In an advisory published by the Australian Cyber Security Centre (ACSC) in collaboration with the Australian Government warns of “copy-paste compromises” been used to target Australian networks. What the advisory terms “copy-paste compromises” is derived from threat actors using known proof of concept exploit code and copied open source tools. In an associated advisory which goes into much greater detail about the attacks, the attacker's tactics were summarized as,
“The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public facing infrastructure — primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI. Other vulnerabilities in public facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability…The actor has shown the capability to quickly leverage public exploit proof of concepts (POCs) to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.”
Those behind the attacks on Australian networks have been described as “sophisticated” but no mention as to who is responsible or might have been made in the government-issued advisories. While no official mention as to who may be responsible is made by authorities how the attacks occur is detailed. The attacker more often than not relies upon remote code execution flaws specific to unpatched versions of the Telerik User Interface. The vulnerabilities targeted by the attacker includes CVE-2019-18935, CVE-2017-9248, CVE-2017-11317, and CVE-2017-11357. It should be noted that that the flaws targeted by the attackers have been known for some time, with two, in particular, dating back to 2017, all with proof of concept code readily available and been used by hackers in the past to compromise other networks.
Other vulnerabilities targeted by the attack include a ViewState deserialization vulnerability in Microsoft Internet Information Services (IIS) for uploading a web shell, a 2019 Microsoft SharePoint vulnerability, CVE-2019-0604, and the CVE-2019-19781 vulnerability found in Citrix commonly referred to as the ADC bug. All of the flaws targeted by the attacker are deemed critical or serious as they readily allow for remote code execution.
If the attacker failed to take advantage of any of the flaws mentioned above they refused to give up. The attackers show their tenacity by adopting a variety of spear-phishing tactics to gain critical credentials for compromising networks. These techniques included links to credential harvesting websites, emails with links to malicious files, or with the malicious file directly attached, links prompting users to grant Office 365 OAuth tokens to the actor, and use of email tracking services to identify the email opening and lure click-through events. Only once initial access could be granted to a victim’s network would the attacker move to the next phase of the campaign. This involves using a mixture of open source tools as well as custom tools for compromising the network further. To get remote access to the network the attacker will use legitimate tools making detection of an intruder far more difficult.
Open Source Tools
As mentioned above once access to the network is achieved the attacker switches to open source tools to increase privileges. This is done using JuicyPotato and RottenPotatoNG utilities, both of which are freely available via GitHub. Further, ACSC also detected the use of the open-source project PowerShell Empire post-exploitation framework, abandoned by its original developers in August last year and ported to Python3 by BC Security in December the same year. The use of PowerShell Empire has previously been abused in numerous other malware campaigns in the past, including banking malware and ransomware. This is followed by the dropping of several web shells, likewise open source tools, to grant remote access.
It is not just open source tools that make up the attacker's toolbox. One of the web shells used proved to be a relatively well-known piece of malware known for its use by an Iranian state-sponsored threat actor. This being HighShell and was made infamous by APT34, also called OilRig, which was later leaked to the public by Lab Dookhtegan in April 2019 to disrupt the hacking activity of the Iranian government. Despite this, the malware which can be used for command execution, file upload and download, the ability to connect to and query a SQL server, time stomping, and act as a file browser is not readily detectable by a number of malware engines. According to Virus Total only 31 out of 59 malware engines detect the web shell as malware despite being leaked and used by a known advanced persistent threat group.
As it is not detected by close to half of the popular malware engines probably lends itself to being favored by those currently attacking Australian networks, due to the fact that without much effort and by using publically available code the attacker can evade detection. This has another advantage in that by using code so freely available attributing the attack is again made harder as there will be fewer clues pointing to a specific threat actor.
The official releases by the Australian Government make no assumptions, or even assertions, as to who is responsible for the attacks on Australian government departments and businesses. However, sources told ABC News which later published an article that Chinese state-sponsored groups are believed to be behind the attacks. The evidence for this belief resides in the use of one piece of malware known to be used by Chinese hackers further believed to have links to the state. In the indicators of compromise published by ACSC, a sample gathered a fair amount of attention by researchers when published, when Virus Total is used the sample is detected as Korplug which is known to be used by OceanLotus a state-sponsored hacking group believed to be based in Vietnam. According to an ESET report the malware is a backdoor and is described as,
“Once decrypted, the backdoor takes a fingerprint of the system. It sends home various data, such as the computer and user names and the operating system version, before waiting for commands to carry out its main mission…A number of domain names and IP addresses are used for the command-and-control (C&C) infrastructure. All communication with the C&C servers is encrypted. It can be readily unscrambled, however, as the decryption key is prepended to the data. Our deep dive (see the link below) into OceanLotus’s latest marauding campaigns shows that the group isn’t letting up in its efforts and combines legitimate code and publicly available tools with its own harmful creations. The group clearly goes to great lengths in order to bypass detection for its malware and, ultimately, to ‘muddy the waters’ for researchers.”
Korplug is fundamentally similar to PlugX as both share a specific DLL side-loading technique. It is assumed by certain sectors of the InfoSec community that the Korplug detected is actually a sample of PlugX. The malware called PlugX has been around since at least 2008 and is mentioned in numerous reports from cybersecurity companies on attack campaigns linked to China. In the attacks reported by the ACSC, the malware was used to load a Cobalt Strike payload. Since then PlugX has been seen used by multiple Chinese threat actors and is included in the following group’s toolsets:
- APT41 (a.k.a. Barium, Blackfly, Group 72, Wicked Panda, Bronze Atlas)
- Deep Panda (a.k.a. Shell Crew, Bronze Express, Kung Fu Kittens, Black Vine, PinkPanther, WebMasters)
- APT19 (a.k.a. Codoso, Sunshop Group, Bronze Firestone, C0d0so0)
- APT17 (a.k.a. Deputy Dog, Tailgater Team, Bronze Keystone)
- Suckfly (a.k.a. Bronze Olive)
- DragonOK (a.k.a. Danti, Bronze Overbrook)
- Mustang Panda (a.k.a. Bronze President)
- APT10 (a.k.a. Stone Panda, MenuPass, Potassium, Bronze Riverside, Hogfish, Red Apollo)
- APT27 (a.k.a. Bronze Union, Emissary Panda, Iron Tiger, Lucky Mouse, TG-3390)
- Roaming Tiger (a.k.a. Rotten Tomato, Bronze Woodland)
Given the recent cooling of the relationship between China and Australia over the COVID-19 pandemic there is perhaps more reasons to think that China is behind the recent attacks on Australian interests. To say this for certain given the lack of evidence is unwise and the Australian Government’s unwillingness to point the finger may be an indication of wider geo-political factors the government is concerned with.