Cyber attack Australia
Sophisticated attacks from ‘state-based actor’

A message from Outcomex.

As seen in the media on Friday, 19th July 2020, Australian Prime Minister, Scott Morrison announced that a wide range of political and private sector organisations in Australia have come under cyber attack carried out by a ‘sophisticated state-based cyber actor’.

What does this mean?

Our Prime Minister is referring to the Advanced Persistent Threat (APT)  described in Advisory 2020-008: Copy-paste compromises.

The above Threat Advisory explains in detail how to detect if you have been compromised by this attack (immediate action to be taken) and suggested mitigations (implementing the TTPs, patching, multi factor authentication (MFA), implementation of Essential 8 and establishing logging and monitoring).

Outcomex can help you

As leading Cyber Security experts with significant experience in deploying all the suggested controls, Outcomex is here to help you. If you would like more information around this media release and how it applies to you, or would like help in detecting these Indicators of Compromise (IOCs) in your environment or implementing any of the ACSC Recommended Prioritised Mitigations listed below, please contact:

1. Outcomex Service Desk
   Email: servicedesk@outcomex.com.au
   If you are already an Outcomex Managed Services customer
2. Your Outcomex Account Manager
3. Dmitry Butko
   Cyber Security Practice Lead, Outcomex
   Email: dmitry.butko@outcomex.com.au

ACSC recommended Prioritised Mitigations

The ACSC strongly recommends that organisations review and implement the identified TTPs, detection recommendations and indicators in this advisory and associated files to help identify malicious activity related to this campaign.

During the course of the APT investigation, the ACSC has identified two key mitigations which, if implemented, would have greatly reduced the risk of compromise by the TTPs identified in this advisory.

1. Prompt patching of internet-facing software, operating systems and devices
All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available. Organisations should ensure that security patches or mitigations are applied to internet-facing infrastructure within 48 hours. Additionally organisations, where possible, should use the latest versions of software and operating systems.

2. Use of multi-factor authentication across all remote access services
Multi-factor authentication should be applied to all internet-accessible remote access services, including:

• web and cloud-based email
• collaboration platforms
• virtual private network connections
• remote desktop services.

3. ASD Essential Eight controls
Beyond the ACSC recommended key mitigations above, the ACSC also strongly suggests implementing the remainder of the ASD Essential Eight controls

4. Windows Event Logging and Forwarding and System Monitoring
During investigations, a common issue that reduces the effectiveness and speed of the investigative efforts is the lack of comprehensive and historical logging information across a number of areas including web server request logs, windows event logs and internet proxy logs. the ACSC strongly recommends reviewing and implementing the ACSC guidance on Windows Event Logging and Forwarding and System Monitoring.