Australia cyberattack exploited vulnerability usually used in cryptojacking malware attacks
The Australian Cyber Security Centre revealed that hackers exploited known vulnerabilities in the Telerik user interface.
Mon, 29 Jun 2020, 08:42 am UTC
The cyberattacks on Australian networks last June 19 were done by a group “state actors,” according to a recent report released by the Australian Cyber Security Centre. The ACSC said that the attack exploited one of the vulnerabilities usually used to infect systems with cryptojacking malware, Cointelegraph reported.
The ACSC, which released the 48-page report on June 24, revealed that the hackers exploited four critical vulnerabilities in the Telerik user interface called CVE-2019-18935, CVE-2017-9248, CVE-2017-11317, and CVE-2017-11357, according to BleepingComputer.
The CVE-2019-18935 vulnerability has been leveraged by hackers in past attacks and was used to infect systems for cryptocurrency mining purposes. For instance, the vulnerability was used by the Blue Mockingbird hacker group to infect Monero (XMR) crypto mining software XMRRig into thousands of systems.
However, the Australian Cyber Security Center report did not specifically state that the recent attacks on Australian networks were used to install cryptojacking malware. It must also be noted that the report did not claim Blue Mockingbird as a participant in the attacks.
The report also stated that there were other methods of attack attempted by the hacker in the June 19 incident. Thankfully, these methods did not achieve its objective.
“Other exploit payloads were identified by the ACSC most commonly when the actor’s attempt at a reverse shell was unsuccessful,” the report said. “These included: a payload that attempted to execute a PowerShell reverse shell; a payload that attempted to execute certutil.exe to download another payload; a payload that executed binary malware (identified in this advisory as HTTPCore) previously uploaded by the actor but which had no persistence mechanism; a payload that enumerated the absolute path of the webroot and wrote that path to a file within the web root.”
Based on its investigations, ACSC also made recommendations on how to mitigate the risk of compromise. One key area is the “prompt patching of internet-facing software, operating systems, and devices.” This also involves using the latest versions available for software and operating systems.
Another method that could reduce the risk of potential breaches is the “use of multi-factor authentication across all remote access services.” These include web and cloud-based email, collaboration platforms, virtual private network connections, and remote desktop services.
“It is imperative that Australian organizations are alert to this threat and take steps to enhance the resilience of their networks,” the ACSC warned. “Cybersecurity is everyone’s responsibility.”
<Copyright © TokenPost. All Rights Reserved. >