In light of the current situation in Ukraine, the Australian Cyber Security Centre (ACSC) is urging all Australian organisations to adopt an enhanced cybersecurity posture.
Background
Over the past two weeks, an escalation in the conflict between Russia and Ukraine has resulted in a significant increase in observed cyber attacks. Since mid-February the Ukrainian Government and banking institutions have been experiencing a series of distributed denial of service (DDoS) attacks. More recently, a new wiper malware variant, named HermeticWiper, was discovered in Ukraine and a number of Ukrainian Government organisation websites have been defaced.
Many Western governments, including Australia, are now issuing warnings to prepare for cyber attacks that may disable, disrupt or destroy critical infrastructure. It is expected that future attacks may target Western nations in retaliation for sanctions imposed on Russia.
Whilst the ACSC is not aware of any current or specific threats to Australian organisations, it is expected that businesses may be affected through unintended disruption or uncontained malicious cyber activities. As such, the ACSC is recommending Australian organisations adopt an enhanced security posture and increase monitoring for threats.
What to expect
The following Tactics, Techniques and Procedures (TTPs) are likely:
- Initial access — Spear phishing emails may be sent with malicious HTML attachments or links to malicious domains, using URL shortening services to mask the link. Brute force techniques may be used to identify valid M365 or domain credentials, targeting VPN and other internet-facing services.
- Persistence — Threat actors have been observed maintaining persistent access for at least six months using a variety of downloaded malware, DLLs and PowerShell scripts.
- Privilege escalation — Cloud Administrators’ privileged accounts have been targeted to generate Azure AD (AAD) tokens, create users and grant roles to users and applications.
- Credential access — Distributed and large-scale targeting using password spray and password guessing has been observed.
- Lateral movement — As compromised accounts are identified and have their passwords reset, threat actors have pivoted to other accounts to maintain access.
- Collection — M365 resources such as SharePoint pages, user profiles and emails may be accessed using compromised credentials.
How to stay secure
The ACSC recommends that organisations urgently adopt an enhanced cybersecurity posture through the following:
- Review the Indicators of Compromise (IOCs) contained in the ACSC’s advisory to determine whether related activity has occurred on your organisation’s network.
- Ensure that logging and detection systems in your environment are fully updated and functioning, and apply additional monitoring of your network where required.
- Assess your preparedness to respond to any cybersecurity incidents, and review incident response and business continuity plans.
- Implement the Essential Eight mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents as a baseline.
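The credential-access TTP above (distributed password spray and password guessing against M365) and the recommendation to apply additional monitoring are easiest to act on with concrete detection logic. The following is an added example, not code from the ACSC or Unit 42 advisories. It runs a sliding-window analysis over sign-in records in a simplified form of the Azure AD sign-in log export (the field names createdDateTime, userPrincipalName, ipAddress and status.errorCode are real; the records, IP addresses and accounts are constructed for the demonstration). It separates a spray (one source IP, many accounts, few failures each) from a brute force (one source IP, one account, many failures), ignores the lone mistyped password, and lists successful sign-ins from a spraying IP, which are the accounts to reset first. The thresholds are assumptions to be tuned to your own baseline.

```python
"""Flag password-spray and brute-force sign-in patterns from M365/Azure AD-style logs."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Azure AD sign-in error codes treated as credential failures:
# 50126 = invalid username or password, 50053 = account locked (IdsLocked).
CREDENTIAL_FAILURE_CODES = {50126, 50053}

# Thresholds are assumptions for this example; tune them to your tenant's baseline.
WINDOW = timedelta(minutes=30)
SPRAY_MIN_ACCOUNTS = 5    # distinct accounts failing from one IP inside WINDOW
BRUTE_MIN_FAILURES = 10   # failures against one account from one IP inside WINDOW


def _rec(ts, user, ip, code):
    """Build one constructed sign-in record in the (simplified) export shape."""
    return json.dumps({"createdDateTime": ts, "userPrincipalName": user,
                       "ipAddress": ip, "status": {"errorCode": code}})


# Constructed sample log (JSON lines). IPs are from RFC 5737 documentation ranges.
SAMPLE_LOG = [
    # Spray: one IP, six accounts, one wrong password each, then a success on user4.
    *[_rec(f"2022-02-25T01:{m:02d}:00Z", f"user{i}@example.com", "203.0.113.10", 50126)
      for i, m in enumerate(range(0, 12, 2), start=1)],
    _rec("2022-02-25T01:13:00Z", "user4@example.com", "203.0.113.10", 0),
    # Brute force: one IP, one account, twelve failures in about half a minute.
    *[_rec(f"2022-02-25T02:00:{s:02d}Z", "admin@example.com", "198.51.100.7", 50126)
      for s in range(0, 36, 3)],
    # Benign: a user mistypes once and then signs in.
    _rec("2022-02-25T03:00:00Z", "alice@example.com", "192.0.2.44", 50126),
    _rec("2022-02-25T03:00:30Z", "alice@example.com", "192.0.2.44", 0),
]


def parse_events(lines):
    """Parse JSON-lines sign-in records into event dicts sorted by time."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
            "user": rec["userPrincipalName"].lower(),
            "ip": rec["ipAddress"],
            "code": int(rec["status"]["errorCode"]),
        })
    return sorted(events, key=lambda e: e["time"])


def detect(events):
    """Sliding-window analysis of credential failures, grouped by source IP.

    Returns a dict with:
      password_spray:      ip -> peak number of distinct accounts failing inside WINDOW
      brute_force:         (ip, user) -> peak number of failures inside WINDOW
      success_after_spray: (ip, user) for successful sign-ins from a spraying IP,
                           i.e. the accounts most likely to have been compromised
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["code"] in CREDENTIAL_FAILURE_CODES:
            by_ip[e["ip"]].append(e)

    spray, brute = {}, {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so every event in evs[start:end+1] fits in WINDOW.
            while evs[end]["time"] - evs[start]["time"] > WINDOW:
                start += 1
            users = [e["user"] for e in evs[start:end + 1]]
            distinct = len(set(users))
            if distinct >= SPRAY_MIN_ACCOUNTS:
                spray[ip] = max(spray.get(ip, 0), distinct)
            for u in set(users):
                n = users.count(u)
                if n >= BRUTE_MIN_FAILURES:
                    brute[(ip, u)] = max(brute.get((ip, u), 0), n)

    success_after_spray = [(e["ip"], e["user"]) for e in events
                           if e["code"] == 0 and e["ip"] in spray]
    return {"password_spray": spray, "brute_force": brute,
            "success_after_spray": success_after_spray}


if __name__ == "__main__":
    for kind, hits in detect(parse_events(SAMPLE_LOG)).items():
        print(f"{kind}: {hits}")
```

Run against the constructed log, the spraying IP is reported with six distinct accounts, the brute-forcing IP with twelve failures against the one account, and alice's single typo is not flagged. The same logic ports directly to a KQL query over the SigninLogs table; the per-IP grouping is what matters, because a spray looks harmless from the viewpoint of any one account.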
The ACSC is monitoring the situation and is able to provide assistance or advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1 (1300 292 371).
The full ACSC advisory is linked in the sources below.
Sources:
ACSC - 2022-02: Australian organisations should urgently adopt an enhanced cyber security posture - https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-02-australian-organisations-should-urgently-adopt-enhanced-cyber-security-posture
Palo Alto Networks Unit 42 - Russia-Ukraine Crisis: How to Protect Against the Cyber Impact (Updated Feb. 24 to Include New Information on DDoS, HermeticWiper and Defacement) - https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/