Corporate Australia has also experienced several recent high-profile security breaches this year.
The Prime Minister of Australia, Scott Morrison has announced the Government was made aware and responding to a sustained targeting of Australian governments and companies by a sophisticated state-based actor.
According to the Australian Cyber Security Centre (ACSC) the title ‘Copy-paste compromises’ is derived from the actor’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.
The ACSC’s Advisory 2020-008 details the tactics, techniques and procedures (TTPs) identified during the ACSC investigation of a cyber campaign targeting Australian networks. These TTPs are captured in the frame of tactics and techniques outlined in the MITRE ATT&CK framework.
During a press conference PM Morrison said, “based on advice provided” by “cyber experts”, Australian organisations are currently being targeted by a sophisticated state-based cyber actor.
“This act is targeting Australian organisations across a range of sectors including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure,” he said.
Research from Exabeam showed corporate Australia has experienced several recent high-profile security breaches. Lion was just hit by a major cyberattack and follows ransomware attacks on BlueScope Steel and Toll Group, and that’s just some of the ones identified.
According to the 2020 State of the Security Operations Centre Report, 82 per cent of organisations globally are entirely confident they can detect everything yet so many are still being breached. Specifically, the data shows that Australian Security Operation Centres appear less effective than global counterparts in nearly all categories, with needed improvements in technology updates and budgeting.
Every other country has a set cadence for training and planning – Australia SOCs lag with inconsistent random scheduling when it comes to educating their teams
Australian SOCs fell behind all other countries in their ability to monitor and review security events, to respond to incidents and auto-remediation
Australia security teams log less than 60 per cent of events, and felt the most pain around lack of visibility, lack of understanding of the network, the inability to find system owners and a large percentage of out-of-date systems
Australia respondents felt they were underfunded across all categories including technology, staff, training, and facilities – plus, one third report struggles with inexperienced staff. About 70 per cent believe investing in automation to save time will improve their SOC’s performance
Gareth Cox is VP of Asia, Pacific and Japan for Exabeam told CIO Tech Asia findings from the organisations 2020 State of the SOC report conducted across corporations in Australia found that there is a need for organisations to up their security game.
“Irrespective of who is behind [June 19th] attacks, we’ve known for some time that there is a skills shortage in security teams, but this is compounded by a lack of regular training and those limited resources using manual, time consuming processes to detect, investigate and respond to threats,” he said. “The cost of the recent attack on Lion is still being felt, and should act as a warning sign to corporate Australia, it’s not possible to simply throw more people at the problem, organisations need to look at how they can automate workflows through technology.”
George Prichici, Director of product management for OPSWAT, a US-based cyber security company focused on protecting critical infrastructure, explained why web shell attacks are becoming popular with malicious actors.
:In general, to run a web shell, you will need to exploit a vulnerability in the system to allow you to run your uploaded file, he said, “I’m able to execute code on the server (RCE) or perform a Local File Inclusion, then web shell or remote shell will be the natural thing to do to pretty much open a backdoor on your server.”
If the web app allows a file upload functionality, with almost no restrictions, then it is almost too easy for malicious actors, he says. “Detecting a web shell using signatures is not trivial and can be quite easily bypassed. At the end of the day, you can repackage it, hide it in some regular accepted files.”
Nicholas Sciberras CTO of Acunetix — a company that specialises in detecting web application vulnerabilities and the attack methods used to exploit them — counsels against relying on detection alone.
“Unprotected file upload functionality is just one of many vulnerabilities that may allow an attacker to upload malicious files to an organisation’s servers, he said. “With targeted attacks, detecting those files can be hit and miss. We know from experience that one of the best mitigation strategies an organisation can use is to detect vulnerabilities and remediate them before they are exploited.”
According to Sciberras identifying vulnerabilities like unrestricted file upload, RFI, SQLi, XSS and other vulnerabilities that facilitate the ability for malicious hackers to upload nefarious web shells to the web servers is critical.
“Closing these holes is relatively straightforward, but if they hadn’t been detected early on, post-incident clean-up and recovery could have been disastrous.”
Scott Hagenus, chief marketing officer of security product distributor — emt Distribution – said it’s easy to blame rising numbers of attacks on the increase in people working from home because of COVID-19.
“Many home workers are using poorly secured systems and there is an ever-present temptation to click on email links and attachments from dubious sources,” he said.
“While that is a definitely a major attack vector – and we’ve seen organisations racing to lock down unprotected endpoints but whatever means possible as a result – it doesn’t tell the whole story when it comes to malware attacks. Importantly, there remain significant vulnerabilities in many organisations’ defences.”
As a result, The Australian Signals Directorate and counterparts at the US National Security Agency (NSA) have for the first time jointly published new guidance on mitigating the threat of web shell malware.
“The advisory is significant. It makes it clear that there has been enough of an uptick in attacks throughout 2019, and of a high enough risk weighting, to warrant the advisory, and to the increasing use of web shells by adversaries to gain reliable access to compromised systems,” said Hagenus.
This is before taking into account any increase in cyberattacks this year,” he said.
“Or the fact that, post COVID-19, it’s become harder to defend against attacks given the dispersed nature of the workforce which both increases an organisations attack surface and stretches their defensive capabilities.”
“The ASD and the NSA suggest a number of measures that organisations can take to detect and protect themselves against web shell malware. Like many government advisories, it can be hard to know where to start,” Hagenus said. “But it really doesn’t have to be difficult if you take a solutions-led approach.”