Detection and mitigation recommendations
It is imperative that Australian organisations are alert to this threat and take steps to enhance the resilience of their networks. Cyber security is everyone’s responsibility.
ACSC recommended prioritised mitigations
During the course of its investigations the ACSC has identified two key mitigations which, if implemented, would have greatly reduced the risk of compromise by the TTPs identified in this advisory.
Prompt patching of internet-facing software, operating systems and devices
All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available. Organisations should ensure that security patches or mitigations are applied to internet-facing infrastructure within 48 hours. Additionally organisations, where possible, should use the latest versions of software and operating systems.
Use of multi-factor authentication across all remote access services
Multi-factor authentication should be applied to all internet-accessible remote access services, including:
- web and cloud-based email
- collaboration platforms
- virtual private network connections
- remote desktop services.
ACSC recommended additional mitigations
Beyond the ACSC recommended key mitigations above, the ACSC strongly recommends implementing the remainder of the ASD Essential Eight controls.
During investigations, a common issue that reduced the effectiveness and speed of investigative efforts was the lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs. The ACSC strongly recommends reviewing and implementing the ACSC guidance on Windows Event Logging and Forwarding and System Monitoring.
ACSC recommended detection advice
Where available, campaign activity-specific and practical detection techniques have been included in this advisory. This advisory does not attempt to include detection technique recommendations for all ATT&CK techniques identified. For general detection and mitigation advice, please consult the ‘Mitigations’, ‘Data Sources’ and ‘Detection’ sections on each linked MITRE ATT&CK technique web page.
The ACSC strongly recommends that organisations review and implement the identified TTPs, detection recommendations and indicators in this advisory and associated files to help identify malicious activity related to this campaign.
Indicators of compromise
This advisory contains some indicators in the body of the advisory, however this is not an exhaustive list and are included for illustrative purposes. The full list of indicators of compromise and signatures associated with this campaign are available in the associated indicators released under the 2020-008 identifier.
Incident reporting
If you have questions about this advice or have indications that your environment has been compromised, contact the ACSC or calling 1300 CYBER1 (1300 292 371).
Becoming an ACSC Partner
The ACSC encourages all eligible organisations to become an ACSC Partner. As a partner, you will automatically receive threat intelligence, consisting of context-rich, actionable and timely information in a variety of formats, including advisories and automated indicator sharing.
Further information
The table of contents of the complete advisory, including indicators of compromise and code examples, is below. See the PDF or Word versions for full details.
Table of contents
- Initial access
- Execution
- Persistence
- Privilege escalation
- Defence evasion
- Credential access
- Discovery
- Lateral movement
- Collection
- Command and control
- Exfiltration
- Impact
- Appendix A – Web shells
- Appendix B – HTTPCore malware
- Appendix C – Malicious Office macros
- Appendix D – PowerShell Reverse Shell
- Appendix E – LibraryPSE – PowerShell Empire
- Appendix F – HTTPotato
