Today, we released a Joint Cybersecurity Advisory with international partners about a People’s Republic of China (PRC) state-sponsored cyber group, APT40, and the current threat it poses to Australian networks. APT40 is conducting regular reconnaissance against networks of interest in Australia, looking for opportunities to compromise its targets. The group uses compromised infrastructure, including small-office/home-office (SOHO) devices, as operational infrastructure to launch attacks that blend in with legitimate traffic, challenging network defenders. This regular reconnaissance allows them to identify vulnerable, end-of-life or no-longer-maintained devices on networks of interest and rapidly deploy exploits. APT40 continues to find success exploiting vulnerabilities because systems remain unpatched.

We strongly recommend implementing the ASD Essential Eight mitigation strategies, as well as additional relevant mitigations from our Strategies to Mitigate Cyber Security Incidents guidance. Mitigations that can reduce the effectiveness of this activity include:

• Logging and detection – maintain comprehensive and historical logging across web servers, Windows events and internet proxies.
• Patch management – implement a centralised patch management system to automate and expedite the patch process.
• Network segmentation – segment networks to limit or block lateral movement by denying traffic between computers unless required.

To read the advisory and learn more about how to identify, prevent and remediate APT40 intrusions, visit https://lnkd.in/g8YnRnG6.
This advisory has been jointly issued by Cybersecurity and Infrastructure Security Agency, National Security Agency, Federal Bureau of Investigation (FBI), National Cyber Security Centre (UK), Communications Security Establishment Canada | Centre de la sécurité des télécommunications Canada, National Cyber Security Centre (NZ), Bundesnachrichtendienst (BND), Bundesamt für Verfassungsschutz (BfV), National Center of Incident Readiness and Strategy for Cybersecurity + National Police Agency (Japan), and National Intelligence Service + National Cyber Security Center (Korea).
Beyond time we built a firewall at the international link level and sinkhole these scans from overseas, full stop.
I know this is old, but this widespread abuse of SOHO devices won't stop until AU parliament enacts an equivalent to the UK's Product Security and Telecommunications Infrastructure Act ... giving legislative "teeth" to other departments will lighten ASD's load when having to deal with SOHO vendors who fail to reveal they sell unpatched or unpatchable firmware at retail level out of the box.
Good to make people aware of this and that they blend in with normal internet traffic and target lazy, low-hanging exploits. This is easily resolved through a proactive approach to patching and network maintenance along with deep observability tools like Gigamon that combine with existing security (SOC and SIEM/XDR) functionalities. This approach manages more complex attack vectors too.
Sound advice from the Australian Signals Directorate highlighting strategies that can reduce the effectiveness of nation state threat actors to organisations… note advice on logging and detection and maintaining “historical logging for web servers, windows events and proxy’s” … Thanks to Australian Signals Directorate National Cyber Security Centre and partners for your vigilance, helping make us all safer online and proactive guidance #informationsecurity #cybersecurity #logrhythm #exabeam
As important as implementing the ASD Essential Eight is, we also need to consider the soft underbelly. Far too little attention is given to the outer shell, but we need to give at least as much attention to ensuring that the people aspect is also under the spotlight. E8 does a great job of reducing the avenues of attack, but the human element is still a risk.
Operational infrastructure - Segmentation, patching and monitoring - let’s get it done!
@ASD - when a misconfiguration in their bot gave me unlimited root access to their entire network of bots and compromised Australian devices (and 20,000 new ones per day) - and I requested your permission to implement a patch that blocked this attack from spreading (see email subject "RE: Open botnet - what should I do ? [SEC=UNCLASSIFIED]" on 29 Feb 2020) - let me remind you what you told me: You told me to leave the attack to spread, because if I took action to prevent it, I would be breaking the law. I hope you learn from your mistake - for which all Australians are now paying the price. You need to engage common sense when dealing with crime - if a member of the public offers to help you stop or fix something, TAKE THEM UP ON IT and provide all possible assistance to make that legitimate. Don't just be "stupid" about it. And - for the record - when are you ever going to fix the BOM? There is an actual rule that both government departments, and also providers of hosting services to them, all use TLS security, and yet the BOM just totally refuses to comply with your advice and gets away with it indefinitely. Pull your finger out and get your own house (the Government) in order. Non-TLS .gov TLDs put the public at risk.