The Australian Cyber Security Centre has issued a High Alert Advisory to help Australian organisations detect destructive Russian malware being used to target sites in Ukraine. “Australian organisations should urgently adopt an enhanced cyber security posture,” it said.

(image: ACSC)

“Organisations should act now and follow ACSC’s advice to improve their cyber security resilience in light of the heightened threat environment,” the ACSC said. “While the ACSC is not aware of any current or specific threats to Australian organisations, adopting an enhanced cyber security posture and increased monitoring for threats will help to reduce the impacts to Australian organisations.

“The ACSC is aware of reporting that threat actors have deployed destructive malware to target organisations in Ukraine. This advisory provides additional indicators of compromise (IOCs) to assist organisations to detect WhisperGate and HermeticWiper destructive malware.

"Destructive malware can present a direct threat to an organisation’s daily operations, impacting the availability of critical assets and data.

"Australian organisations should continue to maintain vigilance to the threat of ransomware. Threat actors believed to be associated with Conti have claimed they will target unspecified critical infrastructure in response to cyber or military actions against Russia. The ACSC has published a profile on Conti’s background, threat activity, and mitigation advice. Tactics, techniques and procedures associated with Conti ransomware are included in the profile.

"This advisory has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, and draws on information derived from ACSC partner agencies and industry sources."

Initial access:

Spear phishing emails may be sent with malicious HTML attachments. The lures of the spear phishing emails can be tailored to the targeted organisation. HTML files (.html) can contain an obfuscated JavaScript payload, which seeks to mount an .ISO file, much like an external drive. A .lnk file executes a hidden .dll file, which in turn executes further payloads such as Cobalt Strike.

Threat actors use brute force techniques to identify valid account credentials for domain and M365 accounts. After obtaining domain credentials, the actors use them to gain initial access to the networks.

Threat actors send spearphishing emails with links to malicious domains and use publicly available URL shortening services to mask the link. Embedding shortened URLs instead of actor-controlled malicious domains is an obfuscation technique meant to bypass virus and spam scanning tools. The technique often promotes a false legitimacy to the email recipient, increasing the probability of a victim’s clicking on the link.

Threat actors use harvested credentials in conjunction with known vulnerabilities—for example, CVE-2020-0688 and CVE-2020-17144—on public-facing applications, such as virtual private networks (VPNs), to escalate privileges and gain remote code execution (RCE) on exposed applications. In addition, threat actors have exploited CVE-2018-13379 on FortiClient to obtain credentials to access networks.

Actors have gained initial access to victim organisations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion.
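The HTML attachment chain described above ends with Explorer launching a .lnk from a mounted ISO, which then runs a hidden DLL. The following detection heuristic is an added example, not code from the ACSC advisory: it scans constructed process-creation events (modelled loosely on Sysmon Event ID 1 fields) and flags rundll32/regsvr32 loading a DLL, or any executable launched, from a volume other than the assumed system drive C:, with explorer.exe as the parent.

```python
import re
from typing import Dict, List, Optional, Tuple
# Constructed sample process-creation events (not from the advisory),
# loosely modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    # Benign: Control Panel applet loaded from the system volume.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # Suspicious: a .lnk inside a mounted ISO (drive E:) runs a DLL from that volume.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe E:\report.dll,DllMain"},
    # Suspicious: an executable launched straight from the mounted volume.
    {"Image": r"E:\invoice.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"E:\invoice.exe"},
]

SYSTEM_DRIVE = "C:"  # assumption: mounted ISOs receive a different drive letter
LOLBIN_LOADERS = ("rundll32.exe", "regsvr32.exe")
DLL_ARG = re.compile(r"(?<![\w\\])([A-Za-z]):\\[^\s,]*?\.dll\b", re.IGNORECASE)
def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def flag_event(event: Dict[str, str]) -> Optional[str]:
    """Return a reason if the event matches the ISO -> .lnk -> .dll heuristic, else None."""
    image, parent, cmd = event["Image"], event["ParentImage"], event["CommandLine"]
    if basename(parent) != "explorer.exe":
        return None  # the chain starts with a user double-click in Explorer
    if basename(image) in LOLBIN_LOADERS:
        for m in DLL_ARG.finditer(cmd):
            drive = m.group(1).upper() + ":"
            if drive != SYSTEM_DRIVE:
                return f"{basename(image)} loading DLL from non-system volume {drive}"
    if not image.upper().startswith(SYSTEM_DRIVE):
        return f"executable launched from non-system volume {image[:2].upper()}"
    return None

def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (CommandLine, reason) for every flagged event."""
    return [(ev["CommandLine"], r) for ev in events if (r := flag_event(ev))]

if __name__ == "__main__":
    for cmd, why in scan(SAMPLE_EVENTS):
        print(f"ALERT: {why}: {cmd}")
```

Drive-letter checks are a heuristic: tune SYSTEM_DRIVE and add allow-lists for legitimate removable media before deploying against real telemetry.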

The ACSC is monitoring the situation and is able to provide assistance or advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1 (1300 292 371).

More information here.
