisations that default multi-factor authentication (MFA) configuration has been exploited, in combination with known vulnerabilities, to allow malicious cyber actors to obtain access to networks. The joint cybersecurity advisory contains technical details on the exploitation as well as mitigations which can be applied to multi-factor authentication systems.

The ACSC urges all organisations to implement multi-factor authentication, disable unused accounts and to review the tactics, techniques, and procedures, indicators of compromise, and mitigation measures described in the joint cyber security advisory. If configured correctly, multi-factor authentication remains one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information.

Possible threats to satellite communication networks

The US CISA and FBI have released a joint cybersecurity advisory relating to possible threats to satellite communication networks. The advisory includes mitigation advice for satellite communication network providers and customers. The ACSC encourages all satellite communication network providers and customers to review the guidance in the joint cybersecurity advisory and the NSA publication on protecting very small aperture terminal (VSAT) communications.

Organisations should ensure that their information is encrypted prior to transmission, secure SATCOM products according to relevant best practices, and ensure appropriate network segmentation is in place. Organisations which rely on SATCOM for connectivity or critical functions should consider their business continuity plans if their SATCOM services are unavailable.

Targeting of the US and international energy sector

The US CISA, FBI, and Department of Energy (DOE) have released a joint cybersecurity advisory relating to tactics, techniques, and procedures used to target US and international energy sector organisations between 2011 and 2018. The advisory includes technical details of these intrusion campaigns as well as recommended mitigations for both enterprise and operational technology networks. The ACSC encourages all energy sector organisations to review the guidance in the joint cybersecurity advisory.

The US CISA, DOE, NSA, and FBI have also released a joint cybersecurity advisory warning that malicious cyber actors have the capability to target specific operational technology devices. Organisations which utilise operational technology devices, particularly in the energy sector, should review the advisory and consider implementing the detection, mitigation, and resilience measures outlined to their operational technology environments.

Energy sector organisations should also review industry reporting on new destructive malware used to target an energy sector organisation as recently as April 2022.

Malicious activity occurring against internet-connected uninterruptible power supply devices

The US CISA and Department of Energy (DOE) have warned that malicious cyber actors have gained access to internet-connected uninterruptible power supply (UPS) devices, often through default passwords. Organisations using these and similar devices should ensure that device management interfaces are not accessible from the internet and that default passwords are changed.

Identifying cyber supply chain risks

The ACSC has developed guidance to assist organisations in identifying risks associated with their use of suppliers, manufacturers, distributors, and retailers associated with products and services used by the organisation. Organisations should review risks posed by foreign control or interference, poor security practices, lack of transparency, and access and privileges as they relate to businesses in the cyber supply chain. For further information, organisations should review ACSC publications Identifying Cyber Supply Chain Risks and Cyber Supply Chain Risk Management.

Tactics, Techniques, and Procedures (TTPs)

In the current threat environment, there is a heightened risk that Australian organisations will be impacted by malicious cyber activity, either directly or through unintended or uncontained impacts. Actors may change their TTPs in response to public reporting and cyber security measures adopted by organisations, and new intrusion sets could be discovered. The following TTPs have been selected due to their common use by a range of actors and to illustrate the nature of threats that organisations may face. Organisations should focus on measures to mitigate against commonly used TTPs, while also referring to those identified in this advisory and linked material that may be relevant to them.

Initial access

Phishing and spear phishing emails containing malicious links or attachments are commonly used to establish initial access. Phishing emails may originate from email addresses designed to impersonate a trusted contact or may be sent from legitimate but compromised email accounts, including as replies to existing email threads. Phishing lures can be complex and tailored to the targeted organisation, and their malicious nature may be obfuscated using tools such as URL-shorteners and typical file types.

A range of malicious cyber actors attain initial access by compromising public-facing services. Malicious cyber activity commonly makes use of known vulnerabilities, for which patches or security measures may exist, to compromise public-facing services and attain initial access.

Malicious actors have also targeted accounts belonging to users on networks, using historically breached passwords or techniques such as brute forcing passwords to attain initial access. Legitimate credentials have been combined with exploitation of vulnerable services to attain initial access or escalated privileges. MFA configurations allowing for device enrolment to inactive accounts have been exploited by actors for initial access.

In some cases, malicious actors have compromised software supply chains to establish access to target organisations.

Persistence

Malicious cyber actors may seek to establish persistence, including for extended periods of time, using native tools and common or custom malware, including malware developed for specific devices. Actors use tools such as scheduled tasks, compromised update mechanisms, and compromised or actor-created accounts (including administrative accounts) to maintain access to victim networks. MFA configurations which “fail open” can be exploited by actors for persistence.
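The two MFA weaknesses named above and under Initial access (device enrolment permitted on inactive accounts, and verification that "fails open" when the MFA service is unreachable) are policy decisions that can be shown side by side in code. The following is an added example written for this advisory, not code from the ACSC or from any MFA product; the Account fields, the MfaBackendUnavailable error, the 90-day inactivity limit and the sample verifier are all assumptions. The weak functions reproduce the misconfigurations; the hardened ones deny by default, so an outage or a dormant account never becomes an authentication bypass.

```python
"""Weak versus hardened MFA policy decisions (added example, not ACSC code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional


class MfaBackendUnavailable(Exception):
    """Assumed error: the second-factor service could not be reached."""


@dataclass
class Account:
    name: str
    mfa_enrolled: bool = False
    last_login: Optional[datetime] = None  # None: never logged in
    disabled: bool = False


# Assumed verifier signature: (account name, submitted code) -> bool, may raise.
Backend = Callable[[str, str], bool]


def verify_second_factor(account: Account, code: str, backend: Backend) -> bool:
    return backend(account.name, code)


# --- Weak policy: the two misconfigurations the advisory describes -----------
def login_weak(account: Account, password_ok: bool, code: str, backend: Backend) -> bool:
    if not password_ok:
        return False
    if not account.mfa_enrolled:
        return True  # weak: an unenrolled account skips the second factor entirely
    try:
        return verify_second_factor(account, code, backend)
    except MfaBackendUnavailable:
        return True  # weak: "fail open" while the MFA service is down


def enrol_weak(account: Account, device_id: str, registry: Dict[str, str]) -> bool:
    registry[account.name] = device_id  # weak: no check of account state at all
    account.mfa_enrolled = True
    return True


# --- Hardened policy: deny by default ---------------------------------------
INACTIVITY_LIMIT = timedelta(days=90)  # assumed threshold for a dormant account


def login_hardened(account: Account, password_ok: bool, code: str, backend: Backend) -> bool:
    if account.disabled or not password_ok:
        return False
    if not account.mfa_enrolled:
        return False  # no second factor on record: deny and route to vetted enrolment
    try:
        return verify_second_factor(account, code, backend)
    except MfaBackendUnavailable:
        return False  # fail closed: an outage is an availability event, not a bypass


def enrol_hardened(account: Account, device_id: str, registry: Dict[str, str], now: datetime) -> bool:
    """Refuse enrolment for disabled, dormant or already-enrolled accounts."""
    if account.disabled:
        return False
    if account.last_login is None or now - account.last_login > INACTIVITY_LIMIT:
        return False  # dormant account: require identity-verified reactivation first
    if account.name in registry:
        return False  # replacing a device needs an explicit, audited reset
    registry[account.name] = device_id
    account.mfa_enrolled = True
    return True


# Constructed stand-ins for a real verifier: one that is down, one that accepts a fixed code.
def backend_down(name: str, code: str) -> bool:
    raise MfaBackendUnavailable(name)


def backend_ok(name: str, code: str) -> bool:
    return code == "123456"


def demo(now: datetime = datetime(2022, 4, 1)) -> Dict[str, bool]:
    """Run each scenario against both policies; every value is a policy outcome."""
    def dormant() -> Account:
        return Account("svc-legacy", last_login=now - timedelta(days=400))

    def active_enrolled() -> Account:
        return Account("alice", mfa_enrolled=True, last_login=now - timedelta(days=1))

    return {
        "weak_enrol_dormant": enrol_weak(dormant(), "unknown-phone", {}),
        "hardened_enrol_dormant": enrol_hardened(dormant(), "unknown-phone", {}, now),
        "hardened_enrol_active": enrol_hardened(Account("bob", last_login=now), "bob-phone", {}, now),
        "weak_login_outage": login_weak(active_enrolled(), True, "000000", backend_down),
        "hardened_login_outage": login_hardened(active_enrolled(), True, "000000", backend_down),
        "hardened_login_good_code": login_hardened(active_enrolled(), True, "123456", backend_ok),
        "hardened_login_bad_code": login_hardened(active_enrolled(), True, "000000", backend_ok),
        "weak_login_unenrolled": login_weak(Account("carol"), True, "", backend_ok),
        "hardened_login_unenrolled": login_hardened(Account("carol"), True, "", backend_ok),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28s} -> {'ALLOW' if outcome else 'DENY'}")
```

The design point is that availability of the MFA service and the state of the account are both inputs to the decision, and the safe default for each is to deny; the cost of a fail-closed outage is a help-desk ticket, whereas the cost of fail-open is an unmonitored path to persistence.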

Discovery

Actors may use dedicated tooling or built-in system utilities to scan internal networks and discover hosts for lateral movement. Actors may conduct internal scanning automatically or manually. Actors may use data stored on compromised hosts to discover information about other hosts or accounts.

Lateral movement

Actors may use legitimate credentials, administrative privileges, and built-in system utilities to conduct lateral movement using only resources which are already present in the victim environment. Actors may also use malware or post-exploitation tools to conduct lateral movement by exploiting vulnerable services or hosts internal to a victim environment.
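Three of the TTPs above share a shape that a detection engineer can exploit: one principal touching many targets in a short time. Password spraying (Initial access) is one source failing against many accounts, internal discovery is one host contacting many host/port pairs, and lateral movement with legitimate credentials is one account performing network logons to many hosts. The following is an added example, not part of the ACSC advisory, that generalises that idea into a single sliding-window fan-out detector and applies it to all three cases over constructed records. Record layouts, field names, thresholds and windows are assumptions to be tuned against a real environment's baseline; logon type 3 follows the Windows Security event convention for a network logon.

```python
"""Sliding-window fan-out detection for spraying, discovery and lateral movement.
Added example, not ACSC code; all records below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, Hashable, Iterable, List


def fan_out(records: Iterable[dict], key_fn: Callable[[dict], Hashable],
            target_fn: Callable[[dict], Hashable], window: timedelta,
            threshold: int) -> Dict[Hashable, int]:
    """Return {key: max distinct targets seen inside any window} for keys that
    reach `threshold` distinct targets within `window`. Records need a "ts"."""
    by_key: Dict[Hashable, List[tuple]] = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_key[key_fn(r)].append((r["ts"], target_fn(r)))
    hits: Dict[Hashable, int] = {}
    for key, items in by_key.items():
        best = 0
        for i, (start, _) in enumerate(items):  # window anchored at each event
            targets = {t for ts, t in items[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= threshold:
            hits[key] = best
    return hits


# --- One wrapper per TTP; thresholds are assumptions -----------------------
def detect_spraying(auth: Iterable[dict], window=timedelta(minutes=10), threshold=5):
    failures = [a for a in auth if not a["ok"]]
    return fan_out(failures, lambda a: a["src"], lambda a: a["user"], window, threshold)


def detect_discovery(flows: Iterable[dict], window=timedelta(minutes=5), threshold=15):
    return fan_out(flows, lambda f: f["src"], lambda f: (f["dst"], f["dport"]), window, threshold)


def detect_lateral_movement(logons: Iterable[dict], window=timedelta(minutes=30), threshold=4):
    network = [l for l in logons if l["logon_type"] == 3]  # Windows network logon
    return fan_out(network, lambda l: l["account"], lambda l: l["host"], window, threshold)


# --- Constructed sample records (documentation/private address ranges) -----
BASE = datetime(2022, 4, 1, 9, 0, 0)


def at(seconds: int) -> datetime:
    return BASE + timedelta(seconds=seconds)


AUTH = (  # one source fails against eight accounts in 70 s; alice mistypes once
    [{"ts": at(10 * i), "src": "198.51.100.7", "user": f"user{i:02d}", "ok": False} for i in range(8)]
    + [{"ts": at(600), "src": "192.0.2.10", "user": "alice", "ok": False},
       {"ts": at(620), "src": "192.0.2.10", "user": "alice", "ok": True}]
)

_PAIRS = [(h, p) for h in range(1, 13) for p in (445, 3389)]  # 12 hosts x 2 ports
FLOWS = (  # one host sweeps SMB/RDP across a subnet; another talks to one web server
    [{"ts": at(2 * n), "src": "10.0.0.25", "dst": f"10.0.0.{h}", "dport": p}
     for n, (h, p) in enumerate(_PAIRS)]
    + [{"ts": at(900 + 30 * i), "src": "10.0.0.30", "dst": "10.0.0.5", "dport": 443} for i in range(4)]
)

LOGONS = (  # a service account logs on over the network to six hosts in five minutes
    [{"ts": at(60 * i), "account": "svc-backup", "host": f"HOST{i + 1:02d}", "logon_type": 3} for i in range(6)]
    + [{"ts": at(100), "account": "jsmith", "host": "HOST01", "logon_type": 2},
       {"ts": at(200), "account": "jsmith", "host": "FILE01", "logon_type": 3}]
)


def run_sample() -> Dict[str, Dict[Hashable, int]]:
    return {
        "spraying": detect_spraying(AUTH),
        "discovery": detect_discovery(FLOWS),
        "lateral_movement": detect_lateral_movement(LOGONS),
    }


if __name__ == "__main__":
    for name, hits in run_sample().items():
        print(name, hits or "no hits")
```

The same helper serves all three detections because only the grouping key and the notion of "target" change; in production the thresholds should be set from a baseline of normal fan-out per source, account and host, and the alerts for a service account reaching many hosts should be joined with the account's expected scope before paging anyone.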

Impact

Actors may cause an impact to victim organisations by deploying ransomware or disruptive or destructive malware. Disruptive or destructive malware may be disguised as ransomware and present a ransom note despite not having a recovery mechanism.

Mitigation / How do I stay secure?

The ACSC recommends that organisations urgently adopt an enhanced cyber security posture. This should include reviewing and enhancing detection, mitigation, and response measures.

  • Patch applications and devices, particularly internet-facing services. Monitor for relevant vulnerabilities and security patches and consider bringing forward patch timeframes. Review the US CISA catalogue of known exploited vulnerabilities for relevance to your systems.
  • Implement mitigations against phishing and spear phishing attacks. Disable Microsoft Office macros by default and limit user privileges. Ensure that staff report all suspicious emails received, links clicked, or documents opened.
  • Organisations should ensure that logging and detection systems in their environment are fully updated and functioning and apply additional monitoring of their networks where required. Prioritise internet-facing and critical network services and ensure that logs are centrally stored.
  • Review incident response and business continuity plans. Plan responses to network compromise as well as disruptive or destructive activity such as ransomware. Ensure these plans are known to and actionable by staff and are accessible even when systems are down.
  • Organisations should also review the Essential Eight and prioritise remediating any identified gaps in Essential Eight maturity. Following this, organisations should review technical details associated with any specific threats they have identified as relevant and incorporate these into monitoring and response plans.
  • Review the TTPs and IOCs contained in this product and linked reporting to determine if related activity has occurred on your organisation’s network and establish detections on such activity where feasible.
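The last point above, sweeping logs and hosts for the IOCs in this product and the linked reporting, is mechanical enough to show as code. The following is an added example and not ACSC tooling; the advisory's actual IOCs are in the linked reporting and are not reproduced here, so the indicator set, log lines and file contents below are constructed placeholders (the hash is computed from the placeholder bytes at run time). The log formats and regular expressions are assumptions. Two details matter for a correct sweep and are handled here: network indicators are matched as whole tokens rather than substrings, so that an IOC of 203.0.113.77 does not fire on 203.0.113.7, and domain indicators also match their subdomains.

```python
"""Sweep constructed logs and file contents for constructed IOCs (added example)."""
import hashlib
import re
from typing import Dict, List, Set, Tuple

# --- Constructed indicator set (placeholders, not the advisory's IOCs) ------
CONSTRUCTED_SAMPLE = b"placeholder payload bytes for the example\n"
IOCS: Dict[str, Set[str]] = {
    "sha256": {hashlib.sha256(CONSTRUCTED_SAMPLE).hexdigest()},
    "domain": {"update-check.example", "cdn-assets.example"},  # .example is reserved
    "ip": {"203.0.113.77"},  # documentation range
}

# Assumed log formats: "dns query=<name> client=<ip>" and "fw src=<ip> dst=<ip> ..."
DOMAIN_RE = re.compile(r"query=(\S+)")
IP_RE = re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")


def domain_matches(name: str, indicators: Set[str]) -> bool:
    """Exact match or subdomain of an indicator; case- and trailing-dot-insensitive."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in indicators)


def scan_logs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (indicator type, matched value, log line) for every hit."""
    hits = []
    for line in lines:
        for m in DOMAIN_RE.finditer(line):
            if domain_matches(m.group(1), iocs["domain"]):
                hits.append(("domain", m.group(1), line))
        for m in IP_RE.finditer(line):
            if m.group(1) in iocs["ip"]:  # whole-token set lookup, never substring
                hits.append(("ip", m.group(1), line))
    return hits


def scan_files(files: Dict[str, bytes], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """files maps path -> content; constructed in memory here, read from disk in practice."""
    hits = []
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in iocs["sha256"]:
            hits.append((path, digest))
    return hits


# --- Constructed sample data -----------------------------------------------
LOG_LINES = [
    "2022-04-01T09:00:00 dns query=www.example.com client=10.0.0.12",
    "2022-04-01T09:00:05 dns query=update-check.example client=10.0.0.25",
    "2022-04-01T09:00:09 dns query=mail.update-check.example. client=10.0.0.25",
    "2022-04-01T09:01:00 fw src=10.0.0.25 dst=203.0.113.77 dport=443 action=allow",
    "2022-04-01T09:01:30 fw src=10.0.0.31 dst=203.0.113.7 dport=443 action=allow",
]
FILES = {
    "/tmp/benign.txt": b"hello\n",
    "/tmp/suspect.bin": CONSTRUCTED_SAMPLE,
}


def run_sample() -> Dict[str, list]:
    return {"logs": scan_logs(LOG_LINES, IOCS), "files": scan_files(FILES, IOCS)}


if __name__ == "__main__":
    for kind, hits in run_sample().items():
        for hit in hits:
            print(kind, *hit[:2])
```

A hit from this kind of sweep is a starting point for the incident response plan above, not a verdict: the matched host, account and time window should be pulled into the investigation, and the indicator list refreshed as the linked reporting is updated.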
