The government is currently responding to a sustained cyber targeting of Australian networks by a sophisticated actor.
The Australian Cyber Security Centre (ACSC) has released an advisory stating that the actor has been targeting public-facing infrastructure — including exploiting vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.
The ACSC has made it clear that it is imperative that Australian organisations are alert to this threat and take steps to enhance the resilience of their networks. Cyber security is everyone’s responsibility.
The ACSC has also identified the utilising various spearphishing techniques in this series of continuing attacks:
- links to credential harvesting websites
- emails with links to malicious files, or with the malicious file directly attached
- links prompting users to grant Office 365 OAuth tokens to the actor
- use of email tracking services to identify the email opening and lure click-through events.
ACSC recommended prioritised mitigations
During the course of its investigations the ACSC has identified two key mitigations which, if implemented, would have greatly reduced the risk of compromise by the TTPs identified in this advisory.
Prompt patching of internet-facing software, operating systems and devices
Organisations should ensure that security patches or mitigations are applied to internet-facing infrastructure within 48 hours. Additionally organisations, where possible, should use the latest versions of software and operating systems.
Use of multi-factor authentication across all remote access services
Multi-factor authentication should be applied to all internet-accessible remote access services, including:
- web and cloud-based email
- collaboration platforms
- virtual private network connections
- remote desktop services.