A recent report from the Australian Cyber Security Centre (ACSC) describes a significant vulnerability that is also being exploited in the attacks cybercriminals run to deliver cryptojacking malware.
The report highlights the tactics, techniques, and procedures (TTPs) the attackers used against their victims, mainly Australian networks. The ACSC said that a group of ‘state actors’ hacked the networks on June 19. In the reported incident, they targeted a vulnerability that is also linked with cryptojacking malware attacks.
Australia’s government is aware of the matter and is responding accordingly. According to the government, the activity represents a highly coordinated cyber-targeting campaign against several Australian institutions.
The term ‘Copy-Paste Compromises’ comes from the actor’s extensive use of web shells, proof-of-concept exploit code, and many other tools copied almost verbatim from open source.
According to the 48-page report released on June 24, the state actors targeted four crucial vulnerabilities in Telerik UI. One of them, CVE-2019-18935, was recently leveraged by the Blue Mockingbird malware gang, which used it to infect numerous systems with the Monero (XMR) mining software XMRig.
Vulnerabilities Normally Affected By Cryptojacking Activities
The report does not indicate whether the attackers managed to install cryptojacking malware in the recent large-scale attack. However, exploiting this vulnerability is the preferred strategy these criminals use to install different types of crypto-mining applications inside corporate networks.
The report dives deep into CVE-2019-18935. It shows that the exploitation has many similarities with Blue Mockingbird’s attack, but it does not suggest that this gang participated in the attack on Australia:
“Other exploit payloads were identified by the ACSC most commonly when the actor’s attempt at a reverse shell was unsuccessful. These included: a payload that attempted to execute a PowerShell reverse shell; a payload that attempted to execute certutil.exe to download another payload; a payload that executed binary malware (identified in this advisory as HTTPCore) previously uploaded by the actor but which had no persistence mechanism; a payload that enumerated the absolute path of the web root and wrote that path to a file within the web root.”
How They Operate
These attackers have shown the capability to quickly leverage public proof-of-concept exploits (PoCs) against target networks. They often conduct reconnaissance of target networks looking for vulnerable services, and they probably maintain a list of public-facing services to target rapidly when future vulnerabilities are released.
The actors also show an aptitude for identifying test, development, and orphaned services that are not well known or maintained by the targeted organizations. Where exploitation did not succeed, the ACSC identified that the actors turned to spear phishing, which took the form of:
- Emails that contain links to malicious files, or with the malicious file attached directly
- Links to credential harvesting sites
- Use of email tracking services to identify email opening and lure click-through events
- Links that prompt users to grant Office 365 OAuth tokens to the actor
After gaining access, the actors used a combination of custom and open source tools to persist on and interact regularly with the victim network. Although these tools remained on the network, the actor migrated to legitimate remote access using stolen credentials.
The attacker was identified as using compromised legitimate Australian websites as command and control servers while interacting with victim networks. In general, command and control was done using web shells and HTTP/HTTPS traffic. This method renders geo-blocking ineffective and lends legitimacy to malicious network traffic during investigations.
In its research, the ACSC did not identify any intent by the actors to conduct destructive or disruptive activities inside victim environments.
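The payload types quoted from the advisory above (a PowerShell reverse shell, a certutil.exe download, a binary dropped through the web shell) all share one observable: a web server worker process launching a child it should not normally launch. The following detector, added here as an illustration and not taken from the ACSC report or any named tool, runs that check over constructed process-creation events. It assumes Sysmon-style fields (parent image, image, command line) and that the ASP.NET application runs under the IIS worker process w3wp.exe; both the process names and the sample command lines are assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Assumption: the ASP.NET application runs under the IIS worker process.
WEB_WORKER_PROCESSES = {"w3wp.exe"}
# Children a web worker should not normally spawn; these correspond to the
# payload types quoted from the advisory (shell, PowerShell, certutil download).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Subset of the fields a Sysmon Event ID 1 (process creation) record carries."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent) -> list:
    """Return the reasons an event is suspicious; an empty list means clean."""
    reasons = []
    parent = basename(event.parent_image)
    child = basename(event.image)
    # A web worker spawning a shell, PowerShell or certutil is the web-shell signal.
    if parent in WEB_WORKER_PROCESSES and child in SUSPICIOUS_CHILDREN:
        reasons.append(f"web worker {parent} spawned {child}")
    # certutil.exe with a URL on its command line indicates a download, whoever the parent is.
    if child == "certutil.exe" and URL_RE.search(event.command_line):
        reasons.append("certutil.exe invoked with a URL on its command line")
    return reasons


def scan(events) -> list:
    """Return (event, reasons) pairs for every suspicious event in the input."""
    return [(e, classify(e)) for e in events if classify(e)]


# Constructed sample events; the paths, arguments and URL are made up for this example.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command <omitted>"),
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\certutil.exe",
                 "certutil.exe <args> https://example.invalid/stage2.bin"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\certutil.exe",
                 "certutil.exe -dump C:\\Users\\alice\\cert.cer"),
    # Benign: the ASP.NET runtime compiling a page is a normal child of w3wp.exe.
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                 "csc.exe /noconfig /fullpaths <omitted>"),
]

if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_EVENTS):
        print(basename(event.image), "->", "; ".join(reasons))
```

The parent-child rule is deliberately independent of the command line, so a payload that obfuscates its arguments is still caught, while the certutil rule catches downloads launched from any parent. Because the report notes that the actor later moved to legitimate remote access with stolen credentials, this check only covers the initial web-shell phase; it needs to be paired with monitoring of remote-access logins.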
Did China’s State Actors Launch This Attack?
Almost ten Chinese hacking groups have the PlugX malware in their arsenal. These groups engage in espionage and allegedly have strong ties with the Chinese government. PlugX was one of the malware families identified in the ACSC report.
Many Australian officials are convinced that China may be behind the widespread attack, pointing to the diplomatic tensions that have been rising between the two nations.
The attack may have followed Australia’s insistence on an investigation into the origin of the COVID-19 pandemic, which did not go down well with Chinese officials.
China called the investigation a ‘discriminatory’ accusation and responded quickly with severe trade retaliation against the Oceanic country. Nevertheless, China’s government has denied the hacking claims.