Scott Morrison’s Cyber Attack News – What Do You Need To Do?

We wanted to provide some information to our clients about the announcement from Prime Minister Scott Morrison on Friday and the associated advisory from the Australian Cyber Security Centre relating to Cyber Security and recent attacks. 
 
While the press release itself did not contain a lot of substance, the ACSC advisory and its associated documents contain a lot of technical information that many people may find confusing. For that reason, we would like to break it down in plain English. The most important point to take from the Prime Minister’s press conference is:
 
 
“The purpose of raising this matter here today is to simply raise awareness of these specific risks. They are not new risks but they are specific risks and the targeted activities. And to advise you how Australians, and particularly these organisations, can take action to protect themselves.”
 

What Happened?

This was not a single incident, as many media outlets began reporting on Friday morning. The ACSC identified the tactics, techniques and procedures (TTPs) used during its investigation into hacking attempts against Australian networks, and the government believes the activity comes from a “state-based cyber actor”. This activity has been increasing over recent months, which led to the announcement.
 
It is important to note that attacks on anything online are an ongoing occurrence. Anything connected to the internet is constantly being scanned to identify what is online and what is vulnerable. Tools that scan the entire IPv4 internet for a single port in minutes are freely available, and sites like Shodan collect and publish the results, so that data is available to anyone who is interested. If a service is reachable from the internet, you should assume it has already been found.
 
The ACSC titled these attacks “copy-paste compromises”. The name comes from the actor’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from publicly available sources.
 

What Does This Mean?

If a problem is found in the software that runs something online, like a website, email server or remote access gateway, that problem is known as a vulnerability. The person who found it usually writes a small piece of code that demonstrates it, called a “proof of concept”, and reports both to the organisation responsible for the software so they can fix it. Once the vendor has confirmed the problem, a patch, or software update, is released to fix it. Normally the proof of concept code is kept private until the patch has been released, and it is often published shortly afterwards so that others can check they are protected. Sometimes it leaks online before the organisation has had a chance to release a patch. Either way, once the code is public, anyone can run it against any system that has not yet been updated, so the time between a patch being released and you installing it is the window that matters.
 
In the attacks the government reported on, this proof of concept code was used almost exclusively, meaning the attackers were “copying and pasting” publicly available exploit code and running it against Australian organisations. They did not need to discover new problems; they only needed to find systems that had not been patched.
 
The “state-based actor” component suggests a foreign nation was supporting these activities and providing the resources needed to do this at scale.
 
The ACSC goes on to explain that when the attackers were not successful with the proof of concept code, they used phishing techniques to try to gain access to networks. These are all things you will have seen over the years: emails with malicious links or attachments, and fake emails designed to trick users into handing over their credentials. Once inside a network, they could continue to look for vulnerable platforms, collect additional information to conduct further attacks, and collect intellectual property.
 

What Do I Need To Do?

As previously mentioned, these techniques are unfortunately not new. These types of attacks happen globally and across all sectors, and they are something that needs to be planned for. Specific targeting of Australian sectors by a foreign nation may be new, but you should assume that this type of activity is always going on, with the most common motive being financial gain.
 
The ACSC reported that:

“During the course of its investigations the ACSC has identified two key mitigations which, if implemented, would have greatly reduced the risk of compromise by the TTPs identified in this advisory.”
 
Those two mitigations were:
 
1. Prompt patching of internet-facing software, operating systems and devices.
2. Multi-Factor authentication across all remote access services.
 
So where do you stand on these? 
 
Patching
RODIN manages the patching of your server and workstation devices, and we identify problem devices and report them to you in our monthly reports. But what other internet facing software do you have that RODIN may not be responsible for?
    i) Your website. Most companies have one, and it is very much “internet facing”. As we pointed out in May, we have seen an increase in websites being attacked, again through vulnerabilities, and generally because they are not being kept up to date. The content management system, its plugins and its themes all need updating, not just the server that hosts it. You need to speak to your web developer and ensure there is a process for your website being updated. If you do not know who your web developer is, then please contact us and we can assist.
    ii) Your line of business software. Is the software you use within your business available for remote access, perhaps through a web browser or a mobile phone? Then it is likely public facing. If you own the servers that run this software, you need to ensure it is running the latest updates from the vendor. Your vendor should advise you of available updates and whose responsibility it is to install them (some auto-update), and RODIN can assist if required to ensure they are installed. If the software is “cloud hosted” as a service, patches are generally the responsibility of the software vendor, and you only need to ensure your accounts are kept secure (see Multi-Factor Authentication). Be careful with the word “cloud”, though: if what you have is a server that you run on a cloud platform, the operating system and the software on it are still yours to patch, exactly as if the server were in your office.
 
Multi-Factor Authentication
We have been a bit of a broken record about MFA for a while now, as it is a must to ensure your accounts remain secure. What is it? Otherwise known as two-factor authentication, it is the concept of having another factor, on top of your username and password, to confirm that it is actually you using those credentials. Your internet banking has been protecting you in this way for years, for example by sending a message to your phone with a code, or by having software like Google Authenticator installed with a rotating 6 digit code you need to enter. More modern approaches simply send a notification to your phone that you need to ‘Approve’ to confirm it is you. This mitigation protects your accounts, because if your password is guessed, or if you are scammed into giving your credentials out (through a very legitimate looking fake website), it is useless without the ‘additional factor’. One caveat: the protection is only as good as your habits. Only approve a notification for a login you started yourself, because an attacker who already has your password can trigger prompts repeatedly in the hope that you approve one just to make them stop, and never read a code out to anyone over the phone. Where it is offered, a physical security key (the FIDO2 / WebAuthn standard) is the strongest option, because it checks the real address of the website and will not work on a fake one. If you don’t have multi-factor authentication enabled on your accounts while you read this, you need to get it implemented immediately. Please reach out to your account manager to discuss the different options available.
 
 
While these two items have been called out in this report, there are many other recommended controls. Cyber security is all about layers: the more layers you apply, the more secure you become. Those layers are a mix of security controls enforced within technology, policies and procedures for the business to work to, and appropriate insurance. One does not replace another, meaning all the policies in the world won’t make you secure if you have no controls in place to protect your systems and users.
 
There are multiple frameworks available to improve your business’s cyber security posture, such as the ACSC’s Essential Eight, the Center for Internet Security (CIS) Controls, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Each has its own pros and cons, but all of them define levels (the Essential Eight calls them maturity levels) that you can work towards to secure your environment. We can assist by completing a risk assessment against one of these frameworks to create a list of action items to work through.
 
 
Never assume your security is sufficient. If you are unsure where you stand on any of these items, please reach out to a trusted Managed Services Provider like RODIN to book time and review what areas of your environment can be made more secure.