Australian Prime Minister Scott Morrison addressed the Australian people this morning and announced that Australia is currently facing a cyber-attack. In his statement he specified that the attack “hadn’t just started,” implying that attacks had been taking place for some time now. According to his address, the attacks are impacting both government organizations and Australian businesses. While no specific group or nation was accused of carrying out the attacks, it was said that the attack appeared to be “state sponsored,” indicating that attackers who were acting on behalf of a foreign government were responsible. The Australian Cyber Security Centre published an advisory note which indicated that the campaign primarily utilizes Remote Code Execution (RCE) vulnerabilities. The attackers are utilizing these vulnerabilities to run malicious code to steal information as well upload their own tools to the targeted system. According to the advisory, the attackers have been utilizing a spearphishing campaign to target systems when exploiting publicly-facing infrastructure does not work. Targeted systems include Microsoft Internet Information Services, SharePoint servers, and Citrix gateways and servers.
While no specific threat actor or nation have been accused of being behind the attack, many have begun to speculate that Chinese threat actors are behind the ongoing attack campaign. China and Australia have been at odds on a number of key regional, international, and economic issues in recent years. These tensions have only been compounded given Australia’s close ties with many western nations, and those nations’ increased pressure on China over a number of economic issues and their expansion in the South China Sea. China has been suspected of being behind a number of high-profile attacks on the Australian government, private businesses, and educational institutions in recent years. The advice given by the Australian government are best practices for any organizations around the world, not just those targeted by this current campaign against Australia. Important steps in combatting campaigns such as this include: ensuring that all systems are up-to-date with the latest version and security patches, changing passwords regularly, logging off devices when not in use, implementing multi-factor authentication, and conducting scans at regular intervals to identify malicious software. Utilization of external monitoring software and services, such as SEIM monitoring and Endpoint Detection and Response (EDR), also provide an important layer of protection while also allowing for an extra set of “eyes on the glass” to allow for earlier detection of an intrusion. More information on this incident can be found at:
The advisory from the Australian Cyber Security Centre can be found at: https://theconversation.com/australia-is-under-sustained-cyber-attack-warns-the-government-whats-going-on-and-what-should-businesses-do-141119