Australian organisations should urgently adopt enhanced cyber security


Context

The ACSC is not currently aware of a specific or credible cyber threat to Australian organisations.

Following the attack on Ukraine, there is heightened cyber risk globally, and the threat of cyber attacks on Australian networks, whether targeted directly or affected inadvertently, has increased. While the ACSC has no specific intelligence relating to a cyber attack on Australia, this could change quickly.

It is critical that Australian organisations are alert to these threats, adopt an enhanced cyber security posture and increase monitoring for threats. These actions will help to reduce the impact of any cyber attack on Australian organisations.

On 23 February 2022, the ACSC released the alert: Australian organisations encouraged to urgently adopt an enhanced cyber security posture. This Technical Advisory provides additional information to support entities to take appropriate actions to secure their systems and networks.

This advisory has been compiled with respect to the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

This advisory draws on information derived from ACSC partner agencies and industry sources.

Destructive malware targeting organisations in Ukraine

The ACSC is aware of reporting that threat actors have deployed destructive malware to target organisations in Ukraine. This advisory provides additional indicators of compromise (IOCs) to assist organisations to detect the WhisperGate, HermeticWiper, and IsaacWiper destructive malware.

Destructive malware can present a direct threat to an organisation’s daily operations, impacting the availability of critical assets and data.

Ongoing threat of ransomware

Australian organisations should continue to maintain vigilance against the threat of ransomware. Threat actors believed to be associated with Conti have claimed they will target unspecified critical infrastructure in response to cyber or military actions against Russia. The ACSC has published a profile on Conti's background, threat activity, and mitigation advice. Tactics, techniques, and procedures associated with Conti ransomware are included in this advisory.

Ongoing Russian state-sponsored targeting of network devices

The ACSC is aware that state-sponsored actors continue to target routers and other network devices. The ACSC has previously released an alert relating to Russian state-sponsored targeting of network devices and advised Australian organisations to secure certain Cisco features to mitigate against this activity. The ACSC encourages organisations to refer to these publications as well as the 2018 US Cybersecurity and Infrastructure Security Agency (CISA) publication Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices and the 2022 US National Security Agency (NSA) publication on Network Infrastructure Security Guidance to secure their networks against this activity.

Tactics, Techniques, and Procedures (TTPs)

Initial access:

Spear phishing emails may be sent with malicious HTML attachments, with lures tailored to the targeted organisation. The HTML file (.html) contains an obfuscated JavaScript payload that writes out and mounts an .ISO image, which Windows presents much like an external drive. The mounted image contains a .lnk shortcut that executes a hidden .dll, which in turn loads further payloads such as Cobalt Strike.

Threat actors use brute force techniques to identify valid account credentials for domain and M365 accounts. After obtaining domain credentials, the actors use them to gain initial access to the networks.

Threat actors send spear phishing emails with links to malicious domains and use publicly available URL shortening services to mask the link. Embedding shortened URLs instead of actor-controlled malicious domains is an obfuscation technique meant to bypass virus and spam scanning tools. The technique often promotes a false legitimacy to the email recipient, increasing the probability of a victim’s clicking on the link.

Threat actors use harvested credentials in conjunction with known vulnerabilities in public-facing applications, such as Microsoft Exchange Server (for example, CVE-2020-0688 and CVE-2020-17144) and VPN gateways, to escalate privileges and gain remote code execution (RCE) on the exposed application. In addition, threat actors have exploited CVE-2018-13379 in the Fortinet FortiOS SSL VPN web portal to obtain credentials used to access networks.

Actors have gained initial access to victim organisations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion.

Persistence: 

In multiple instances, threat actors maintained persistent access for at least six months. Although the actors have used a variety of malware to maintain persistence, they have also used “living off the land” techniques.

Malicious actors have moved laterally through networks, compromised user and administrator accounts, hosts and servers including Domain Controllers. The actors have downloaded additional malware and continued to communicate with infrastructure that is known to be compromised or co-opted. The actors have scheduled and executed malicious PowerShell scripts and deployed malicious .dll files and other tools, including Cobalt Strike Beacons, to establish persistence.

The actors have used the Exchange PowerShell cmdlet New-ManagementRoleAssignment to grant the 'ApplicationImpersonation' role to a compromised account. This role allows the account to act on behalf of any mailbox in the organisation through Exchange Web Services, so it provides durable access to email that survives the reset of individual user passwords.
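As an added example (not ACSC's code), the following PowerShell audits who holds ApplicationImpersonation and who granted it. It assumes an Exchange Management Shell or Exchange Online PowerShell session is already connected, and the $Expected allow-list is a hypothetical placeholder for the accounts your organisation has knowingly given the role.

```powershell
# Added example, not from the ACSC advisory. Assumes an Exchange (on-premises or
# Exchange Online) PowerShell session is already connected.
# $Expected is a hypothetical allow-list of accounts that legitimately hold the role.
$Expected = @('svc-backup-ews')

# 1. Every effective holder of ApplicationImpersonation, whether assigned directly
#    or inherited through a role group.
$assignments = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, EffectiveUserName

$unexpected = $assignments | Where-Object { $_.EffectiveUserName -notin $Expected }
if ($unexpected) {
    Write-Warning 'Unexpected ApplicationImpersonation holders (review each one):'
    $unexpected | Format-Table -AutoSize
}
else {
    Write-Host 'All ApplicationImpersonation holders are on the allow-list.'
}

# 2. Who granted the role and when. The 180-day window matches the six-month
#    persistence period described in the advisory (window length is an assumption).
Search-AdminAuditLog -Cmdlets New-ManagementRoleAssignment `
    -StartDate (Get-Date).AddDays(-180) -EndDate (Get-Date) |
    Where-Object { $_.CmdletParameters.Value -contains 'ApplicationImpersonation' } |
    Select-Object RunDate, Caller, ObjectModified,
        @{ n = 'Parameters'; e = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' } } |
    Sort-Object RunDate -Descending |
    Format-Table -AutoSize
```

The second query is the one that catches the persistence step itself: a grant made by an account that is not one of your Exchange administrators, or made outside a change window, is the signal to chase. In Exchange Online the admin audit log is also available through Search-UnifiedAuditLog, which should be preferred where Search-AdminAuditLog has been retired.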

Privilege Escalation:

Malicious actors have targeted and compromised the systems and accounts of privileged Cloud Administrators. Subsequently, actors have attempted to generate various Azure Active Directory (AAD) tokens, create users, and grant roles to users and applications in order to maintain persistence.
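As an added example (not ACSC's code), the following PowerShell reviews the three Azure AD artefacts that this activity leaves behind: directory role grants, credentials added to service principals, and the current Global Administrator membership. It assumes the Microsoft.Graph module is installed and that Connect-MgGraph has already been run with the AuditLog.Read.All and Directory.Read.All scopes; the 30-day window is an assumption.

```powershell
# Added example, not from the ACSC advisory. Assumes:
#   Install-Module Microsoft.Graph
#   Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'
# The 30-day look-back is an assumption; adjust to your retention.
$lookback = (Get-Date).AddDays(-30)
$since    = $lookback.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# 1. Directory audit events for role grants and service principal credential additions.
$filter = "activityDateTime ge $since and (activityDisplayName eq 'Add member to role' " +
          "or activityDisplayName eq 'Add service principal credentials')"
Write-Host "== Role grants and service principal credential additions since $since =="
Get-MgAuditLogDirectoryAudit -Filter $filter -All |
    ForEach-Object {
        # The initiator is either a user or an application; report whichever is set.
        $actor = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
                 else { $_.InitiatedBy.App.DisplayName }
        [pscustomobject]@{
            Time     = $_.ActivityDateTime
            Activity = $_.ActivityDisplayName
            Actor    = $actor
            Target   = ($_.TargetResources | ForEach-Object DisplayName) -join ', '
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize

# 2. Service principals that received a new key or password credential in the window,
#    the classic way to keep application-level access after user passwords are reset.
Write-Host '== Service principals with credentials added in the window =='
Get-MgServicePrincipal -All -Property DisplayName, AppId, KeyCredentials, PasswordCredentials |
    ForEach-Object {
        $sp = $_
        @($sp.KeyCredentials) + @($sp.PasswordCredentials) |
            Where-Object { $_.StartDateTime -ge $lookback } |
            ForEach-Object {
                [pscustomobject]@{
                    ServicePrincipal = $sp.DisplayName
                    AppId            = $sp.AppId
                    Added            = $_.StartDateTime
                    Expires          = $_.EndDateTime
                }
            }
    } | Format-Table -AutoSize

# 3. Current Global Administrators: compare against the list you expect to see.
Write-Host '== Current Global Administrator members =='
$role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Global Administrator'
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    ForEach-Object {
        if ($_.AdditionalProperties['userPrincipalName']) { $_.AdditionalProperties['userPrincipalName'] }
        else { $_.AdditionalProperties['displayName'] }   # service principals and groups have no UPN
    }
```

Run it from a dedicated, hardened administration workstation rather than the Cloud Administrator's daily-use machine, since that machine is exactly what this technique targets.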

Credential Access:

Malicious actors can operate a Kubernetes cluster, which allows them to conduct distributed and large-scale targeting using password spray and password guessing.
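Both the brute-force initial access described under Initial Access and the distributed password spraying described here show up in the same place on-premises: Windows Security Event ID 4625 (failed logon) on domain controllers. The following PowerShell, added here as an example and not part of the ACSC advisory, flags a source that fails against many distinct accounts within a short window, which is what distinguishes a spray from an ordinary mistyped password. The sample events are constructed for the demonstration; the thresholds are assumptions to tune for your environment.

```powershell
# Added example, not from the ACSC advisory.
# Detects password-spray patterns in objects shaped like parsed 4625 events:
# TimeCreated (DateTime), IpAddress (string), TargetUserName (string).
function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes       = 60,   # assumption: tune for your environment
        [int] $MinDistinctAccounts = 10    # assumption: tune for your environment
    )
    foreach ($group in ($Events | Group-Object IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        $start  = 0
        # Sliding window: advance $end, drop events from $start that fall outside the window.
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            while (($sorted[$end].TimeCreated - $sorted[$start].TimeCreated).TotalMinutes -gt $WindowMinutes) {
                $start++
            }
            $window   = @($sorted[$start..$end])
            $accounts = @($window | ForEach-Object TargetUserName | Sort-Object -Unique)
            if ($accounts.Count -ge $MinDistinctAccounts) {
                [pscustomobject]@{
                    SourceIp         = $group.Name
                    Failures         = $window.Count
                    DistinctAccounts = $accounts.Count
                    FirstSeen        = $sorted[$start].TimeCreated
                    LastSeen         = $sorted[$end].TimeCreated
                }
                break   # one finding per source is enough to raise an alert
            }
        }
    }
}

# Constructed sample data (not real log lines):
#  - 203.0.113.7 fails once each against 12 different accounts in 12 minutes (a spray)
#  - 198.51.100.9 fails 8 times against the one account 'alice' (not a spray)
$base   = Get-Date '2022-03-01T09:00:00'
$sample = @()
1..12 | ForEach-Object {
    $sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes($_);     IpAddress = '203.0.113.7';  TargetUserName = "user$_" }
}
1..8  | ForEach-Object {
    $sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes($_ * 3); IpAddress = '198.51.100.9'; TargetUserName = 'alice' }
}

Find-PasswordSpray -Events $sample | Format-Table -AutoSize

# Real data: parse 4625 events from the Security log on a domain controller or log collector.
# $raw    = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) }
# $events = $raw | ForEach-Object {
#     $d = @{}
#     ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [pscustomobject]@{ TimeCreated = $_.TimeCreated; IpAddress = $d['IpAddress']; TargetUserName = $d['TargetUserName'] }
# }
# Find-PasswordSpray -Events $events | Format-Table -AutoSize
```

Only the first constructed source meets the distinct-account threshold, which is the point of the check: a spray sends one or two guesses per account across many accounts to stay under lockout thresholds, so counting failures per account will not see it, while counting distinct accounts per source will. For Microsoft 365 the same logic applies to Azure AD sign-in logs, keyed on the sign-in IP and the user principal name, and a distributed spray from a cluster (many source IPs, few attempts each) is better caught by grouping on the user-agent or on the set of targeted accounts than on the IP alone.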

Lateral Movement:

After some victims reset passwords for individually compromised accounts, the actors have pivoted to other accounts, as needed, to maintain access.

Collection:

Using compromised M365 credentials, including global admin accounts, the threat actors can gain access to M365 resources, including SharePoint pages, user profiles, and user emails.

Mitigation / How do I stay secure?

The ACSC recommends that organisations urgently adopt an enhanced cyber security posture. This should include reviewing and enhancing detection, mitigation, and response measures.

Organisations should ensure that logging and detection systems in their environment are fully updated and functioning and apply additional monitoring of their networks where required.

Review the TTPs contained in this advisory to determine whether related activity has occurred on your organisation's network. The ACSC recommends organisations focus on monitoring for:

  • Active Directory (AD) configuration changes.
  • Abuse of delegated privileges and service principals in Azure.
  • Active Directory Federation Services (AD FS) configuration changes.
  • Sign-ins from unusual locations, including Tor exit nodes; consider conditional access policies to block them.
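As an added example (not ACSC's code), the following PowerShell pulls the Windows events behind the first and third items in the list from a domain controller (or a collector that forwards its Security log) and from an AD FS server. The event IDs are Microsoft's documented values; the 24-hour window is an assumption. The Azure items need the Graph API rather than Windows event logs and are not covered by this script.

```powershell
# Added example, not from the ACSC advisory. Run on a domain controller (or a log
# collector that forwards its Security log) and on each AD FS server.
# The 24-hour look-back is an assumption; tune to how often the check runs.
$since = (Get-Date).AddHours(-24)

# Flatten an event's EventData into a name/value hashtable so fields can be read
# by name rather than by position (positions differ between event IDs).
function ConvertFrom-EventData {
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $d = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    return $d
}

# 1. AD configuration changes: new or enabled accounts, privileged group membership,
#    and directory object modifications (5136 requires the "Audit Directory Service
#    Changes" subcategory and a SACL on the objects of interest).
$adIds = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    5136 = 'Directory service object modified'
}
Write-Host "== AD changes since $since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($adIds.Keys); StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        # 5136 names the object and attribute; the others name a target account/group.
        $target = if ($d['ObjectDN']) { "$($d['ObjectDN']) [$($d['AttributeLDAPDisplayName'])]" }
                  else { $d['TargetUserName'] }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            What   = $adIds[$_.Id]
            Actor  = $d['SubjectUserName']
            Target = $target
            Member = $d['MemberName']   # populated for the group-membership events
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize

# 2. AD FS configuration changes: 307 records that the Federation Service configuration
#    was changed; 510 with the same Instance ID carries the details of the change.
Write-Host "== AD FS configuration changes since $since =="
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 307, 510; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'InstanceId'; e = { $_.ActivityId } }, Message |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize -Wrap
```

Treat any 307/510 pair outside a planned change, and any 4728/4732/4756 adding a member to Domain Admins, Enterprise Admins, or an Exchange or AD FS administrative group, as an incident until shown otherwise. Forward these logs off the host: the persistence techniques in this advisory include tampering with Domain Controllers, so the evidence should not live only on the machine the actor controls.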
