Australian ACSC ‘s report confirms the use of Chinese malware in recent attacks

Australian ACSC published a detailed report on the techniques, tactics, and procedures associated with the threat actor that targeted organizations in the country.

Recently, Australia ‘s prime minister Scott Morrison revealed that a “state-based actor” is targeting government, public services, and businesses.

Warning Australians of “specific risks” and an increased frequency of attacks, the Australian government is working on “specific risks” related to a significant increase in the number of targeted cyber attacks against sensitive institutions and organizations in almost any industry, Morrison told an organised press conference

Morrison highlighted that the attackers have been orchestrated by a sophisticated nation-state actor, but did not attribute it to a specific foreign state. Senior sources told Australia’s ABC News that China-linked APT groups may have been involved in the attacks.

Attackers employed modified proof-of-concept exploit code for known vulnerabilities, experts reported that attackers targets public-facing infrastructure. In many cases, attackers targeted unpatched versions of Telerik user interface (UI) by exploiting CVE-2019-18935, CVE-2017-9248, CVE-2017-11317, CVE-2017-11357 vulnerabilities.

Experts from the Australian Cyber Security Centre (ACSC) discovered that the attacker also exploited a Microsoft SharePoint Remote Code Execution Vulnerability tracked as CVE-2019-0604 and the CVE-2019-19781 vulnerability in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

In other attempts detected by ACSC, threat actors launched spear-phishing to harvest credentials, deliver malware, and steal other sensitive data from the victims.

“The ACSC has identified instances where users have executed malware embedded in email attachments. The text of the email provides the user with a plausible reason to open the attachment. Once opened, the malware will exploit an existing vulnerability or execute directly on the user’s system.” reads the alert issued by the ACSC.

The ACSC pointed out that the attackers did not carry out any disruptive or destructive activities within victim environments.

The threat actors used malware (i.e. Korplug, PlugX) that has been associated with Chinese APT groups, such as OceanLotus, to load a Cobalt Strike payload.

According to the ACSC experts, attackers also use the open-source PowerShell Empire post-exploitation framework.

Once gained a foothold inside the victim network, the attackers attempted to escalated privileges to SYSTEM using common tools, including Juicy Potato and RottenPotatoNG utilities.

The attackers’ arsenal also includes numerous web shells used to maintain access to compromised hosts.

The full report published by ACSC on the techniques, tactics, and procedures associated with the threat actor that targeted organizations in the country is available here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ACSC)

[adrotate banner=”5″]

[adrotate banner=”13″]