Thursday, 13 October 2016 12:02

Most threats detailed by ACSC work only on Windows


Most of the case studies of various cyber infringements detailed in the Australian Cyber Security Centre's 2016 report have one thing in common: they relate to threats that are only possible on Microsoft Windows systems.

In one major incident response, the ACSC writes of investigating and remediating the problems caused by the intrusion into a government network by a foreign state. Here the attack vector was Microsoft Office macros. No date was specified for this incident.

In July 2015, CERT Australia advised a financial services provider of a compromised domain controller on their network that was communicating with malicious domains. At the time of notification, it was believed this host had been compromised for at least a year. Once again, Windows malware was implicated.

In a third case, a company contacted CERT Australia for assistance in mitigating sophisticated spear phishing. A malicious email with an attached password-protected zip archive had been sent to a company manager. Analysis revealed that the attached zip archive contained a Windows screensaver file that would have appeared on the system as a PDF file.

When opened, it would have dropped a malicious executable and added a Microsoft update-themed shortcut to the system’s start-up folder to establish a persistent presence. The malicious executable would have sent encrypted beacons containing details of the infected system. It was a first-stage implant that could have been used to upload additional files and to execute commands on the infected host system.
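The lure described in this case combines three things a mail gateway or an endpoint analyst can check for without opening anything: an executable type (a Windows screensaver, `.scr`) hidden behind a document-looking name, a password-protected archive entry, and a vendor-themed shortcut in the Start-up folder that launches a binary from a user-writable location. The Python below is an added illustration, not code from the ACSC report or from iTWire; the archive contents, the shortcut list and the file-name padding are constructed sample data, and the extension lists are a reasonable starting set rather than anything the report specifies.

```python
import io
import os
import re
import zipfile

# Extensions Windows runs as programs regardless of the icon or the name the user sees
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".hta", ".lnk"}
# Extensions a lure borrows to look like a harmless document
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Directories an ordinary user can write to; a start-up shortcut pointing here deserves a look
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def suspicious_attachment_name(name):
    """Return a reason if `name` is an executable type, optionally disguised as a document, else None."""
    collapsed = re.sub(r"\s+", "", name.lower())   # defeat "invoice.pdf        .scr" padding
    root, ext = os.path.splitext(collapsed)
    if ext not in EXECUTABLE_EXTS:
        return None
    inner = os.path.splitext(root)[1]               # the extension the user was meant to notice
    if inner in DOCUMENT_EXTS:
        return f"{ext} executable disguised as {inner}"
    return f"{ext} executable attachment"


def scan_zip(data):
    """Inspect a zip's central directory (no extraction, no password needed) and return findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:                # general-purpose flag bit 0: entry is encrypted
                findings.append(f"{info.filename}: password-protected entry")
            reason = suspicious_attachment_name(info.filename)
            if reason:
                findings.append(f"{info.filename}: {reason}")
    return findings


def suspicious_startup_entries(entries):
    """entries: (shortcut name, resolved target path) pairs from a Start-up folder listing.
    Flag vendor-themed names whose target lives somewhere an unprivileged user could have written."""
    flagged = []
    for name, target in entries:
        themed = re.search(r"microsoft|windows|update", name.lower())
        if themed and any(marker in target.lower() for marker in USER_WRITABLE):
            flagged.append((name, target))
    return flagged


def build_sample_zip():
    """Constructed sample archive mimicking the lure (the stdlib writer cannot set the encryption bit,
    so the password-protected check is exercised only against real archives)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2016.pdf        .scr", b"MZ...not a real program...")
        zf.writestr("README.txt", b"plain text")
    return buf.getvalue()


# Constructed Start-up folder listing: one planted shortcut, one legitimate one
SAMPLE_STARTUP = [
    ("Microsoft Update.lnk", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    ("OneDrive.lnk", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print("archive:", finding)
    for name, target in suspicious_startup_entries(SAMPLE_STARTUP):
        print("start-up:", name, "->", target)
```

Reading the central directory rather than extracting means the archive's password never matters for the name-based checks, which is exactly why an attacker's password protection does not help them here; the encryption flag itself is a useful signal when a sender has no business sending encrypted archives.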

Then in 2016, a staff member from a government organisation clicked on an Australia Post-themed email which infected their workstation with Cryptolocker, ransomware that only runs on Windows. At that time, the staff member’s workstation was simply re-imaged.

The ACSC said it had observed an increase in the number of systems being exploited using PowerShell, a powerful shell scripting language developed by Microsoft that gives network administrators full control of Windows systems with little effort.
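The report's point is that the same tool administrators rely on is what intruders use once inside, so the practical question for a defender is how to tell the two apart in process-creation logs. The Python below is an added example, not anything from the ACSC report or from iTWire, and it goes beyond the article's single sentence: it scores PowerShell command lines on switch combinations that hands-off scripts almost never need together (hidden window, skipped profile, encoded command, policy bypass, remote fetch) and decodes `-EncodedCommand` payloads, which are base64 of UTF-16LE text. The log records are constructed in a simplified `time|user|command line` layout, not real Windows event output, and the encoded payload is the harmless `Get-Date`.

```python
import base64
import re

# Switches and idioms that legitimate administration rarely combines but intrusions almost always do
SUSPICIOUS_SWITCHES = {
    r"-(e|ec|en|enc|encodedcommand)\b": "encoded command",
    r"-w(indowstyle)?\s+hidden\b": "hidden window",
    r"-(nop|noprofile)\b": "profile skipped",
    r"-(ep|executionpolicy)\s+bypass\b": "execution policy bypass",
    r"\b(iex|invoke-expression)\b": "dynamic code execution",
    r"downloadstring|downloadfile|invoke-webrequest": "remote fetch",
}


def decode_encoded_command(cmdline):
    """-EncodedCommand takes base64 of UTF-16LE text; return the plaintext, or None if absent/invalid."""
    m = re.search(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_powershell(cmdline):
    """Return (indicators, decoded payload) for one command line; an empty list means nothing unusual."""
    low = cmdline.lower()
    if "powershell" not in low and "pwsh" not in low:
        return [], None
    hits = [label for pattern, label in SUSPICIOUS_SWITCHES.items() if re.search(pattern, low)]
    return hits, decode_encoded_command(cmdline)


def triage_process_log(lines):
    """lines: constructed records 'time|user|command line'. Return the ones worth an analyst's time,
    i.e. PowerShell launches showing at least two indicators at once."""
    alerts = []
    for line in lines:
        ts, user, cmd = line.split("|", 2)
        hits, decoded = assess_powershell(cmd)
        if len(hits) >= 2:
            alerts.append({"time": ts, "user": user, "indicators": hits, "decoded": decoded})
    return alerts


# Constructed sample: a scheduled backup, a hidden encoded launch, and an unrelated process
SAMPLE_ENC = base64.b64encode("Get-Date".encode("utf-16le")).decode()
SAMPLE_LOG = [
    "2016-10-13T09:01:02|CORP\\alice|powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    f"2016-10-13T09:05:44|CORP\\bob|powershell.exe -nop -w hidden -enc {SAMPLE_ENC}",
    "2016-10-13T09:06:10|CORP\\bob|notepad.exe C:\\Users\\bob\\notes.txt",
]

if __name__ == "__main__":
    for alert in triage_process_log(SAMPLE_LOG):
        print(alert)
```

The two-indicator threshold is what keeps the backup job quiet: `-NoProfile` on its own is routine in scheduled scripts, while `-nop -w hidden -enc` together is the classic fingerprint. Decoding the payload in the alert saves the analyst a round trip and makes the record searchable for the cmdlets actually run.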

The ACSC also wrote that it had observed attackers compromising Microsoft Outlook Web Application (OWA) servers and using Web shells for network persistence. OWA is a full-featured, Web-based email client through which users can remotely access their emails, contacts, tasks and folders over a secure connection from anywhere with Internet access.

In another case reported on 4 August, the ACSC became aware that websites of various Canberra-based businesses — some close to government departments — were hosting an exploit kit redirect, the first step in compromising visitors. Subsequent analysis indicated that the exploit kit redirect was part of the Neutrino Exploit Kit.

In one case where Microsoft products are not mentioned, on 26 May, the ASD identified suspected malicious files present on a government network. Analysis confirmed these files were Flash files which enumerated browser details, encrypted them and passed them on to a server. Flash has been identified by the ACSC as a common attack vector. There are versions for all common operating systems.

In another case, the ACSC says it was notified of a cyber intrusion on the corporate network of an Australian critical infrastructure owner and operator. The ACSC’s investigation revealed the attacker used legitimate credentials belonging to a staff member and a contractor of the organisation during the compromise.

In late 2015, a payroll system used by a number of Australian-based companies was compromised and the personal data of employees was obtained. The actors used the stolen information, including tax file numbers, to lodge fraudulent tax returns. The incident resulted in considerable financial and reputational damage to the companies affected by the compromise.


The ACSC must be commended on two fronts: firstly, for the sober tone in dealing with a subject that tends to get most people hyped up, and secondly, for packing so much information into a report that is just 28 pages long.


Sam Varghese
Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.