June 2020 Cyber Attack Against Australian Assets
On 19th June 2020, the Australian Government announced the detection of an increase in cyber attacks against Australian businesses and Government. Although cyber attacks are happening all the time, this increase is significant due to its size, scale and the apparent involvement of a “nation-state actor”. This attracted a lot of mainstream media attention (ABC).
Cadzow TECH has reviewed the information published by the Australian Cyber Security Centre (Advisory 2020-008) and provides the following information for its clients.
This document begins with some simple advice for all users and continues with more detail — please read the first section if nothing else.
What Can I Do?
The simple, immediate actions everyone can take are:
- Be vigilant about links and attachments in email — don't click on links or open attachments. If in doubt about something you've received, ask us.
- If your computer is prompting to restart to apply updates, let it restart. This ensures the machine has the latest security updates.
Less simple and more time-consuming but extremely valuable:
- Update all your passwords for internet services, particularly personal (non-business) email accounts. The passwords should be random and unique (don't use the same password twice).
What Is The Attack?
Reportedly, the attack uses a variety of techniques to gain a foothold in systems, from phishing (to obtain credentials) and malware-laden emails (to run code on the user's system) to attacks against vulnerable servers. Once the attacker has gained entrance to a system, they use a variety of techniques to spread across the network and gain further traction. It's not clear what the point of the intrusion is, as it does not seem to be ransomware, which would provide a financial reason. But given the presence of a “nation-state”, the point may simply be to gain footholds in many systems or to cause disruption.
A lot of the attack vectors are well-known, and the ACSC repeatedly describes the techniques as “not novel”. They include attempts to exploit known vulnerabilities and social engineering using phishing emails and stolen credentials.
What Is Cadzow TECH Doing?
Organisations on management plans by Cadzow TECH are already in a good position to stay safe. We employ a number of techniques to improve safety, including:
- Regular, automated checks on machines that operating systems and other applications are up-to-date;
- Manual maintenance to ensure systems are up to date;
- Automated user notifications to update various applications when necessary (e.g. browsers);
- Attack surface reduction on workstations with various lockdown settings — for example, attachment blocking and locking down scripts and PDF files;
- Additionally, we temporarily activated our “outbreak” mode for management which further reduces access to attachments in email;
- Regular automated checks against online assets such as domain names, to ensure the settings have not been changed;
- Internet-exposed services are tightly firewalled where possible;
- Administrator-assigned passwords are unique and random in all cases;
- Most of our clients use the Office 365 email service, which is very good at filtering malware and phishing; and
- We welcome queries from our clients with concerns about suspicious things (mostly emails).
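The automated check on online assets such as domain names mentioned above can be done by comparing the records currently published for a domain against a saved baseline. The script below is an added illustration of that idea, not Cadzow TECH's own tooling; the baseline and "current" snapshots are constructed sample data (example.com/example.org names and a documentation IP), standing in for records that a real check would fetch with a DNS library.

```python
"""Flag DNS record drift for a domain by diffing a live snapshot against a baseline."""
from typing import Dict, List, Set

# Constructed sample snapshots (not real records): record type -> published values.
BASELINE: Dict[str, List[str]] = {
    "A": ["203.0.113.10"],
    "MX": ["10 mail.example.com.", "20 mail2.example.com."],
    "NS": ["ns1.example.net.", "ns2.example.net."],
    "TXT": ["v=spf1 include:spf.protection.outlook.com -all"],
}
CURRENT: Dict[str, List[str]] = {
    "A": ["203.0.113.10"],
    # Same MX set as the baseline, plus an unexpected higher-priority relay.
    "MX": ["20 MAIL2.example.com", "10 mail.example.com", "5 unexpected-relay.example.org."],
    "NS": ["ns1.example.net.", "ns2.example.net."],
    # A second SPF record that allows any sender is a classic sign of tampering.
    "TXT": ["v=spf1 include:spf.protection.outlook.com -all", "v=spf1 +all"],
}


def normalize(rtype: str, value: str) -> str:
    """Canonicalise a record so cosmetic differences (case, spacing, trailing dot) don't alert."""
    canon = " ".join(value.split()).lower()
    # TXT payloads are opaque strings; only hostname-bearing types get the trailing dot stripped.
    return canon if rtype == "TXT" else canon.rstrip(".")


def normalize_snapshot(snapshot: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    return {rt.upper(): {normalize(rt.upper(), v) for v in vals} for rt, vals in snapshot.items()}


def diff_records(baseline: Dict[str, List[str]], current: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Return {record_type: {"added": [...], "removed": [...]}} for every type that drifted."""
    base, cur = normalize_snapshot(baseline), normalize_snapshot(current)
    drift: Dict[str, Dict[str, List[str]]] = {}
    for rtype in sorted(set(base) | set(cur)):
        added = sorted(cur.get(rtype, set()) - base.get(rtype, set()))
        removed = sorted(base.get(rtype, set()) - cur.get(rtype, set()))
        if added or removed:
            drift[rtype] = {"added": added, "removed": removed}
    return drift


def alert_lines(drift: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Render drift as one alert line per unexpected or missing record."""
    lines: List[str] = []
    for rtype, change in drift.items():
        lines += [f"{rtype}: unexpected record added: {v}" for v in change["added"]]
        lines += [f"{rtype}: expected record missing: {v}" for v in change["removed"]]
    return lines


if __name__ == "__main__":
    for line in alert_lines(diff_records(BASELINE, CURRENT)):
        print(line)
```

Run on a schedule, any non-empty output from `alert_lines` is the trigger to check with the registrar or DNS host whether the change was authorised.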
It is important to note that while Cadzow TECH applies various techniques to reduce attack surfaces, attack surfaces cannot be eliminated; there are always some. Additionally, the settings we use are not necessarily as tight as possible. Some organisations run their IT systems in an extremely locked-down manner. Our default management style is to reduce attack surface while enabling users to perform their work without much hindrance. However, we continually monitor this and make changes from time to time.