Australia’s Cyber Security Centre explains the techniques used by hackers
Australian Cyber Security Centre warns citizens of ‘crypto-jacking’ malware
The Australian Cyber Security Centre released an advisory last week describing the tactics, techniques and procedures (TTPs) identified during the Centre’s investigation of a cyber campaign against Australian networks.
It stated that the government recognised the coordinated cyber-targeting of Australian institutions and was working on a response. The 48-page report outlined the vulnerabilities being exploited by the “group of state actors” and cautioned the Australian public about crypto-jacking malware attacks.
“The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor,” the report stated.
Four major vulnerabilities were highlighted in the report: a remote code execution vulnerability in unpatched versions of Telerik UI, a vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.
Instances of cyber-criminals using spear-phishing techniques have also been recorded.
“Once initial access is achieved, the actor utilised a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials,” the report explained.
The critical Telerik UI vulnerability, CVE-2019-18935, is the same one recently leveraged by the Blue Mockingbird malware gang to infect thousands of systems with XMRig, a Monero mining software. Although the report’s description of the CVE-2019-18935 exploitation shows similarities to the Blue Mockingbird modus operandi, it cannot be taken as an indication that that gang participated in the organised attacks.
More than 10 Chinese hacker groups with alleged connections to the Chinese Government have PlugX, one of the malware families identified in the Australian Government’s report, in their arsenal.
Rising diplomatic tensions between the two countries regarding the investigation into the origin of the Coronavirus have led some Australian officials to suggest that China could be behind the targeted cyber-attack.
“We have some of the best agencies in the world … working on this and that means that they are putting all of their efforts into thwarting these attempts,” Australian Prime Minister Scott Morrison recently stated.