The Australian government recently announced that the country has been targeted by a large-scale cyberattack seeking to disrupt the work of the government as well as the operations of essential services providers.
Addressing the nation last Friday, Australian Prime Minister Scott Morrison said, "We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting."
While the Prime Minister did not point the finger at any particular country that might have been behind the cyberattack, he said the attacks were designed to bring the operation of the government as a whole to a halt, as well as to cripple the work of health, education and other essential services providers.
CyberSecurity ASEAN reached out to several cybersecurity companies in the region to get their views on the situation.
According to Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group, "Ignoring speculation on the origins of the attack, its usage of multiple attack vectors makes it more sophisticated than you might experience with a standard phishing or ransomware attack."
The Australian Cyber Security Centre has identified the primary attack mode as attempted exploitation of the Telerik UI for ASP.NET AJAX vulnerability covered in CVE-2019-18935, which, if successful, provides the ability to remotely execute code on the now compromised web server.
Tim added that if this attack mode isn't successful, the attacker may attempt to exploit remote code execution vulnerabilities in IIS, SharePoint, Citrix ADC and Citrix Gateway. Each attack mode uses publicly available proof-of-concept exploit code for the relevant target software, and the attacker is reported to have the ability to identify orphaned, development and test instances of the vulnerable software. Should these primary modes yield no results, the attackers then move on to a more traditional spear-phishing attack.
From a defender's perspective, Tim commented that an attacker who can identify softer targets, such as public-facing development and test systems, should be particularly concerning, as these systems are often deployed outside of normal IT constraints and protections. They are also unlikely to be covered by production monitoring and may not have a rigorous patch management program in place.
"An attack such as we're seeing illustrates that attackers can discover weaknesses in organisations of all sizes. Having a comprehensive inventory of software assets is a cornerstone of most patch management strategies, but if that inventory doesn't include all assets, including test systems, how they might be connected to a public network or if there are any latent vulnerabilities, then these coverage gaps can be exploited – it just takes additional sophistication."
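The coverage gap Tim describes (test and development instances that are internet-facing but missing from the inventory or from patch management) is straightforward to check for once you hold both an asset inventory and an external exposure list. The following is an added example written for this page, not code from CyberSecurity ASEAN, Synopsys or the ACSC; the host names, environment labels, product keys and dates are constructed, and it treats an exposed instance of one of the product families named in the article as a finding only when the inventory holds no patch record for it, rather than attempting any version-level vulnerability matching.

```python
"""Reconcile an asset inventory against an external exposure list.

Added example (not from the article). It reports three kinds of gap:
  - an internet-facing host that is absent from the inventory (orphaned),
  - a dev/test instance that is reachable from the public network,
  - an exposed instance of a targeted product family with no patch record.
All host names, products, environments and dates below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Product families the article lists as targeted. Keys are assumed labels
# used by this example's inventory, not an official naming scheme.
TARGETED_PRODUCTS = {
    "telerik-ui-aspnet-ajax",
    "iis",
    "sharepoint",
    "citrix-adc",
    "citrix-gateway",
}


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    environment: str           # "prod", "dev" or "test"
    patched_on: Optional[str]  # ISO date of the last recorded patch, None if unknown


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str


def reconcile(inventory: List[Asset], exposed_hosts: List[str]) -> List[Finding]:
    """Return one Finding per coverage gap, ordered by host name."""
    by_host: Dict[str, Asset] = {a.host: a for a in inventory}
    findings: List[Finding] = []
    for host in sorted(set(exposed_hosts)):
        asset = by_host.get(host)
        if asset is None:
            # Seen from the outside but unknown to the inventory: an orphan.
            findings.append(Finding(host, "exposed host absent from inventory"))
            continue
        if asset.environment != "prod":
            # Non-production systems are rarely covered by production monitoring.
            findings.append(Finding(
                host, f"{asset.environment} instance of {asset.product} is internet-facing"))
        if asset.product in TARGETED_PRODUCTS and asset.patched_on is None:
            # No patch record at all means patch management is not tracking it.
            findings.append(Finding(
                host, f"targeted product {asset.product} has no patch record"))
    return findings


# Constructed sample data: a small inventory and an exposure list such as
# an external scan or DNS export would produce.
SAMPLE_INVENTORY = [
    Asset("www.example.test", "iis", "prod", "2020-06-01"),
    Asset("portal.example.test", "telerik-ui-aspnet-ajax", "prod", None),
    Asset("dev-portal.example.test", "telerik-ui-aspnet-ajax", "dev", None),
    Asset("intranet.example.test", "sharepoint", "prod", "2020-05-20"),
]
SAMPLE_EXPOSED = [
    "www.example.test",
    "portal.example.test",
    "dev-portal.example.test",
    "old-citrix.example.test",
]


def sample_findings() -> List[Finding]:
    return reconcile(SAMPLE_INVENTORY, SAMPLE_EXPOSED)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.host}: {f.issue}")
```

Run stand-alone, the script reports four gaps: the dev portal twice (internet-facing and unpatched), the production portal once (no patch record), and the old Citrix host once (not in the inventory). In practice the exposure list would come from whatever external discovery an organisation already runs, and the inventory from its CMDB export; the point is that the reconciliation has to include non-production systems, or exactly the instances the article warns about never appear in it.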
Meanwhile, Ghian Oberholzer, Regional Vice President of TechOps – APAC, Claroty commented, "The most alarming element of the multi-faceted cyber-attack launched on Australian organisations is the risk it poses to Australia's critical infrastructure - the very services on which society depends including our water supply, power grids and telecommunications systems."
Ghian said that while cyber-attacks on businesses are damaging enough, the impact of a successful attack on any of these critical services could be catastrophic, such as shutting down the electricity grid. Critical infrastructure often eludes the public's attention as a major source of cyber risk, but it remains highly susceptible to targeted attacks, as past experience shows.
Ghian also pointed to earlier attacks on critical infrastructure: Israel's wastewater treatment plants suffered a series of coordinated attacks, fortunately without significant damage, and in 2015 an attack on Ukraine's power grid left 230,000 people without power for up to six hours.
"The Prime Minister's announcement illustrates the need for sophisticated cybersecurity practices, policies, and technology to protect our critical infrastructure. Australia cannot afford to suffer catastrophic damage to its critical infrastructure at the best of times, and thanks to COVID-19, these are far from the best of times."