
The Australian Cyber Security Centre (ACSC) has issued a high-priority alert to help Australian organizations detect the destructive Russian malware used against targets in Ukraine. “Australian organizations should urgently adopt a strengthened cybersecurity posture,” the centre said.
(image: ACSC)
“Organizations should act now and follow the advice of the ACSC to improve their cybersecurity resilience in light of the heightened threat environment,” the ACSC said. “While the ACSC is not aware of any current or specific threats to Australian organizations, the adoption of a strengthened cybersecurity posture and increased threat monitoring will help reduce the impacts on Australian organizations.
“The ACSC is aware of reports that threat actors have deployed destructive malware to target organizations in Ukraine. This advisory provides additional Indicators of Compromise (IOCs) to help organizations detect WhisperGate and HermeticWiper destructive malware.
“Destructive malware can pose a direct threat to an organization’s day-to-day operations, affecting the availability of critical assets and data.
“Australian organizations must continue to remain vigilant against the threat of ransomware. Threat actors suspected of being associated with Conti have claimed they will target unspecified critical infrastructure in response to cyber or military actions against Russia. The ACSC has published a profile on Conti’s background, threat activity and mitigation tips. Tactics, techniques, and procedures associated with Conti ransomware are included in the profile.
“This notice has been compiled with reference to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, and draws on information from ACSC partner agencies and industry sources.”
Initial access:
Spear-phishing emails are sent with malicious HTML attachments, with lures tailored to the targeted organization. The HTML (.html) file carries an obfuscated JavaScript payload that writes out an .ISO file, which Windows mounts like an external drive. A .lnk file inside the image executes a hidden .dll, which in turn loads further payloads such as Cobalt Strike.
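As an added illustration (not code from the ACSC advisory), the Python script below triages an HTML attachment for the smuggling chain just described: it looks for the browser APIs that turn an in-page string into a saved file, decodes any long base64 literal in the page, and classifies the decoded bytes by magic number (ISO 9660 "CD001" at byte 0x8001, the .lnk header and CLSID, the PE "MZ" stub). The HTML lure and the minimal ISO image embedded in it are constructed here so the script runs offline; the indicator regexes are this author's heuristics, not ACSC indicators of compromise.

```python
"""Triage an HTML attachment for the HTML-smuggling chain described above.

Added example, not code from the ACSC advisory. The HTML lure and the
minimal ISO 9660 image embedded in it are constructed here so the script
runs offline; the indicator regexes are this author's heuristics.
"""
import base64
import re

# ISO 9660 keeps its primary volume descriptor at sector 16 (2048-byte
# sectors): type byte at 0x8000, the "CD001" identifier at 0x8001.
ISO_SIG_OFFSET = 0x8001
# Windows shortcut (.lnk): HeaderSize 0x4C little-endian, then the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in GUID byte order.
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Browser APIs that materialise a file client-side, plus an anchor whose
# download name is a disk image (the .ISO step of the chain).
SMUGGLING_INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "Blob": re.compile(r"\bnew\s+Blob\s*\("),
    "createObjectURL": re.compile(r"\bcreateObjectURL\s*\("),
    "msSaveOrOpenBlob": re.compile(r"\bmsSave(?:OrOpen)?Blob\b"),
    "download-disk-image": re.compile(r"\bdownload\s*=\s*['\"][^'\"]*\.(?:iso|img|vhd)\b", re.I),
}
# A quoted base64 literal of at least 512 characters is the smuggled body.
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{512,}={0,2})['\"]")


def identify_payload(data: bytes) -> str:
    """Classify decoded bytes by magic number; 'unknown' if none match."""
    if len(data) >= ISO_SIG_OFFSET + 5 and data[ISO_SIG_OFFSET:ISO_SIG_OFFSET + 5] == b"CD001":
        return "iso9660"
    if data.startswith(LNK_HEADER):
        return "lnk"
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


def triage_html(html: str) -> dict:
    """Report smuggling APIs, decoded payload types, and an overall verdict."""
    apis = sorted(name for name, rx in SMUGGLING_INDICATORS.items() if rx.search(html))
    payloads = []
    for m in B64_LITERAL_RE.finditer(html):
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue  # not real base64, e.g. a long random token
        payloads.append({"size": len(blob), "type": identify_payload(blob)})
    # Verdict: file-materialising JavaScript AND a recognisable embedded file.
    suspicious = bool(apis) and any(p["type"] != "unknown" for p in payloads)
    return {"smuggling_apis": apis, "payloads": payloads, "suspicious": suspicious}


def build_sample_html() -> str:
    """Constructed lure: 17 zeroed sectors with only the ISO volume-descriptor
    signature set, base64-encoded into a script that saves it as invoice.iso."""
    image = bytearray(ISO_SIG_OFFSET + 2048)
    image[ISO_SIG_OFFSET - 1:ISO_SIG_OFFSET + 5] = b"\x01CD001"
    b64 = base64.b64encode(bytes(image)).decode()
    return (
        "<html><body><p>Please review the attached invoice.</p><script>"
        f"var d='{b64}';"
        "var b=new Blob([Uint8Array.from(atob(d),c=>c.charCodeAt(0))],"
        "{type:'application/octet-stream'});"
        "var a=document.createElement('a');a.href=URL.createObjectURL(b);"
        "a.download='invoice.iso';a.click();</script></body></html>"
    )


if __name__ == "__main__":
    print(triage_html(build_sample_html()))
```

The verdict deliberately requires both the JavaScript and a recognisable decoded file: plenty of legitimate pages call atob, and plenty embed base64 images, so either signal alone is noisy. Real lures usually obfuscate the API names as well (string splitting, character-code arrays), so treat a miss on the API check as inconclusive and let the decoded-payload check carry the weight.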
Threat actors use brute-force techniques to identify valid credentials for domain and Microsoft 365 (M365) accounts. Once they hold domain credentials, they use them to gain initial access to networks.
Threat actors send spear-phishing emails containing links to malicious domains and use publicly available URL-shortening services to hide the link. Embedding a shortened URL instead of the actor-controlled domain is an obfuscation technique intended to evade antivirus and anti-spam scanners. It also lends the message false legitimacy, increasing the likelihood that the recipient will click the link.
Threat actors combine collected credentials with known vulnerabilities, for example CVE-2020-0688 and CVE-2020-17144 (both Microsoft Exchange Server), on public-facing applications such as virtual private networks (VPNs) to elevate privileges and obtain remote code execution (RCE) on the exposed application. Additionally, threat actors exploited CVE-2018-13379, a path traversal in the Fortinet FortiOS SSL VPN web portal (FortiGate), to harvest credentials and gain access to networks.
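As an added example, not from the advisory, the Python scanner below walks web-server access lines for two exploitation patterns associated with the CVEs named above: a GET to the Exchange /ecp/ path carrying __VIEWSTATE in the query string (the shape of CVE-2020-0688 exploitation; legitimate ECP sends the viewstate in a POST body) and a path-traversal request reaching sslvpn_websession via /remote/fdone/lang (CVE-2018-13379). The signatures are this author's reading of public reporting on these CVEs and should be treated as assumptions; the Common Log Format lines are constructed, IPs come from documentation ranges, and URLs are percent-decoded before matching so an encoded traversal does not slip past.

```python
"""Scan web-server access logs for exploitation attempts against the CVEs
named above. Added example, not from the advisory: the signatures are this
author's reading of public reporting on these CVEs, the Common Log Format
lines are constructed, and IPs come from documentation ranges."""
import re
from urllib.parse import unquote

# Legitimate ECP sends __VIEWSTATE in a POST body; CVE-2020-0688 exploitation
# places a forged __VIEWSTATE (plus generator) in the query string of a GET.
# CVE-2018-13379 is a path traversal through /remote/fdone/lang?lang= that
# reads the SSL-VPN session file sslvpn_websession (plaintext credentials).
SIGNATURES = [
    ("CVE-2020-0688", re.compile(r"^/ecp/[^?]*\?(?:.*&)?__VIEWSTATE=", re.I)),
    ("CVE-2018-13379", re.compile(r"^/remote/fdone/lang\?lang=.*\.\./.*sslvpn_websession", re.I)),
]

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: two benign requests per service and three attacks.
SAMPLE_ACCESS_LOG = """\
198.51.100.9 - - [24/Feb/2022:09:12:01 +1100] "GET /owa/ HTTP/1.1" 200 5120
198.51.100.9 - - [24/Feb/2022:09:12:05 +1100] "GET /ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEydGVzdA%3D%3D HTTP/1.1" 500 3152
192.0.2.44 - - [24/Feb/2022:09:13:10 +1100] "POST /ecp/default.aspx HTTP/1.1" 200 9011
203.0.113.50 - - [24/Feb/2022:09:20:41 +1100] "GET /remote/fdone/lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 63410
203.0.113.51 - - [24/Feb/2022:09:20:42 +1100] "GET /remote/fdone/lang?lang=%2F..%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 63410
192.0.2.45 - - [24/Feb/2022:09:21:00 +1100] "GET /remote/fdone/lang?lang=en HTTP/1.1" 200 210
"""


def scan(log_text: str) -> list:
    """Return one finding per line whose percent-decoded URL matches a signature."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        url = unquote(m.group("url"))  # decode %2F etc. before matching
        for cve, rx in SIGNATURES:
            if rx.search(url):
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "cve": cve,
                                 "status": int(m.group("status")), "url": url})
                break
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_ACCESS_LOG):
        print(f"{f['ip']} {f['cve']} HTTP {f['status']} {f['url']}")
```

The status code matters in triage: a 200 on the sslvpn_websession request means the session file was served and every credential in it should be treated as compromised, whereas a 500 on the ECP request only shows an attempt. Exchange's IIS logs use the W3C fields rather than Common Log Format, so swap CLF_RE for a W3C field split there; the signatures themselves are unchanged.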
Actors have also gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include the M.E.Doc accounting software (the NotPetya outbreak of 2017) and SolarWinds Orion (2020).
The ACSC is monitoring the situation and can provide assistance or advice as needed. Organizations that have been affected or need assistance can contact the ACSC via 1300 CYBER1 (1300 292 371).