WEBINAR | A Deep-Dive into 2023 Cyber Threats
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
April 16, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
This week, the Australian National University (ANU) published a report on an intrusion into their networks that occurred in 2019. Whilst the attackers had access to data from the university going back 19 years, the ANU report that they cannot accurately ascertain specifically which data was taken. What they do know however is that the attackers were targeting a system which stored the Personally Identifiable Information (PII) and commercial information for the university. In addition to an exemplary breach response, the ANU provided a detailed breakdown of the intrusion, which is extremely helpful for network defenders.
We decided to map this intrusion to the Mitre ATT&CK framework, as we have done previously for:
This provides a useful lens for analyzing the attacker’s tradecraft and identifying which steps to take to prevent or detect this tradecraft.
The attackers were extremely disciplined and, despite having wide-ranging access to the target environment, they were solely focused on targeting one system: the Enterprise Systems Domain (ESD) system. According to the report, ESD is the “Enterprise Systems Domain, which houses our human resources, financial management, student administration and enterprise e-forms systems”. Typically in these intrusions, attackers are looking for data that can be easily monetized (in the case of cybercriminal intrusions) or data that can be used for intelligence or counterintelligence purposes (in espionage-related intrusions).
However, the ANU’s report stated:
Despite our considerable forensic work, we have not been able to determine, accurately, which records were taken. However, our analysis has been able to establish that while the hackers had access to data up to 19-years-old, the hackers took much less than the 19 years’ worth of data we originally feared. We also knew the stolen data has not been further misused. Frustratingly this brings us no closer to the motivations of the actor.
The fact that the data has not been misused indicates the motive behind the theft was likely for intelligence purposes, rather than for criminal purposes.
Initial Access
The initial attack reportedly started on 9 Nov 2018, with a single spearphishing email. It was stated that there were at least four waves of spearphishing attacks the attackers carried out. The report includes the recovered spearphishing emails in Appendices A, B, and C. Defenders should study these phishing emails in detail, as they are well crafted and display a detailed knowledge of the target’s environment and what emails and email styles would be considered normal for that specific environment.
Spearphishing was, however, not the only technique used for Initial Access. The attackers used the valid credentials they recovered from the previous spearphishing attacks to login remotely to a web server and install a web-shell for further post-exploitation actions.
This is where we see some of the craftsmanship of the attacker. The report provided information on some of the emails and campaigns, and also provided redacted images of some of the emails sent by the attacker.
The quote below is another favorite of ours from the report. It demonstrates some of the level of understanding and resourcefulness of the attacker, showing similar tradecraft to other well-known APT groups.
The actor continues to look for credentials and tries to maximise the effectiveness of their spearphishing efforts by connecting to the University’s spam filer and attempting to disable its ability to detect malicious emails.
The following is an extract from the report’s appendix, showing the detail and effort put into the phishing emails.
To have their payload executed by their targets, the attackers used an “interaction-less” attack, according to the report:
Based on available logs this email was only previewed but the malicious code contained in the email did not require the recipient to click on any link nor download and open an attachment. This “interaction-less” attack resulted in the senior staff member’s credentials being sent to several external web addresses.
The details provided in this extract initially may sound vague and unlikely. If we look back into the news in early 2018, we see the report of a vulnerability with these properties: CVE-2018-0950. This vulnerability would allow exactly this attack flow, where the preview pane within Outlook renders Rich Text Format (RTF) email messages that contain an object linking and embedding (OLE) object; this would then open a connection to a remote Server Message Block (SMB) server, allowing an attacker to acquire a password hash from the target user. This hash could then be cracked offline by the attacker.
This attack spans multiple techniques. It requires user interaction to open the email (but not the attachment), exploits the client-side application, and also performs forced authentication (see T1187 Forced Authentication below).
The report also stated:
Other software used by the actor included network session capture and mapping tools, bespoke clean-up, JavaScript and PowerShell scripts as well as a proxy tool.
This shows that the attackers are using a wide range of attack tools to maximize their effectiveness in the target environment.
