28/02/2022
Security Alert
On 23 February 2022, the ACSC released an Alert “Australian organisations encouraged to urgently adopt an enhanced cyber security posture”.
Below we will outline what to look out for and how to best protect yourself.
Initial access
Spear phishing emails may be sent with malicious attachments, and the lures can be tailored to the targeted organisation. The attached files can contain an obfuscated script that mounts a file as if it were an external drive; the mounted content then executes further scripts that give the attackers unauthorised access.
Threat actors (cybercriminals / hackers) use brute-force techniques to identify valid credentials for domain and M365 accounts. Once they hold domain credentials, they use them to gain initial access to the network.
Threat actors send spear phishing emails with links to malicious domains and use publicly available URL shortening services to mask the link. Embedding a shortened URL instead of the actor-controlled malicious domain is an obfuscation technique meant to bypass virus and spam scanning tools. It also lends the email a false legitimacy, increasing the probability that the recipient clicks the link.
Threat actors use harvested credentials in conjunction with known vulnerabilities in public-facing applications, such as virtual private networks (VPNs), to escalate privileges, gain access to the exposed applications, and obtain further credentials for the internal network.
Actors have gained initial access to victim organisations by compromising trusted third-party software.
Persistence
In multiple instances, threat actors maintained persistent access for at least six months. Although the actors have used a variety of malware to maintain persistence, they have also used "living off the land" techniques: they use legitimate software and functions that are already on your computer, leaving no foreign programs behind for virus scanners to find.
Malicious actors have moved laterally through networks, compromised user and administrator accounts, hosts and servers including Domain Controllers. The actors have downloaded additional malware and continued to communicate with infrastructure that is known to be compromised or co-opted. The actors have scheduled and executed malicious PowerShell scripts and deployed malicious files and other tools in an attempt to establish persistence.
The actors have used PowerShell to grant the 'ApplicationImpersonation' role to a compromised account. In Exchange, that role lets the account act on behalf of other users' mailboxes, so a single compromised account can read mail across the organisation without touching each mailbox's own credentials.
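One way to catch that role grant after the fact is to review the Exchange admin audit records for New-ManagementRoleAssignment with Role set to ApplicationImpersonation. The script below is an added example written for this newsletter, not code from the ACSC alert or from Aspire Technologies. The sample records are constructed: they follow the general shape of the AuditData JSON that Exchange Online admin audit entries carry (the cmdlet name in Operation, its parameters as Name/Value pairs), but the accounts, times and values are made up, and the "approved admins" list and business-hours window are assumptions you would replace with your own.

```python
import json
from datetime import datetime

# Constructed sample audit records for this example (not real log data). The
# field layout is modelled on Exchange Online admin audit AuditData JSON; the
# accounts, times and parameter values are invented.
SAMPLE_AUDIT_DATA = [
    json.dumps({"CreationTime": "2022-02-10T03:14:22", "Operation": "Set-Mailbox",
                "UserId": "admin@example.com.au",
                "Parameters": [{"Name": "Identity", "Value": "jane@example.com.au"},
                               {"Name": "ForwardingSmtpAddress", "Value": "jane.alt@example.com.au"}]}),
    json.dumps({"CreationTime": "2022-02-11T23:51:07", "Operation": "New-ManagementRoleAssignment",
                "UserId": "svc-backup@example.com.au",
                "Parameters": [{"Name": "Role", "Value": "ApplicationImpersonation"},
                               {"Name": "User", "Value": "svc-backup@example.com.au"}]}),
    json.dumps({"CreationTime": "2022-02-12T09:02:40", "Operation": "New-ManagementRoleAssignment",
                "UserId": "admin@example.com.au",
                "Parameters": [{"Name": "Role", "Value": "Mail Recipients"},
                               {"Name": "SecurityGroup", "Value": "Helpdesk"}]}),
    json.dumps({"CreationTime": "2022-02-13T02:17:55", "Operation": "New-ManagementRoleAssignment",
                "UserId": "svc-backup@example.com.au",
                "Parameters": [{"Name": "Role", "Value": "ApplicationImpersonation"},
                               {"Name": "App", "Value": "MailSync"}]}),
]

# Roles whose assignment should always be reviewed. Lower-cased for comparison.
WATCHED_ROLES = {"applicationimpersonation"}

# Assumed business-hours window (hour of day, inclusive start, exclusive end).
BUSINESS_HOURS = (7, 19)


def _params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def find_impersonation_grants(audit_lines, approved_admins):
    """Return every grant of a watched role, with the reasons it looks suspicious.

    audit_lines: iterable of AuditData JSON strings.
    approved_admins: set of lower-cased UPNs that are allowed to assign roles.
    """
    approved = {a.lower() for a in approved_admins}
    findings = []
    for line in audit_lines:
        rec = json.loads(line)
        if rec.get("Operation") != "New-ManagementRoleAssignment":
            continue
        p = _params(rec)
        role = p.get("Role", "")
        if role.lower() not in WATCHED_ROLES:
            continue
        # The cmdlet takes the assignee as -User, -App, -SecurityGroup or -Policy.
        assignee = p.get("User") or p.get("App") or p.get("SecurityGroup") or p.get("Policy") or "?"
        actor = rec.get("UserId", "")
        when = datetime.fromisoformat(rec["CreationTime"])
        reasons = []
        if actor.lower() not in approved:
            reasons.append("granted by non-approved account")
        if actor.lower() == assignee.lower():
            reasons.append("self-grant")
        if not (BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        findings.append({"time": rec["CreationTime"], "actor": actor,
                         "assignee": assignee, "role": role, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_impersonation_grants(SAMPLE_AUDIT_DATA, {"admin@example.com.au"}):
        print(f"{f['time']}  {f['actor']} -> {f['assignee']} ({f['role']}): {', '.join(f['reasons']) or 'no flags'}")
```

Any legitimate use of ApplicationImpersonation (backup or archiving software, for example) should be on the approved list, so that the remaining hits are the ones worth a phone call. Note that the record timestamps are in UTC; adjust the business-hours window accordingly.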
Privilege Escalation
Malicious actors have targeted and compromised the systems and accounts of privileged Cloud Administrators. Subsequently, they have attempted to generate various Azure Active Directory (AAD) tokens, create users, and grant roles to users and applications in order to maintain persistence.
Credential Access
Malicious actors can operate an automated service that lets them conduct distributed, large-scale targeting using password spraying and password guessing. A spray tries one or two common passwords against many accounts rather than many passwords against one account, which keeps each account below its lockout threshold.
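The signature of a spray in your sign-in logs is therefore one source address failing against many different accounts, each only once or twice, in a short period. The script below is an added example, not code from the ACSC alert or from Aspire Technologies, showing that check over constructed sample events. The events are modelled loosely on the fields of Azure AD sign-in logs (userPrincipalName, ipAddress, createdDateTime and a status error code, where 50126 is a wrong password and 0 a success), but every address, account and time is made up, and the thresholds are assumptions to tune for your own tenant.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAIL_CODE = 50126            # Azure AD: invalid username or password
WINDOW = timedelta(minutes=60)
MIN_DISTINCT_USERS = 8       # assumed threshold: this many different accounts...
MAX_ATTEMPTS_PER_USER = 3    # ...each hit only a few times = spray, not a forgotten password


def _evt(ts, user, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample events (not real log data): one address sprays twelve
# accounts once each and then succeeds on one of them; a second address is a
# single user mistyping their password a few times before getting in.
SAMPLE_SIGNINS = (
    [_evt(f"2022-02-20T01:{m:02d}:00Z", f"user{m}@example.com.au", "203.0.113.7", FAIL_CODE)
     for m in range(12)]
    + [_evt("2022-02-20T01:15:00Z", "user7@example.com.au", "203.0.113.7", 0)]
    + [_evt(f"2022-02-20T09:0{i}:00Z", "alice@example.com.au", "198.51.100.20", FAIL_CODE)
       for i in range(4)]
    + [_evt("2022-02-20T09:05:00Z", "alice@example.com.au", "198.51.100.20", 0)]
)


def _ts(e):
    return datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                          max_per_user=MAX_ATTEMPTS_PER_USER):
    """Return {ip: summary} for each source address whose failures look like a spray.

    A sliding window runs over each address's failed sign-ins; the address is
    flagged when a window holds at least min_users distinct accounts with no
    account tried more than max_per_user times. Any successful sign-in from the
    same address after the spray began is listed as a possible compromise.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_ip[e["ipAddress"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["status"]["errorCode"] == FAIL_CODE]
        start = 0
        for end in range(len(fails)):
            while _ts(fails[end]) - _ts(fails[start]) > window:
                start += 1
            per_user = Counter(e["userPrincipalName"] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                began = _ts(fails[start])
                compromised = sorted({e["userPrincipalName"] for e in evs
                                      if e["status"]["errorCode"] == 0 and _ts(e) >= began})
                findings[ip] = {"targeted_users": len(per_user),
                                "spray_began": fails[start]["createdDateTime"],
                                "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, summary in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"{ip}: {summary['targeted_users']} accounts from {summary['spray_began']}, "
              f"successes after spray: {summary['compromised'] or 'none'}")
```

Two caveats when running this over real data: a patient spray spreads its attempts across many addresses and hours, so also look at the distinct-user count per hour across the whole tenant, not just per address; and a shared office NAT address can produce many different users failing legitimately, which is why the check requires few attempts per account rather than just many failures.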
Lateral Movement
After some victims reset passwords for individually compromised accounts, the actors have pivoted to other accounts, as needed, to maintain access.
Collection
Using compromised M365 credentials, including global admin accounts, the threat actors can gain access to M365 resources, including SharePoint pages, user profiles, and user emails.
Mitigation / How do I stay secure?
Don't click a link or open an attachment in an email you are unsure of. If you need to check, contact the sender over the phone, using a number you already have rather than one given in the email, to confirm the link is genuine.
Be careful of what websites you visit.
Use a standard user account for day-to-day work wherever possible, and limit both the number of admin accounts and who has access to them. Installing software then requires admin credentials, which helps prevent malware being installed on your computer without anyone noticing.
Set up two-step verification (multi-factor authentication) in as many places as possible, including on your Microsoft 365 account. It is the single most effective defence against the password spraying and credential theft described above.
If you have any concerns that your computer has been compromised, you are unsure of a link or attachment, or you just want someone to make sure your network and workplace are safe and secure, contact us for a free security assessment.
Copyright © 2022 Aspire Technologies, All rights reserved. You are receiving this email because you opted in via our website or a previous email or telemarketing campaign.
Aspire Technologies is a Small Business Specialist and member of the Australian Joint Cyber Security Centre.
Our mailing address is:
Aspire Technologies
47A Brunel Rd
SEAFORD, VIC 3198
Australia
Ph. 03 9786 5750