Security advisories | Jun 19, 2020

APT Targeting Australian Interests

THE THREAT

On Thursday, June 18th, 2020, the Australian Cyber Security Centre (ACSC) released a report on ongoing attacks targeting government entities and private organizations located in Australia [1]. The observed attacks make heavy use of publicly available tools and exploits, including proof-of-concept exploit code and web shells. The goal of this campaign is not clear at this time, but based on the contents of the report there are no indications of ransomware or destructive malware.

ACSC states this campaign is likely being carried out by a nation-state APT group but does not attempt to attribute the attacks to any specific nation-state group. Organizations with a presence in Australia should be on high alert for unusual activity and phishing emails.

What we’re doing about it

  • eSentire has analyzed the report and assessed the detection methods in place prior to the release of the ACSC report:
    • esNETWORK rules are in place to detect exploitation of CVE-2019-18935, CVE-2019-19781 and CVE-2019-0604
    • esENDPOINT rules are in place for exploitation of CVE-2019-18935
    • BlueSteel via esENDPOINT performs advanced detection against the PowerShell techniques identified in this campaign
    • esLOG contains detections for the exploitation of CVE-2019-19781
    • MVS (formerly esRECON) is actively using a local plugin to identify the vulnerability CVE-2019-18935
    • MVS (formerly esRECON) is actively using plugins to identify the vulnerabilities CVE-2019-19781 and CVE-2019-0604
  • Known Indicators of Compromise (IoCs) relating to these attacks are being tracked and related IP addresses have been added to the eSentire Global Blacklist
  • Additional detection methods to identify the specific tools and techniques used in this campaign are under evaluation

What you should do about it

  • Employ Multi-Factor Authentication (MFA) for email and externally facing services
  • Ensure that externally facing systems are up to date on security patches
  • Keep employees up to date on recent email-based threats
  • For additional recommendations, please see the ACSC report

Additional information

To gain initial access to organizations, the threat actors attempt to exploit four separate weaknesses: CVE-2019-18935 (Telerik), CVE-2019-19781 (Citrix), CVE-2019-0604 (SharePoint) and VIEWSTATE handling in Microsoft IIS servers. If these systems are not present or are up to date on security patches, the threat actors shift to spear phishing emails for initial access.

Once initial access is gained, the threat actors deploy additional tools for persistence on and interaction with victim networks. In order to minimize the likelihood of detection, the threat actors employed stolen credentials for persistence.

Details relating to this campaign are still limited and additional details are expected in the near future.

For additional details on the exploited Citrix vulnerability CVE-2019-19781, see the eSentire advisory "Critical Update To Citrix Vulnerability Exploited".

For additional details on the exploited Telerik vulnerability CVE-2019-18935, see the eSentire advisory "Active Exploitation of CVE-2019-18935".

References:

[1] https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf