Threat Signal Report

Advisory 2020-008: Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks.

Description

The Australian Cyber Security Centre (ACSC) issued advisory 2020-008: Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks. According to the advisory, this attack leverages multiple known vulnerabilities in Citrix Application Delivery Controller (CVE-2019-19781), Microsoft IIS (ACSC 2020-006), Microsoft SharePoint (CVE-2019-0604), and Progress Telerik UI (CVE-2019-18935). All IOCs were shared with FortiGuard Labs in advance of this advisory through trusted partnerships, and Fortinet customers running the latest definitions were protected at the time of disclosure.


In a nutshell what is the attack specifically?

The ACSC advisory highlights state-level threat actors using various tactics to compromise networks, specific businesses, governmental entities, and organizations in Australia. According to the advisory, the unnamed threat actor's modus operandi is to attempt to exploit known vulnerabilities in Citrix ADC (CVE-2019-19781), Progress Telerik UI (CVE-2019-18935), Microsoft IIS, and Microsoft SharePoint (CVE-2019-0604). If unsuccessful, the attackers have been observed initiating spearphishing attacks as an alternative attack vector. The spearphishing vectors observed were links to credential harvesting websites; links to malware or attached malware; links granting Office 365 OAuth tokens to the attacker; and other vectors that identify whether the email was opened. Malware tactics observed by the ACSC were the use of HTTPCore malware, malicious Word documents, PowerShell Empire, HTTPotato, webshells, and a PowerShell reverse shell. Other observations were the use of open source tools and publicly available proof-of-concept code.


What were the specifics of the vulnerabilities mentioned in this advisory?

Citrix Application Delivery Controller ADC (CVE-2019-19781)

A vulnerability exists in the Citrix Application Delivery Controller (ADC) (also known as NetScaler ADC) and the Citrix Gateway (formerly known as NetScaler Gateway). If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.

Microsoft IIS (no CVE assigned; refer to ACSC-2020-006 in the APPENDIX)

A deserialization vulnerability exists in all versions of Microsoft Internet Information Services (IIS) running applications on the .NET Framework (.NET). Exploitation abuses the service's VIEWSTATE parameter to achieve remote code execution by unauthorized users.

Microsoft SharePoint (CVE-2019-0604)

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires a user to upload a specially crafted SharePoint application package to an affected version of SharePoint.

Progress Telerik UI (CVE-2019-18935)

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. It is exploitable when the encryption keys are known, whether through CVE-2017-11317 or CVE-2017-11357 or by other means. Exploitation of this vulnerability can result in remote code execution.
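Two defender-side checks for the Telerik weakness described above, added here as example code and not taken from the advisory or from Fortinet: a version comparison against the last affected build the advisory names (2019.3.1023), and a scan of constructed IIS W3C log lines for POST requests to the RadAsyncUpload handler. The handler path (Telerik.Web.UI.WebResource.axd with type=rau) is my assumption from the product, not something the advisory states.

```python
from collections import Counter
from urllib.parse import parse_qs

# Last affected Telerik UI for ASP.NET AJAX build named in the advisory (YYYY.R.BUILD).
LAST_AFFECTED = (2019, 3, 1023)


def telerik_version_affected(version: str) -> bool:
    """Return True if a Telerik build string such as '2019.3.1023' is at or below the last affected build."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected Telerik version format: {version!r}")
    return parts <= LAST_AFFECTED


# Constructed IIS W3C log excerpt (not real traffic); fields are declared in the #Fields line.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-06-19 01:02:03 203.0.113.5 GET /Default.aspx - 200
2020-06-19 01:02:09 203.0.113.5 POST /Telerik.Web.UI.WebResource.axd type=rau 200
2020-06-19 01:02:10 203.0.113.5 POST /Telerik.Web.UI.WebResource.axd TYPE=rau 200
2020-06-19 01:03:00 198.51.100.7 GET /Telerik.Web.UI.WebResource.axd type=skins 200
"""

# Assumed handler path for RadAsyncUpload requests (compared case-insensitively, as IIS does).
RAU_HANDLER = "/telerik.web.ui.webresource.axd"


def find_rau_posts(log_text: str) -> Counter:
    """Count POST requests per client IP that reach the RadAsyncUpload handler (type=rau)."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directives
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated record
        _date, _time, c_ip, method, stem, query, _status = fields[:7]
        if method.upper() != "POST" or stem.lower() != RAU_HANDLER:
            continue
        params = parse_qs("" if query == "-" else query.lower())
        if "rau" in params.get("type", []):
            hits[c_ip] += 1
    return hits


if __name__ == "__main__":
    print("2019.3.1023 affected:", telerik_version_affected("2019.3.1023"))
    print("RadAsyncUpload POSTs per client:", dict(find_rau_posts(SAMPLE_LOG)))
```

Multiple POSTs to the upload handler from one client are worth correlating with the installed Telerik build; a patched build still sees this handler used legitimately, so the version check decides the urgency.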


Are there reports of active exploitation in the wild and how serious is this?

This campaign appears to be limited to Australia at this time. According to the ACSC, it was a reconnaissance campaign by the threat actors, as stated in the advisory: "During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments."


Is there a patch available at this time for vulnerabilities mentioned?

For the affected CVEs mentioned in this advisory, vendors of the affected software have all already released patches. It is advised that organizations running affected software patch it as soon as possible.


Any other suggested mitigations?

All vendors of affected software mentioned in this advisory have provided patches for known vulnerabilities. If it is deemed that patching is not feasible at this time, it is recommended that a risk assessment be conducted to determine additional mitigation safeguards within an environment. Organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine when vendor updates are available. For additional guidance, please refer to the APPENDIX section which contains links to specific vendor suggestions and mitigation.


What is the status of AV/IPS/WebFiltering coverage?

Fortinet customers running the latest AV definitions at the time of discovery were protected by the following signatures:

JS/TWOface.DA35!tr

W32/Kryptik.VLO!tr

Riskware/JuicyPotato

JS/Csharpaws.23D1!tr

VBA/Agent.2725!tr


Fortinet customers running the latest IPS definitions at the time of discovery were protected by the following signature:

China.Chopper.Web.Shell.Client.Connection


All network IOCs are actively blocked by the WebFiltering client.


Definitions

Traffic Light Protocol

Each color below is described by when it should be used and how the information may be shared.

TLP: RED

Not for disclosure, restricted to participants only.
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants' organizations.
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
When should it be used? Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.