A storm is brewing in Australia, and it’s not COVID-19, though that may very well have been the trigger. Australia has recently brought to light a wide-scale attack across all levels of government, essential service providers, and private businesses across the country. Late last week, PM Scott Morrison rang the alarm bells that “Australia is under a sustained cyber-attack”. Many of the attacks made use of vulnerabilities in Microsoft IIS, SharePoint and Citrix.
Dubbed Copy-paste Compromises, these attacks are not new, but the sounding of the alarm may indicate that the attacks are becoming more successful. Speculation in the media appears to point to an objective of compromising intellectual property in order to advance the attackers’ own industries, but we do not have enough information yet to be sure. These attacks may pivot to more destructive attacks, including ransomware, crippling of critical infrastructure, or impacts on healthcare capacity.
Which industries are most vulnerable?
The challenge with cybersecurity is that most organizations take a back-seat approach and wait for regulatory requirements to mandate testing. Australia has indicated that the widespread attacks span industries, including all levels of government:
“This activity is targeting organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure.”
PM Scott Morrison, Australia
An impact on government and political organizations may critically affect the way our democracies operate. While speculation remains that a cyber attack tipped the scales in Trump’s election, the resulting impact of many of these attacks in Australia is still to be determined. Based on our experience, service providers and their various supply chains pose a significant risk because of the potential impact they may have on businesses.
Managed Service Providers play a significant role in enabling technology across several industries. In most cases, they have remote access to their customers’ environments which, if compromised, may have an exponential impact due to their level of privilege in the organizations they support. For example, if an MSP is compromised, it may enable wide-scale connectivity and control over hundreds of targets.
How are organizations compromised?
Australia labelled the attacks as “copy-paste compromises”, alluding to the observation that the attacks made use of exploits already in the public domain. Based on what was disclosed, the attacks primarily make use of vulnerabilities in Microsoft IIS, SharePoint and Citrix. The vulnerabilities being exploited have patches available, which means the attack did not require significant effort or zero-day exploits.
Zero-day exploits leverage unknown vulnerabilities to obtain unauthorized access to target systems – and they’re particularly dangerous because there are no patches or signatures to detect their use, which often enables an attack to go unnoticed for months.
At Packetlabs, we’ve found that most organizations are susceptible to phishing attacks, struggle to keep up with critical security patches, unnecessarily expose internal services, and often leave default credentials on sensitive systems. These often make the attackers’ job much easier; our objective is to do the opposite. Performing penetration testing on a recurring basis helps raise the bar and reduce the likelihood of a successful cyberattack, and we have a lot of work to do.
How can businesses improve security and reduce risk?
Five controls that significantly reduce risk include annual penetration testing, frequent vulnerability scans, rapid application of security patches, hardening of systems, and multi-factor authentication. Each of these controls helps to reduce risk across organizations of all sizes.
Penetration Testing: The purpose of a penetration test is to explore your business from an attacker’s mindset. Not all attacks are focused on obtaining access to credit cards. A penetration test is your cyber-security fire drill that helps improve processes and reduce risk.
Vulnerability Management: Recurring vulnerability scans help keep patch management solutions honest. As outlined in prior articles, not all patch management solutions are effective or have coverage of third-party software packages like Adobe Reader and countless others. Also, insecure configurations and default credentials make it trivial for an attacker to obtain unauthorized access.
Security Patches: Several of the documented attacks make use of vulnerabilities that have had patches available for some time. Keeping our systems fully patched can significantly reduce risk.
Security Hardening: Our applications and underlying operating systems are often insecure by default to make it easier to enable the myriad features available, but this comes with a cost. Adopting a hardening standard helps to remove unnecessary services and effectively reduce the attack surface.
Multi-factor Authentication: Passwords are often the weakest link. Employees are terrible at picking secure passwords, often reuse passwords, or keep the passwords assigned through their enrollment process. Implementing two-factor authentication prevents a password from being used on its own, without the accompanying token, SMS code, or cryptographic certificate.
Adoption of these five alone will help reduce the likelihood of a compromise similar to the attacks unfolding in Australia, but on their own, they’re not enough. The SANS/CIS Critical Security Controls break down into three buckets: Basic CIS Controls, Foundational CIS Controls, and Organizational CIS Controls. The integration of all three of these areas is crucial to reduce risk and increase the effectiveness of our defences.
COVID-19 and cyber-attacks have lowered our walls and exposed several businesses to significant risks. Political tensions may also have triggered state actors to demonstrate a show of force. We collectively need to work together to improve the resilience of our businesses to cyberattacks, preserve our freedom through our democratic processes, and ensure the stability of our critical infrastructure and healthcare. It is crucial for us to treat this as an early warning and take advantage of the opportunity to catch up on all of the foundational IT processes that we have been neglecting. Waiting for these approaches to become mandatory comes with a significant cost that far outweighs proactive investments.
At Packetlabs, we specialize in helping our clients reduce risk and improve cybersecurity through our ethical hacking engagements. We’d love to learn more about how we can help your business. If you have any questions or think we can help, please contact us.