19th of June 2020: A brief analysis on the “cyber attack” and its artefacts

Earlier this morning The Prime Minister of Australia announced that Australia is currently being targeted with a massive cyber attack by a sophisticated foreign “state-based” hacker.

The ACSC released the indicators of compromise that can be employed by a security operations centre (SOC) or internal IT team to defend against as well as query historical data and evaluate if they’ve been affected. The data is also useful for understanding the tactics, techniques and procedures employed by the threat actor. I wanted to spend a free half hour over lunch diving into what we can deduct.

The domains used

two domains were employed as part of this attack:

1. mailguardonline.net
2. cybersecuritiesinc.net

Both of these appear to be associated with phishing URLs looking to retrieve credentials from target users, no doubt sent from one of the 12 email addresses provided. cybersecuritiesinc.net was created on the 25th of March of this year, and mailguardonline.net on the 26th of April. This is a little unusual in that the domains were put to immediate use and not left dormant to build up operational security. It was also interesting to note that cybersecuritiesinc.net actually formed multiple additional host names beyond what was provided including:

1. login.my.cybersecuritiesinc.net
2. www.my.cybersecuritiesinc.net
3. outlook.test.cybersecuritiesinc.net
4. outlook.my.cybersecuritiesinc.net
5. login.contact.cybersecuritiesinc.net

The IP addresses

The indicators of compromise also detailed 34 IP addresses which are a mix of VPNs, digital ocean hosting and compromised hosts… will dive into these a little more over the weekend.

Files

16 files were also provided however its interesting to note that at least two of these were well known files that would have been readily detected. