The extensive compromise of multiple web hosting providers and mitigation measures have been detailed in a report released today by the Australian Cyber Security Centre (ACSC).
The findings of the ACSC investigation, Operation Manic Menagerie, show that eight Australian web hosting providers were compromised, allowing a malicious actor access to customer websites.
‘The access was exclusively used to conduct criminal activity on the network and customer websites, using the reputation of these legitimate sites to add validity to their activities,’ Alastair MacGibbon, Head of the ACSC, said.
‘Australia is the first country to identify and engage with victims about this activity. While the methods used are not new or sophisticated, the use of them in the manner described in this report, and the victims they target, make this a significant achievement.’
‘The ACSC has played a crucial public safety role in investigating and working with the providers to better protect themselves.’
‘The ACSC advised the Australian hosting providers to conduct a risk assessment and consider whether there was a reporting requirement under the Notifiable Data Breaches (NDB) Scheme.’
‘This cyber-criminal activity was detected by the ACSC working with a diverse range of information sources, including industry, government departments, law enforcement and information security bodies (both domestic and international).’
‘While we will not be identifying the web hosting providers, it is important to note that all affected web hosting providers were advised to take remediation actions and we commend them for working collaboratively with us to achieve such success.’
‘The ACSC will continue to lead the Australian Government’s efforts to improve cyber security and provide advice to stakeholders about how they can protect themselves online. Under the recent amendment to the Intelligence Services Act 2001, this includes supporting Australians to ensure the integrity of information that is processed, stored or communicated electronically,’ Mr MacGibbon added.
Giving up the Gh0st
Hackers relied on vulnerabilities within web applications to gain initial access to web servers before installing malicious software.
Malware utilised by the hackers included password stealing tools, and the well-known “Gh0st” Remote Access Tool (RAT).
Gh0st provides cyber criminals with a range of tools, including remote access to victims’ systems. The malware is also used to both upload and download files without the user’s knowledge or consent.
‘The ACSC has provided a series of mitigation strategies for both customers and web hosting providers to help safeguard networks from future harm,’ Mr MacGibbon said.
‘It is important that we work with businesses to develop and share the tools and methods that will enable them to better protect themselves.’
‘Customers should patch web applications and content management systems (CMS), disable plugins, and reset user credentials to ensure their data is best protected.’
‘We recommend businesses use our Essential Eight mitigation strategies to help to prevent the spread of malicious code.’
Further detailed information can be found in the ACSC’s report.
About the Australian Cyber Security Centre
The ACSC leads the Australian Government’s efforts to improve cyber security. Cyber security is everyone’s responsibility. We work with business, government and academic partners and experts in Australia and overseas to investigate and develop solutions to cyber security threats.
Australian Cyber Security Centre: firstname.lastname@example.org; 1300 CYBER1 (1300 292 371)