Australia's cyber watchdog has issued a stark warning about a malicious campaign leveraging cryptocurrency mining exploits against local networks. The Australian Cyber Security Centre released its findings last week, detailing the tactics, techniques, and methods employed during an investigation into coordinated cyber-assaults targeting Australian organizations and government agencies. The government has confirmed its awareness of the sustained campaign and is actively working to formulate an appropriate response.
The investigation's comprehensive 48-page report laid out the specific vulnerabilities being targeted by operatives described as "state-level actors." The document specifically cautioned the Australian populace regarding crypto-jacking malware threats.
According to the report: "The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor."
The investigation identified four primary security vulnerabilities fueling the attacks. First, unpatched versions of Telerik UI containing a remote code execution flaw were being targeted, including the CVE-2019-18935 vulnerability. Microsoft Internet Information Services (IIS) presented a second avenue of attack. A third vulnerability emerged from a 2019 SharePoint weakness, while a 2019 Citrix flaw constituted the fourth major gap. In addition, spear-phishing campaigns have been documented as part of attackers' methodology.
The report provided insight into post-compromise operations: "Once initial access is achieved, the actor utilised a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials."
The Telerik vulnerability, particularly CVE-2019-18935, had been previously weaponized by the Blue Mockingbird hacking group to disseminate XMRig, a program designed to commandeer computer resources for Monero mining operations. While the government's findings describe comparable methodology, this does not constitute proof that Blue Mockingbird participated in these particular coordinated operations.
PlugX represents one of the malware specimens highlighted in the Centre's investigation and features prominently in the arsenals of more than ten Chinese hacking collectives with suspected state backing. Escalating diplomatic friction between Australia and China—triggered by disputes surrounding the origins of the coronavirus pandemic—has led some Australian officials to posit that China may be responsible for these targeted operations.
Australian Prime Minister Scott Morrison addressed the situation: "We have some of the best agencies in the world … working on this and that means that they are putting all of their efforts into thwarting these attempts."