Key learnings from the Australian Government Breach
by Tim Keeler, on Jun 23, 2020
The recent cyber campaign targeting Australian government networks should not come as a surprise to cyber security experts. The heavy use of spear-phishing for intrusion, and of credential harvesting for privilege escalation and lateral movement, is in every adversary’s playbook. What is important to note is that one’s exposure to this type of attack is not evident without an identity-centric view of the endpoint: which accounts hold privileged access on which machines.
How did the adversary progress after successful intrusion?
A key strategy of the adversary focused on harvesting valid credentials, enumerating network-connected devices to determine where those accounts had privileged access, and abusing those accounts for lateral movement. The attackers leveraged seven unique methods to harvest and obtain valid credentials, move laterally across the network and target the Active Directory database.
One thing to note: the methods of lateral movement used in this attack would have evaded traditional privileged access management (PAM) solutions reliant on vaulting, session recording and jump boxes, as the ACSC advisory describes:
While the actor does not appear to have bypassed two-factor controls to authenticate to a service, the ACSC did identify the malicious actor capturing and using an email-based verification code sent in response to the service detecting anomalous login activity.
Once initial access is achieved, the actor utilized a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials. To successfully respond to a related compromise, all accesses must be identified and removed.
How can future attacks like these be prevented?
This type of attack is preventable if privileged access is not available to attackers on a standing basis. Effective privileged access management solutions must be laser-focused on removing standing privilege and enforcing Just in Time Administration (JITA) with multi-factor authentication (MFA). This approach removes any authorization (and any chance of further exploitation) afforded to the credentials stolen by the adversary: a harvested credential with no active, MFA-approved grant carries no privilege to abuse. This could have been achieved through role-based access restriction along with two-factor authentication.
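The two halves of that argument, finding standing privilege on endpoints and replacing it with a time-bound grant, can be demonstrated on Active Directory. The following is an added example written for this post, not code from the author or from any product; it assumes the RSAT ActiveDirectory module, WinRM access to the endpoints, a forest at Windows Server 2016 functional level or later, and uses placeholder host, OU, group and account names. MFA approval of the grant request happens in the PAM workflow that calls this, not in the script itself.

```powershell
# Added example (not from the original post). Placeholders: OU=Servers, ServerAdmins, jdoe.
Import-Module ActiveDirectory

# 1. Identity-centric view of the endpoint: who holds standing local-admin rights where?
$endpoints = (Get-ADComputer -Filter 'Enabled -eq $true' `
    -SearchBase 'OU=Servers,DC=example,DC=com').Name

$standingAdmins = Invoke-Command -ComputerName $endpoints -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{n='Endpoint';e={$env:COMPUTERNAME}}, Name, ObjectClass, PrincipalSource
}

# Expand domain groups recursively; nested membership is what an enumerating attacker looks for.
$report = foreach ($m in $standingAdmins) {
    if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory') {
        $groupName = $m.Name.Split('\')[-1]
        Get-ADGroupMember -Identity $groupName -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { [pscustomobject]@{ Endpoint=$m.Endpoint; Account=$_.SamAccountName; Via=$m.Name } }
    } else {
        [pscustomobject]@{ Endpoint=$m.Endpoint; Account=$m.Name; Via='Direct' }
    }
}

# One account with admin rights on many hosts is the lateral-movement path the campaign abused.
$report | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count, @{n='Endpoints';e={($_.Group.Endpoint | Sort-Object -Unique) -join ','}} |
    Format-Table -AutoSize

# 2. Replace standing membership with a JIT grant that expires on its own.
#    Requires the AD Privileged Access Management optional feature (enabling it is irreversible).
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    Write-Warning 'PAM optional feature is not enabled; -MemberTimeToLive will be rejected.'
}

# Membership is removed automatically after one hour; Kerberos tickets issued for it
# are limited to the remaining TTL, so a credential stolen later gets no privilege.
Add-ADGroupMember -Identity 'ServerAdmins' -Members 'jdoe' -MemberTimeToLive (New-TimeSpan -Hours 1)

# Verify: TTL-bound members show as <TTL=seconds,DN> in the member attribute.
Get-ADGroup -Identity 'ServerAdmins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

Run the first half on a schedule and alert when an account gains admin rights on more hosts than its role requires; the second half replaces the permanent memberships that report surfaces.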
It’s a hard lesson learned: Until privileged access is safeguarded the right way, with the right tools, we’ll continue seeing campaigns like this.