//Blogs - 21 June 2020

AusCERT commentary "major cyber attack on Australian governments and business"

Friday 19 June 2020
11.45am AEST

This morning Prime Minister Scott Morrison and Minister for Defence Linda Reynolds announced that Australian organisations, including governments and businesses, are currently being targeted by a sophisticated foreign “state-based” actor. [1]

The Prime Minister said there did not appear to have been any large-scale breaches of people's personal information, but described the attacks as malicious.

"It is imperative that Australian organisations are alert to this threat and take steps to enhance the resilience of their networks. Cyber security is everyone’s responsibility."

As an initial step, we encourage everyone to follow the Government’s latest advisory from the ACSC and ASD. [2] 

Echoing the words of the Minister for Defence Linda Reynolds, we recommend members promptly patch internet-facing software, devices and operating systems, and implement multi-factor authentication across all remote services. [2]

In addition to the above, this most recent ACSC advisory notes that the threat actors are exploiting publicly known vulnerabilities for which patches or mitigations are already available. The following vulnerabilities are actively being used for initial access: CVE-2019-18935, CVE-2019-19781 and CVE-2019-0604.

AusCERT strongly encourages members to ensure that all Microsoft SharePoint, Citrix ADC, Citrix Gateway and Telerik UI installations are kept up to date.

Members, now is the time to review these vulnerability vectors and check whether any of the published indicators of compromise can be found in attempts to access your network, or in traces of activity left within it.

Once you have verified that the IoCs have not affected your network, it will be beneficial to review and apply ASD's Essential Eight where applicable. [3]
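One practical way to carry out that IoC review is to take the indicators from the advisory and run them over your proxy or web logs. The script below is an added illustration written for this commentary; it is not AusCERT tooling and does not contain any indicator from the ACSC advisory. The indicator values (TEST-NET address, example.* names, a sample SHA-256) and the log lines are constructed placeholders, and the six-field log format is an assumption chosen to keep the example self-contained. Advisory feeds are usually published defanged (hxxp, [.]), so the script refangs indicators before matching, and it treats a domain indicator as also covering its subdomains.

```python
"""Match defanged indicators of compromise against proxy logs (added example)."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed indicators in the defanged style used by advisories and TI feeds.
# Placeholder values only (TEST-NET address, example.* names, sha256 of "test"),
# NOT indicators from ACSC advisory 2020-008.
CONSTRUCTED_IOCS = [
    {"type": "ip-dst", "value": "203[.]0[.]113[.]10"},
    {"type": "domain", "value": "update-check[.]example"},
    {"type": "url", "value": "hxxps://cdn-assets[.]example/loader.js"},
    {"type": "sha256", "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
]

# Constructed proxy log (assumed format): timestamp client method url sha256-of-body status.
# "-" means no body hash was recorded. Not real traffic.
CONSTRUCTED_LOG = """\
2020-06-19T09:12:01Z 10.1.2.3 GET https://intranet.corp.example/home - 200
2020-06-19T09:13:44Z 10.1.2.9 GET https://cdn-assets.example/loader.js 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 200
2020-06-19T09:15:02Z 10.1.2.9 POST http://203.0.113.10/api/beacon - 403
2020-06-19T09:16:30Z 10.1.2.5 GET https://www.update-check.example/ping - 200
"""


def refang(value: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] / (.) -> ., [:] -> : ; lower-case the result."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return v.lower()


def parse_log_line(line: str):
    """Split one log line into a record; return None for lines that do not fit the assumed format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, digest, status = parts
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "url": url,
        "sha256": None if digest == "-" else digest.lower(),
        "status": status,
    }


def _host_matches_ip(host: str, ioc_ip: str) -> bool:
    # Compare as addresses so that textual variants (e.g. IPv6 zero compression) still match.
    try:
        return ip_address(host) == ip_address(ioc_ip)
    except ValueError:
        return False


def _host_matches_domain(host: str, domain: str) -> bool:
    # A domain indicator also covers its subdomains (www.update-check.example matches update-check.example).
    return host == domain or host.endswith("." + domain)


def find_ioc_hits(log_text: str, iocs) -> list:
    """Return one hit record per (log line, indicator) pair that matches."""
    hits = []
    normalised = [(i["type"], refang(i["value"])) for i in iocs]
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_log_line(line)
        if rec is None:
            continue
        host = (urlsplit(rec["url"]).hostname or "").lower()
        for ioc_type, ioc in normalised:
            if ioc_type == "ip-dst":
                matched = _host_matches_ip(host, ioc)
            elif ioc_type == "domain":
                matched = _host_matches_domain(host, ioc)
            elif ioc_type == "url":
                matched = rec["url"].lower() == ioc
            elif ioc_type == "sha256":
                matched = rec["sha256"] == ioc
            else:
                matched = False
            if matched:
                hits.append({"line": n, "client": rec["client"], "type": ioc_type, "ioc": ioc})
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(CONSTRUCTED_LOG, CONSTRUCTED_IOCS):
        print(f"line {hit['line']}: client {hit['client']} matched {hit['type']} {hit['ioc']}")
```

Run against the constructed log, the script reports four hits: the loader download matches both the URL and the body hash, the beacon matches the IP indicator, and the www. host matches the domain indicator. A hit is the start of an investigation rather than a verdict, so the client address is carried through to make pivoting to host-level evidence straightforward.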

With respect to the IoCs shared in [2], our team has ingested them into our MISP instance and is happy to coordinate the sharing of relevant information with our members. As always, members are welcome to contact us for further information and assistance via auscert@auscert.org.au.

Last but not least, AusCERT is working with our international cyber security counterparts to handle the indicators of compromise (IoCs).

[1] https://www.abc.net.au/news/2020-06-19/foreign-cyber-hack-targets-australian-government-and-business/12372470

[2] https://www.cyber.gov.au/news/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks

[3] https://www.cyber.gov.au/publications/essential-eight-explained

Additional references:

Recent ACSC Advisories via https://www.cyber.gov.au/

  • Advisory 2020-008: Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks (18 June 2020)
  • Advisory 2020-006: Active exploitation of vulnerability in Microsoft Internet Information Services (last updated 22 May 2020)
  • Advisory 2020-004: Remote code execution vulnerability being actively exploited in vulnerable versions of Telerik UI by sophisticated actors (last updated 22 May 2020)

Recent NIST Advisories via https://www.nist.gov/


Our own guidance on consuming YARA rules