Australian PM says nation under serious state-run 'cyber attack' – Microsoft, Citrix, Telerik UI bugs 'exploited'

Australian Prime Minister Scott Morrison has called a snap press conference to reveal that the nation is under cyber-attack by a state-based actor, but the nation’s infosec advice agency says that while the attacker has gained access to some systems it has not conducted “any disruptive or destructive activities within victim environments.”

Morrison said the attack has targeted government, key infrastructure and the private sector, and was sufficiently serious that he took the courteous-in-a-crisis, but not-compulsory step, of informing the leader of the opposition about the incident. He also said that the primary purpose of the snap press conference was to inform and educate Australians about the incident.

But Morrison declined to state whether Australian defence agencies have identified the source of the attack and said evidence gathered to date does not meet the government’s threshold of certainty to name the attacker.

Nor did he detail the impact of the attack, saying only that he has not received advice that it has resulted in significant breaches of personal information. He also said the attack is not entirely new and that similar attacks are ongoing and to be expected. He did not detail any new peak in activity or incident that made announcing the news today an imperative.

Australia’s cyber-defence advice agency, the Australian Cyber Security Centre (ACSC), has published an advisory titled “Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks,” that offers a few more details.

Among that document’s observations is “during its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.”

Also revealed is that the attack started with “… number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI.”

“Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.”

The ACSC said attacks on public-facing infrastructure did not succeed so the attacker then moved to spearphishing and gained access to some systems.

“In interacting with victim networks, the actor was identified making use of compromised legitimate Australian web sites as command and control servers,” the advisory says. “Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic. This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations.”

The ACSC’s advice in the wake of its investigation is to patch internet-facing everything, adopt MFA for email, remote desktops, VPNs and collaboration platforms, follow previous Australian government security advice and enable verbose logging to help triage future attacks.

Journalists in the PM’s press conference immediately asked if China was a suspect, as the nation recently took offence at Australia’s call for an international inquiry into the source of the COVID-19 pandemic and appears to have retaliated with new trade disputes and advice that its citizens should not visit Australia as tourists or students. Morrison stonewalled when asked if China is the actor behind these attacks. ®