Here’s what you need to know about the cyber threat facing Australia right now…and what you can do to make sure your guard is up!
Last week, the Australian Federal Government took the almost unprecedented (there’s that word again!) step of publicly announcing that Australian government agencies, essential service providers and even businesses are collectively the subject of large-scale, ongoing cyber attacks by a state-based malicious actor.
When Prime Minister Scott Morrison took the major step of publicly calling out the scale of the cyber threat facing Australia, he was doing 3 things. Firstly, by stopping short of naming the actor in question (while leaving it identifiable by a process of elimination on capability), he demonstrated that the Australian Government is ready to play some political hardball.
But even more relevant to Australians trying to keep businesses and our economy viable in these already trying times, he achieved 2 more wins.
- He provided a level of transparency into the Australian Government’s work, in particular the Australian Signals Directorate’s approach to monitoring and maintaining Australia’s cyber defences; and
- He thrust into the spotlight, in a very major way, the risks of letting your IT security guard down!
What do we know so far about the cyber threat Australia is facing?
The Government’s announcements were, by their own clarification, not prompted by any single past or imminent incident, but rather by a series of increasingly pervasive, ever larger scale, more brazen attacks staged and detected over the course of several months.
Even more interesting is that the malicious actors relied heavily on already published and available techniques and code. This included the exploitation of already known vulnerabilities for which updates and patches had already been made available, but which may not have been proactively applied by the affected organisations.
The advisory is aptly named Advisory 2020-008: Copy-Paste Compromises. In this instance our adversaries literally “copied and pasted” exploits for vulnerabilities that were already openly known and available, and ran with them…with great success, it would seem.
What can you do to protect your business and operations?
Step 1. Keep calm…but take action NOW…
This is not a new threat, and the techniques used are nothing new, so it is not a time for panic. But by the same token, this also means that the ways and means to protect your business are already available. There are actions you need to review and steps you can and must take right now to eliminate any vulnerabilities you may be exposed to.
- Apply any patches or updates available
Especially in relation to the key services identified in the advisory (Telerik, SharePoint, Citrix Gateway, etc.). The current attacks are not especially sophisticated, but they leverage vulnerabilities for which patches were released in 2019. If you are not in a regular routine of automatically applying patches and updates, it’s time to:
- Patch those services implicated in this advisory right now (or disable services immediately if you are unable to do so);
- Ensure that patching and updates are applied regularly, routinely and automatically going forward.
- Implement Multi-Factor Authentication (MFA)…yesterday.
It is interesting to note that compromised government agencies gave the same reason as every other organisation for not having implemented MFA to date – that their people will find it annoying having to enter a code or authenticate by another means every time they need to log onto something!
We’re sorry but we’re calling time-out for this excuse across the board!
MFA is now non-negotiable. It is the best and most reliable means we have at this point in time to prevent credential compromise and credential harvesting at the end-user level, especially those that result from phishing emails, which were also identified as key to this particular attack model.
There are a multitude of ways to set up MFA to suit your organisation and the individuals within it – push notifications to mobile devices, SMS notifications, call-backs, tokens – it’s time to pick your poison and just get it done!
- Revisit how you are scanning and blocking email attachments
Macro-enabled (.dotm or even some older .doc) documents attached to emails have long been identified as a key attack vector. There is little need to allow macro-enabled documents at all, and alongside this, incoming emails and attachments should be scanned, filtered and managed automatically across multiple layers of your IT security set-up.
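As an added illustration (not code from the original post or from the advisory), the script below shows one layer of the automatic attachment filtering described above: it parses a constructed sample email, blocks any attachment whose OOXML container carries a VBA project (whatever extension it claims) or that uses a macro-enabled extension, and sends legacy binary Office formats for review. The extension lists, the verdict names and the sample message are assumptions made for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension lists are our assumption, extending the .dotm/.doc examples from the text.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
LEGACY_EXTENSIONS = {".doc", ".dot", ".xls", ".ppt"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Compound File Binary header

def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip) container carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify_attachment(filename: str, data: bytes) -> str:
    """Verdict for one attachment: 'block', 'review' or 'allow'."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_vba_project(data) or ext in MACRO_EXTENSIONS:
        return "block"   # macros present, or a macro-enabled type regardless of content
    if ext in LEGACY_EXTENSIONS or data.startswith(OLE_MAGIC):
        return "review"  # legacy binary format: macros cannot be ruled out by name alone
    return "allow"

def scan_message(raw: bytes) -> dict:
    """Map each attachment filename in a raw RFC 822 message to its verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): classify_attachment(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments() if p.get_filename()}

def make_docx(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

def build_sample_message() -> bytes:
    """Constructed message: a macro-enabled .dotm plus a macro-free .docx."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.test", "finance@example.test", "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(make_docx(True), maintype="application", subtype="octet-stream", filename="invoice.dotm")
    msg.add_attachment(make_docx(False), maintype="application", subtype="octet-stream", filename="notes.docx")
    return msg.as_bytes()
```

Running `scan_message(build_sample_message())` yields `block` for invoice.dotm and `allow` for notes.docx; a real deployment would feed the verdicts into the mail gateway’s quarantine action rather than a dict.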
Interestingly enough, each of these 3 actions is central to Australia’s Essential Eight Strategies for the Mitigation of Cyber Incidents.
The fact that the key points of entry in this attack would have been readily blocked had the Essential Eight been actioned is probably the most important message to businesses right now.
(We will refrain from any further commentary here on the unfortunate lack of adherence to these strategies by Government agencies themselves…)
Step 2. Carry on looking more closely at what your IT security “stack” actually does for you
The 3 actions in Step 1 cover some of the main entry points for the attack as it has been assessed to date. But what we know about cyber incidents is that getting in is one thing – what malicious actors then do in your systems and with your data is quite another.
The full advisory report provides extensive detail on what these malicious actors were doing to increase their reach and launch further attacks once they had gained initial access to systems, and on the complexity involved in detecting and remediating those actions.
IT security is all about layers – a “stack” or suite of solutions designed to ensure that if something makes its way through one access point, it is stopped by the next. The Essential Eight is a great starting point, but they represent the absolute bare minimum set of protections businesses should have in place.
It’s probably fair to assume that organisations that don’t have those 8 covered off are unlikely to have the right layers in place to prevent malicious actors from moving through their systems with speed and anonymity.
Remember: Timing is Everything, Awareness is 90% of the Battle & Consistency is Key!
We get it – times are tough, businesses are under financial pressure like never before and fighting just to come out the other side. But allowing your business to be blind-sided by a cyber incident right now is a risk that may prove just as costly and detrimental to your business, its financial standing, operations or reputation as COVID-19 itself.
So our advice right now is most definitely to keep calm…
But to use this incident as a perfectly timed trigger to
- prioritise getting the right IT security layers in place to protect your business,
- start talking about IT security awareness and its importance across all layers of your business, and
- start leveraging next-generation tools designed to automate the protect, detect, respond process faster, better and even preemptively!