Australian Prime Minister Scott Morrison, in an urgent press conference held in Canberra, briefed about sustained cyberattacks carried out by a sophisticated state-sponsored actor. These cyberattacks are not only targeted toward government organizations but also toward known corporate entities in the country.
The Australian government is not making any public attribution in regards of the state-actor involved, but investigations confirm that there are not a very large number of state-based actors that can engage in this type of activity.
What the PM Says…
After a detailed briefing received from the Australian Cyber Security Center (ACSC), Prime Minister Morrison told the media, “Australian organizations are currently being targeted by a sophisticated state-based cyber actor. Organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, central service providers, and operators of other critical infrastructure, are all being targeted.”
When quizzed about China’s involvement in this series of sustained cyberattacks, Morrison quickly retorted, “The Australian government is not making any public attribution on these matters. What I simply can confirm is there are not a very large number of state-based actors that can engage in this type of activity and it is clearly based on the advice that we have received (from ACSC) that this has been done by a state-based actor with very significant capabilities.”
Australian Cyber Security Center Findings
Based on the intensive investigation carried out by the ACSC, an advisory has been released by them for all businesses and organizations in Australia against the ongoing campaign. The Advisory 2020-008 titled “Copy-paste compromises” derives its name from the state actor’s heavy use of proof-of-concept (POC) exploit code, web shells, and other tools copied from the open-source.
A few of the logged vulnerabilities exploited by the state-actor are:
- Vulnerabilities in the unpatched versions of Telerik UI
- Deserialization vulnerability in Microsoft Internet Information Services (IIS)
- A 2019 SharePoint vulnerability
- The 2019 Citrix vulnerability
Advise Given
Although there are no specifically applicable mitigation measures to these sustained cyberattacks, yet, ACSC suggested these two key steps for reducing the risk of compromise:
- Immediately apply the latest updates and patches available to all software, operating systems, and devices connected to the internet.
- Employ multi-factor (MFA) authentication for all services accessed remotely (like web and cloud-based email, collaboration platforms, VPN connections, RDP services).
