ACSC details "copy-paste compromise" attacks

By Dylan Bushell-Embling
Tuesday, 22 September, 2020

The Australian Cyber Security Centre (ACSC) has provided more details of the cyber attack in June called out by Prime Minister Scott Morisson that the ACSC has called the "copy-paste compromise" campaign.

The sustained attack on Australian government agencies and customers involved extensive use of proof-of-concept exploit code, web shells and other tools copied almost identity from open source repositories.

The attack campaign used a number of initial attack vectors, including remote code execution vulnerabilities in unpatched versions of the Telerik UI application development toolkit.

Other vulnerabilities exploited in the campaign included a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the high-profile 2019 Citrix vulnerability.

Despite the copy-paste nature of the attack, the ACSC said the threat actor has shown the capability to quickly leverage public exploit proofs of concept to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services.

The actor has also shown skill at identifying development, test and orphan services hidden deep within the systems of victim organisations.

The ACSC has also found that the actor used various spearphishing techniques in cases where these attempts at exploits failed.

These techniques included links to credential harvesting websites, emails with links or attachments to malicious files, links prompting users to grant Office 365 OAuth tokens to the actor, and the use of email tracking services to identify the email opening and lure click-through events.

The attacker also used a mixture of open source and custom tools to gain persistence to a network once the initial intrusion was achieved.

"In interacting with victim networks, the actor was identified making use of compromised legitimate Australian websites as command and control servers," the ACSC said in its advisory.

"Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic. This technique rendered geoblocking ineffective and added legitimacy to malicious network traffic during investigations."

But curiously, the ACSC said that during its investigations, it had identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.

Image credit: ©stock.adobe.com/au/Lasha Kilasonia