In one major incident response, the ACSC writes of investigating and remediating the problems caused by the intrusion into a government network by a foreign state. Here the attack vector was Microsoft Office macros. No date was specified for this incident.
In July 2015, CERT Australia advised a financial services provider of a compromised domain controller on their network that was communicating with malicious domains. At the time of notification, it was believed this host had been compromised for at least a year. Once again, Windows malware was implicated.
In a third case, a company contacted CERT Australia for assistance in mitigating sophisticated spear phishing. A malicious email with an attached password-protected zip archive had been sent to a company manager. Analysis revealed that the attached zip archive contained a Windows screensaver file that would have appeared on the system as a PDF file.
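The screensaver-disguised-as-PDF trick in the case above works because Windows hides known extensions, so `report.pdf.scr` renders as `report.pdf`. The following mail-gateway style check, added here as an illustration and not taken from the ACSC report or any vendor product, inspects the members of a zip attachment for that pattern. It flags executable extensions, double extensions where a document suffix precedes an executable one, and a PE (`MZ`) header hiding under a document extension. The archive it scans is constructed in memory; all names and contents are made up for the demonstration. Note that the central directory of a password-protected zip still lists member names in clear, so the name-based checks run even when the content cannot be opened.

```python
import io
import zipfile

# Extensions Windows will execute directly; a document attachment should never carry one.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta", "lnk"}
# Extensions that attackers like to place before the real one so the name looks like a document.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable, .scr included


def classify_member(name, head):
    """Return a list of findings for one archive member.

    `head` is the first bytes of the member's content; pass b"" when the
    content is unavailable (for example, an encrypted member without the password).
    """
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    findings = []
    if len(parts) < 2:
        return findings
    ext = parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension .{ext}")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
            findings.append(f"document extension .{parts[-2]} precedes it (double extension)")
    elif head.startswith(PE_MAGIC):
        findings.append("PE header under a non-executable extension")
    return findings


def scan_zip_bytes(data):
    """Scan an in-memory zip and map suspicious member names to their findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = b""
            encrypted = bool(info.flag_bits & 0x1)  # bit 0 of the general purpose flag
            if not encrypted:
                with zf.open(info) as fh:
                    head = fh.read(2)
            findings = classify_member(info.filename, head)
            if encrypted and not findings:
                # Names are still visible; content is not. Surface that so an analyst can follow up.
                findings.append("encrypted member; content not inspected")
            if findings:
                report[info.filename] = findings
    return report


def build_sample_archive():
    """Constructed sample: one disguised screensaver, one fake PDF, one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf.scr", PE_MAGIC + b"\x00" * 62)  # stand-in for a PE screensaver
        zf.writestr("invoice.pdf", PE_MAGIC + b"\x00" * 62)     # PE bytes under a .pdf name
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip_bytes(build_sample_archive()).items():
        print(member, "->", "; ".join(findings))
```

Running it lists `report.pdf.scr` with both the executable-extension and double-extension findings and `invoice.pdf` with the PE-header finding, while `readme.txt` is not reported.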
Then in 2016, a staff member from a government organisation clicked on an Australia Post-themed email which infected their workstation with Cryptolocker, ransomware that only runs on Windows. At that time, the staff member’s workstation was simply re-imaged.
The ACSC said it had observed an increase in systems being exploited using PowerShell, a powerful shell scripting language developed by Microsoft that lets network administrators fully control Microsoft Windows systems with ease.
The ACSC also wrote that it had observed attackers compromising Microsoft Outlook Web Application (OWA) servers and using Web shells for network persistence. OWA is a full-featured, Web-based email client through which users can remotely access their email, contacts, tasks and folders over a secure connection from anywhere with Internet access.
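A Web shell on an OWA server is, at bottom, a server-side script file that was not there before. One plain way to catch that class of persistence is to baseline the hashes of every script under the Web root and diff later snapshots against it. The script below is an added illustration of that integrity check, not code from the ACSC or from Microsoft; it builds a throwaway directory tree standing in for an OWA install (the `owa/auth` path and file names are invented for the demo), takes a baseline, simulates a tampered page plus a dropped file, and reports what changed.

```python
import hashlib
import os
import tempfile

# Server-side script types an IIS/OWA host will execute; these are what a Web shell is written as.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


def snapshot(root):
    """Map each script's path (relative to root, with '/' separators) to its SHA-256."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return result


def diff_snapshots(baseline, current):
    """Report scripts added, modified or removed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(set(baseline) - set(current))
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: a known-good baseline, then a tampered page and a dropped file."""
    with tempfile.TemporaryDirectory() as root:
        auth_dir = os.path.join(root, "owa", "auth")  # invented stand-in for the OWA tree
        os.makedirs(auth_dir)
        with open(os.path.join(auth_dir, "logon.aspx"), "w") as fh:
            fh.write("<%@ Page Language=\"C#\" %> legitimate logon page")
        with open(os.path.join(auth_dir, "style.css"), "w") as fh:
            fh.write("body { }")  # not a script; ignored by the scan
        baseline = snapshot(root)

        # Simulate what a post-intrusion scan would see.
        with open(os.path.join(auth_dir, "logon.aspx"), "a") as fh:
            fh.write(" <!-- appended content -->")
        with open(os.path.join(auth_dir, "errorFF.aspx"), "w") as fh:
            fh.write("<%@ Page %> newly dropped file")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline would be taken from a clean install or a known-good image and stored off the host, since an attacker with a shell on the box can rewrite a baseline kept beside the files it protects.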
In another case reported on 4 August, the ACSC became aware that websites of various Canberra-based businesses — some close to government departments — were hosting an exploit kit redirect, the first step in compromising visitors. Subsequent analysis indicated that the exploit kit redirect was part of the Neutrino Exploit Kit.
In one case where Microsoft products are not mentioned, on 26 May, the ASD identified suspected malicious files present on a government network. Analysis confirmed these files were Flash files which enumerated browser details, encrypted them and passed them on to a server. Flash has been identified by the ACSC as a common attack vector. There are versions for all common operating systems.
In another case, the ACSC says it was notified of a cyber intrusion on the corporate network of an Australian critical infrastructure owner and operator. The ACSC’s investigation revealed the attacker used legitimate credentials belonging to a staff member and a contractor of the organisation during the compromise.
In late 2015, a payroll system used by a number of Australian-based companies was compromised and the personal data of employees was obtained. The actors used the stolen information, including tax file numbers, to lodge fraudulent tax returns. The incident resulted in considerable financial and reputational damage to the companies affected by the compromise.
The ACSC must be commended on two fronts: firstly, for the sober tone in dealing with a subject that tends to get most people hyped up, and secondly, for packing so much information into a report that is just 28 pages long.