The Australian government has released a 48-page report describing the tactics, techniques, and procedures (TTPs) associated with a threat actor that targeted organizations and companies in Australia. According to the report, behind the cyber campaign is a sophisticated state-based actor, which has been observed using “proof of concept exploit code, web shells and other tools copied almost identically from open source.”
The malicious actor targets public-facing infrastructure, primarily through remote code execution (RCE) vulnerabilities in unpatched versions of Telerik UI. These vulnerabilities are CVE-2019-18935, CVE-2017-9248, CVE-2017-11317 and CVE-2017-11357, for all of which exploit code is publicly available.
In other cases, the threat actor has been observed targeting public-facing infrastructure using a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability (CVE-2019-0604) and the 2019 Citrix vulnerability (CVE-2019-19781).
“The actor has shown the capability to quickly leverage public exploit proof of concepts (POCs) to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organizations,” according to the report.
If exploitation of the target infrastructure fails, the threat actor turns to spear phishing, which involves: links to credential-harvesting websites; emails with links to malicious files, or with the malicious file attached directly; links prompting users to grant Office 365 OAuth tokens to the actor; and email tracking services used to identify when a message is opened and when a lure link is clicked.
Once it has gained access to a target network, the malicious actor leverages open-source and custom tools to achieve persistence on a system and interact with the victim network. Within the victim network, the attackers attempted to escalate privileges to SYSTEM using common tools, including the Juicy Potato and RottenPotatoNG utilities.
According to the Australian Cyber Security Centre (ACSC), the attackers did not carry out any disruptive or destructive activities within victim environments. In the observed attacks, the threat actor used the Korplug malware (also known as PlugX), a Remote Access Tool (RAT) that has been associated with Chinese APT groups such as OceanLotus, to load a Cobalt Strike payload.
The attackers have also been observed using the open-source PowerShell Empire post-exploitation framework.