State Based Cyber Security Attack Targeting Australia

If you’ve been watching the news this morning (19/06/2020) or have been on YouTube, you are likely to have come across a statement from the Australian Prime Minister Scott Morrison briefing the public with “Breaking News”. I will be honest, my impression of the briefing was that it came across as very vague, and it seemed as though Morrison was reading directly from a brief/email which he didn’t fully understand. This assumption is largely based on the terms he was using to explain the attack, specifically “state-based” and “copy-paste compromises”; I feel as though there needs to be more explanation. Doing a quick online search, I found an article that might explain things more clearly to developers/software engineers and thought it might be useful to break down a segment of this article (https://securitybrief.com.au/story/state-based-cyber-attack-targeting-australian-government-and-businesses) on securitybrief.com.au to explain things more clearly.

Cyber Security Attack - What Happened?

As the Australian Cyber Security Centre (ACSC) states, “The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.”

The ACSC suggests that the attacks are ‘copy-paste compromises’, which are attacks leveraging proof-of-concept exploit code, web shells, and other tools that are almost identical to open source tools – hence the term ‘copy-paste’.

The exploits relate to Telerik UI, Microsoft Internet Information Services, SharePoint, and Citrix. All exploits were publicly disclosed and have patches or fixes available.

The ACSC states, “The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.”

As speculation about who is behind the attacks inevitably comes up, Morrison says the Government is not making any public attribution statements, however, it may be the work of a state-based threat actor.

The Cyber Security Attack Details

To explain what all these terms mean and my interpretation of the events, I will break down what happened in the aforementioned cyber security attack.
However, I will skip past the explanation of the “state-based actor” until the end.

Copy-Paste Compromises

Copy-Paste exploits are attacks that leverage ‘proof-of-concept exploit code’, ‘web shells’, and other tools that are almost identical to open source tools – hence the term ‘copy-paste’.

Proof Of Concept Exploit Code is open-source or freely available code that is allowed to be copied, pasted and/or modified in your own development projects or ‘hacks’, i.e. this is code posted on public forums which speeds up the process of creating websites and games; however, this can also be viruses/malware/other code that malicious users try to use in emails or on websites that have ‘vulnerabilities’ to certain code.

Web Shells are generally applications you can use to access a website’s documents, similar to how you would log in to Google Drive. However, web shells make use of a programming language to access a website’s file servers. Web Shell Exploits are generally what you would normally picture as the ‘hacker’ you see in movies, with a matrix-like screen showing a black background and green scrolling lines of code (it’s not exactly like this, but it’s not far from it). Anyway, you can use ‘open source’ or ‘exploit code’ in web shells, however you normally need the credentials. Web Shell exploits are more commonly going to be Brute Force attacks.

Who Is Vulnerable To This Cyber Security Attack?

“The exploits relate to Telerik UI, Microsoft Internet Information Services, SharePoint, and Citrix. All exploits were publicly disclosed and have patches or fixes available.”

As far as I can see from the listed terms above, this cyber security attack is largely only going to affect the admin processing side of things and potentially some front-end website pages for government-related websites, however I can’t confirm this as I do not have access to specific information (back-end data/analytics). Furthermore, this is largely only going to affect the Government as they heavily rely on online Microsoft services for most admin-side related services, however some businesses may also be affected by what is happening or has occurred already.

It is my opinion there will be no issues with patient databases or sensitive personal information on your computer at home. It seems as though this exploit has only affected certain services. Personal information stored in hospitals shouldn’t be connected to SharePoint or the other services that were mentioned. Hospital patient information across the departments Australia-wide has hopefully been developed using ASP.NET and is not connected to SharePoint (however I cannot confirm that the Microsoft ASP.NET software the Government is using is not vulnerable). ASP.NET, SharePoint and other Microsoft online services are the favoured technology used by the Government for development activities. How do I know? I have rebuilt a patient database/facilitation software for one of Queensland Health’s departments, and when looking at or applying for Government jobs almost all job specifications/requirements outline this technology.

Are You At Risk From The Security Attack?

Are individuals going to be affected? I cannot confirm anything as I do not know the extent of what has been breached, however by going off the terms outlined above, I would assume individuals (personal internet use at home) will not be affected.

Are businesses going to be affected? Any business using Citrix technology, ASP.NET or online Microsoft Services should spend time looking into the existing vulnerabilities and applying any updates/patches that are currently available for the software you are using. I would also recommend following any news released surrounding this cyber security attack.

What Does 'State-Based' Cyber Security Attack Mean?

I was left scratching my head a little by the mention of a ‘state-based cyber attack’ by Prime Minister Scott Morrison. After receiving an explanation on the term ‘State-Based’, it is my understanding that ‘State-based’ usually implies it’s (foreign) government (sanctioned) activity, i.e. another country’s government is, in this case, performing malicious cyber activity trying to exploit Australian online resources.

Was this really a ‘state-based’ cyber security attack? Without access to the back-end server traffic/analytics/data there is not too much to confirm. However, ‘state-based’ cyber security attacks are extremely common and generally aren’t anything to be concerned about. There are also multiple ways of providing additional security measures to prevent these from happening. One recommendation: if it is sensitive data that is local to Australia (i.e. patient information) that needs additional security, updating outdated/vulnerable software to newer technologies and moving away from its reliance on Microsoft services only would be something to seriously consider. Setting up blocks to stop foreign IP addresses from being able to connect to sensitive data that is accessible by the internet (data that doesn’t need to be distributed worldwide, like patient data) is a vital security measure to prevent and block the attack that it sounds like is happening.
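The source-address restriction recommended above can be expressed as an allowlist check and replayed over existing web logs to see what it would have blocked. This is an added example, not code from the original post or from the ACSC; the network ranges (RFC 5737 documentation addresses), the sensitive URL prefixes and the log lines are all constructed assumptions.

```python
import ipaddress
import re

# Constructed allowlist: documentation ranges stand in for the in-country
# networks an organisation would actually permit.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Hypothetical URL prefixes that expose sensitive data.
SENSITIVE_PREFIXES = ("/patients/", "/admin/")

# Constructed access-log lines in Common Log Format.
SAMPLE_LOG = """\
192.0.2.17 - - [19/Jun/2020:09:12:01 +1000] "GET /patients/records HTTP/1.1" 200 5120
203.0.113.9 - - [19/Jun/2020:09:12:05 +1000] "GET /patients/records HTTP/1.1" 200 5120
203.0.113.9 - - [19/Jun/2020:09:12:09 +1000] "GET /index.html HTTP/1.1" 200 812
198.51.100.200 - - [19/Jun/2020:09:13:40 +1000] "POST /admin/login HTTP/1.1" 401 230
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def decide(addr, path):
    """Return 'allow' or 'deny' for one request under the allowlist policy."""
    if not path.startswith(SENSITIVE_PREFIXES):
        return "allow"  # public content is not restricted by source address
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "deny"  # unparseable source address: fail closed
    return "allow" if any(ip in net for net in ALLOWED_NETWORKS) else "deny"

def audit(log_text):
    """List past requests to sensitive paths that the policy would have denied."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        addr, method, path, status = m.groups()
        if decide(addr, path) == "deny":
            findings.append((addr, method, path, int(status)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A finding with status 200 means sensitive content was already served to an address outside the allowlist. Source-address filtering only narrows exposure: a request relayed through a host inside the allowed ranges passes this check, so it sits alongside the patching recommended earlier rather than replacing it.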

Was This A Foreign Cyber Attack?

Without the specific details of the attack, there is no way to confirm whether or not this was “state-based”. However, looking at the digital attacks that were mapped on 19/06/2020, there was actually very little malicious activity recorded on this date. There was mention in the news that this was a “state-based” attack, indicating it may have originated from China, although there is very little evidence publicly available supporting this. It could have originated anywhere without more details surrounding this. In fact, on this day there was more malicious activity coming from Australia towards China, referring to the image below (although this largely relates to DDoS attacks). Moving the map back a few days, you can see a vast amount of activity originating from the USA and Nigeria.

[Image: Cyber attack map, June 19 2020]

[Image: Cyber attack map, June 18 2020]