The attackers installed and used a web-shell on the compromised web server, using the credentials from the first spearphish, to maintain access to the target environment. The attackers also used their access to a server to install a Windows XP and Kali Linux virtual machines, which they then used to attack other machines in the network. The attackers downloaded the images for the virtual machines via BitTorrent. This indicates a lack of outbound network filtering from the target environment.
Privilege Escalation occurred during the attack but no concrete techniques were presented in the report. However, the report states:
The senior user whose credentials were stolen was not a system administrator, so it is likely that a privilege escalation exploit was used to gain full control of the server.
According to the report,
The tactics, techniques and procedures used during the attack highlight the sophistication and determination of the actor. In addition to their efficiency and precision, the actor evaded detection systems, evolved their techniques during the campaign, used custom malware and demonstrated an exceptional degree of operational security that left few traces of their activities.
Defense Evasion was clearly a major part of the attackers’ tradecraft.
Another example from the report is:
The actor exhibited exceptional operational security during the campaign and left very little in the way of forensic evidence. Logs, disk and file wipes were a recurrent feature of the campaign.
It is worth noting how this operational security (OPSEC) was clearly built into the attacker’s tradecraft. Their’ standard operating procedures included OPSEC-aware procedures and these were consistently followed.
The report states:
The actor sent out four spearphishing emails, to ANU users, to try and gain credentials ie passwords, usernames, hashes. The aim of these emails was to gain the credentials of an administrator or someone with the right level of access to targeted systems. Actors also try to gain a broad set of credentials in case they expire, or compromised accounts are exposed. In the case of ANU, administrator credentials deliberately expire quickly. The other mechanism the actor used was software designed to “sniff” credentials from network traffic.
This quote indicates that the attackers were able to extract credentials from network traffic. It could be the case that credentials were sent in plaintext via FTP or HTTP or similar. Or the attackers could have used a tool like Responder to sniff Windows credentials as they travelled over the network.
Following a description of the initial attack vector, the report cited a timeline of 12−14 Nov 2018 for the next stage. This would have provided the attacker enough time to perform a brute-force cracking attack on any password hashes acquired during the first phase, and perform reconnaissance of the university’s Internet-facing infrastructure, looking for a platform for persistence and exfiltration.
Although the report does not detail exactly which Discovery techniques were used, given that the attackers compromised a wide variety of machines across a number of networks, they likely used a broad set of techniques to discover other systems. This assessment is supported by the report:
The actor also starts to map out machines in ESD and locates servers housing the databases underpinning ANU HR, finance, student administration and e-forms systems. Upon finding these databases the actor tries repeatedly, and unsuccessfully, to access these systems.
The actor also gained access (through remote desktop) to a machine in a school which had a publicly routable IP address. Age and permissiveness of the machine and its operating system are the likely reasons the actor compromised this machine.
The “age and permissiveness” is not something you should be able to use to describe systems within your network; however, you’ve got to give ANU credit for their honesty and openness throughout the entirety of the report.
Using these positions to operate various tools for network traffic interception, monitoring, and clean-up efforts, the attackers were able to maintain access and discover multiple resources and systems that some may consider to be high-value targets within the network.
During this Discovery period another “legacy” system was discovered, this time an operational mail server. The attackers reportedly used the server to send several messages to external recipients, with contents suspected of containing information related to their reconnaissance efforts, and other data of value.
The actor connected to a legacy mail server and sent three emails to external email addresses. Unlike the University’s primary mail server, this legacy mail server requires no authentication. The emails sent out likely held data gained from the actor’s network mapping from the previous two days, as well as user and machine data.
The specific techniques used for lateral movement were not explicitly described but likely to be a combination of Windows and Linux remote-access technologies used with stolen credentials.
With any breach or assessment, lateral movement and persistence is an interesting area. There is a lot for the attacker to get right, from an OPSEC perspective, and depending on the environment it can take a lot of time and patience. From personal experience, sitting and watching packet captures and logs, waiting for something interesting and useful to appear, can be tedious.
