As we prepare to safeguard against the sustained targeting of Australian governments and companies by a sophisticated state-based actor, it is important that we include suppliers in the scope of protection.
While it is important to understand the nature of the attacks, it is equally important to identify the weakest path by which an attacker can gain access to your systems, and sometimes that path runs through your suppliers.
Our recent study on Digital Transformation and Cyber Risk suggests that digital transformation has significantly increased reliance on third parties, specifically cloud providers, IoT and shadow IT, and that many organizations do not have a third-party cyber risk management program. Sixty-three percent of respondents say their organizations have difficulty ensuring a secure cloud environment, and 54% of IT security professionals say avoiding security exploits is a challenge. Additionally, 56% of C-level executives say their organizations find it a challenge to ensure that third parties have policies and practices that protect the security of their information.
Thus, it is important that we identify the key suppliers who have access to our information systems. For example, if you are a financial institution, then APRA CPS 234-relevant suppliers should be included in the scope. Apart from following the ACSC's recommendations, organizations need to:
- Proactively reach out to their third parties and query them about their preparedness to identify and respond to these attacks.
- Review their third parties' control responses and push for risk mitigation, especially on the sub-controls listed below. In our assessment, these sub-controls have the potential to prevent, detect, or respond to the types of techniques these state-based attackers are using.
CyberGRX customers can quickly check a third party's responses against the controls identified above by going to the residual risk section, selecting the controls from the desired metrics, and then benchmarking them against their own controls or an industry benchmark (i.e. the GRX exchange benchmark). Refer to the quick snapshot below.
Background on Cyber Security Attacks
We have learned that the state-based actor(s) are making heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source. The focus has been on the exploitation of public-facing infrastructure — primarily through a remote code execution vulnerability in unpatched versions of Telerik UI. Other vulnerabilities in public-facing infrastructure leveraged by the actor include a deserialization vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.
The actor conducts regular reconnaissance of target networks looking for vulnerable services, and potentially maintains a list of public-facing services so it can quickly target them following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known to, or maintained by, the victim organizations.
In addition, according to the ACSC, the actor is also using various spear-phishing techniques, such as prompting users to click on:
- Links to credential harvesting websites
- Links to malicious files, or with the malicious file directly attached through emails
- Links prompting users to grant Office 365 OAuth tokens to the actor
- Emails that use tracking services to identify email-opening and lure click-through events
The ACSC has identified the actor turning to these spear-phishing techniques when the exploitation of public-facing infrastructure did not succeed.
Once initial access is achieved, the actor uses a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote access using stolen credentials. To successfully respond to a related compromise, all such access must be identified and removed.