[LINK] ASSC Advisory

[Stephen Loosley]

Australian Signals Directorate

ASSC Australian Cyber Security Centre

(The ACSC encourages all eligible organisations to become an ACSC Partner)


Advisory 2020-008: Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks

Version W1, last updated: 18 June 2020  https://www.cyber.gov.au/threats/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks

Overview

This advisory details the tactics, techniques and procedures (TTPs) identified during the Australian Cyber Security Centre’s (ACSC) investigation of a cyber campaign targeting Australian networks. These TTPs are captured in the frame of tactics and techniques outlined in the MITRE ATT&CK framework.

Campaign summary

The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.

The title ‘Copy-paste compromises’ is derived from the actor’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.

The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI. Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.

The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.

When the exploitation of public-facing infrastructure did not succeed, the ACSC has identified the actor utilising various spearphishing techniques. This spearphishing has taken the form of:

links to credential harvesting websites
emails with links to malicious files, or with the malicious file directly attached
links prompting users to grant Office 365 OAuth tokens to the actor
use of email tracking services to identify the email opening and lure click-through events.

Once initial access is achieved, the actor utilised a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials. To successfully respond to a related compromise, all accesses must be identified and removed.

In interacting with victim networks, the actor was identified making use of compromised legitimate Australian web sites as command and control servers. Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic. This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations.

During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.

Detection and mitigation recommendations

It is imperative that Australian organisations are alert to this threat and take steps to enhance the resilience of their networks. Cyber security is everyone’s responsibility.

ACSC recommended prioritised mitigations

During the course of its investigations the ACSC has identified two key mitigations which, if implemented, would have greatly reduced the risk of compromise by the TTPs identified in this advisory.

Prompt patching of internet-facing software, operating systems and devices

All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available. Organisations should ensure that security patches or mitigations are applied to internet-facing infrastructure within 48 hours. Additionally organisations, where possible, should use the latest versions of software and operating systems.

Use of multi-factor authentication across all remote access services

Multi-factor authentication should be applied to all internet-accessible remote access services, including:

web and cloud-based email
collaboration platforms
virtual private network connections
remote desktop services.

ACSC recommended additional mitigations

Beyond the ACSC recommended key mitigations above, the ACSC strongly recommends implementing the remainder of the ASD Essential Eight controls.

During investigations, a common issue that reduced the effectiveness and speed of investigative efforts was the lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs. The ACSC strongly recommends reviewing and implementing the ACSC guidance on Windows Event Logging and Forwarding and System Monitoring.

ACSC recommended detection advice

Where available, campaign activity-specific and practical detection techniques have been included in this advisory. This advisory does not attempt to include detection technique recommendations for all ATT&CK techniques identified. For general detection and mitigation advice, please consult the ‘Mitigations’, ‘Data Sources’ and ‘Detection’ sections on each linked MITRE ATT&CK technique web page.

The ACSC strongly recommends that organisations review and implement the identified TTPs, detection recommendations and indicators in this advisory and associated files to help identify malicious activity related to this campaign.

Indicators of compromise

This advisory contains some indicators in the body of the advisory, however this is not an exhaustive list and are included for illustrative purposes. The full list of indicators of compromise and signatures associated with this campaign are available in the associated indicators released under the 2020-008 identifier.

Incident reporting

If you have questions about this advice or have indications that your environment has been compromised, contact the ACSC by emailing asd.assist at defence.gov.au or calling 1300 CYBER1 (1300 292 371).

Becoming an ACSC Partner

The ACSC encourages all eligible organisations to become an ACSC Partner. As a partner, you will automatically receive threat intelligence, consisting of context-rich, actionable and timely information in a variety of formats, including advisories and automated indicator sharing.

Further information

The table of contents of the complete advisory, including indicators of compromise and code examples, is below. See the PDF or Word versions for full details.

Table of contents
Initial access
Execution
Persistence
Privilege escalation
Defence evasion
Credential access
Discovery
Lateral movement
Collection
Command and control
Exfiltration
Impact
Appendix A – Web shells
Appendix B – HTTPCore malware
Appendix C – Malicious Office macros
Appendix D – PowerShell Reverse Shell
Appendix E – LibraryPSE – PowerShell Empire
Appendix F – HTTPotato

ACSC-Advisory-2020-008-Copy-Paste-Compromises.docx
ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf
ACSC-Advisory-2020-008-Copy-Paste-Compromises-Indicators-of-Compromise.csv
ACSC-Advisory-2020-008-Copy-Paste-Compromises-Web-Shell-Source.txt