The report detailed some of the effort the attackers went through to maintain their OPSEC and remain in stealth mode. That being said, it may only take one missed log to trip you up and expose your whole operation.
From the compromised school webserver, the actor was able to gain access to a legacy server hosting trial software. This server was scheduled for decommissioning in late 2019 and at the time of this report no longer active. Unfortunately, the server was attached to a virtual LAN with extensive access across the ANU network.
The quote above provides the first of multiple references to the word legacy. If you have been in the industry long enough, you will have commonly encountered this shamed word or “well matured” to describe these systems and services, tucked away in the deep dark corners of the network. They are often marked as out of scope in penetration tests and other assessments, for fear of the testing team breaking something that nobody in the organization knows how to fix or even knows the true purpose of anymore. The reference raises questions as to the true purpose of this asset. What type of system do you provide “extensive” access across your orgs networks? Sounds like an ideal vantage point.
The “legacy” server referenced in the quote was then reported to have been converted into an attack station to continue their journey into the network in search of untold treasures. This position also reportedly provided the attackers with access to perform remote management and clean-up tasks to help with their OPSEC obsessive-compulsive disorder.
On the flight path to the target, the attackers collected credentials to aid them in moving around the network. They attempted to collect them using the forced authentication technique described in the Credential Access section, through gathering plaintext credentials from local file systems or emails and by sniffing credentials on the network.
As the attackers neared their goal, they eventually found access to the ESD database.
The actor then accessed the administrative databases directly using a commercial tool. This tool allowed the actor to connect to several databases at once to search and extract records; and convert them to PDF format. The PDFs were then sent to the compromised school machine one for extraction from the ANU network.
This indicates how attackers are comfortable with Living off the Land―that is, using already installed or legitimate software tools to achieve their goals. In general, pre-existing or legitimate tools are less likely to raise suspicion than untrusted or unknown binaries in an environment.
The attackers were known to “conduct command and control (C2) operations through what is known as a TOR exit node” to hide the origin of their network traffic. This is one part of the broader OPSEC tradecraft exhibited by the attackers.
By using an anonymity network like Tor, it becomes much harder for network defenders to discern where an attack is originating from and also to block malicious IP addresses. This is because Tor exit nodes can be changed easily by the attacker and, also, there is a pre-existing pool of IP addresses the Tor network uses.
The report stated:
The actor used a variety of methods to extract stolen data or credentials from the ANU network. This was either via email or through other compromised Internet-facing machines.
Although the report did not detail exactly which network protocols were used to exfiltrate data from the environment, they likely used HTTPS for bulk transfer. Intriguingly, though, the attackers used email to send stolen credentials out of the network by using a legacy email server that was present in the environment:
This activity underlines the importance of trusting as little as possible inside the enterprise network and enforcing authentication even for local services.
In the section “Lessons from the attack and follow-up actions”, the ANU report gave an excellent breakdown of the issues and suggested mitigation. We recommend studying this table carefully. Additionally, the ANU stated:
Technical gaps aside, ANU ultimately views this breach and cybersecurity more broadly as an organisational issue, one which requires a change to the University’s security culture to adequately mitigate.
They go on to state that, in response to this breach, they will be establishing “a strategic information security program”. We fully agree that mitigating a threat of this type requires more than just point solutions, but rather a comprehensive approach that encompasses people and process, not just technology.
The ANU was attacked by persistent and skilled adversaries. Although their precise goals are currently unclear, they were determined to gain access to the ESD service operated by the university. The attackers were very OPSEC savvy and used a variety of techniques to hide their tracks, including deleting files and log files and using Tor for their C2 communications.
We would like to commend the ANU for their exemplary breach response, transparency, and honesty in admitting their own mistakes. We can all learn a lot from their example and are grateful for them taking the time and effort to release their report.
Want to detect sensitive data that’s been exposed by employees, contractors, or third parties? Learn how we can help you with data leakage detection here.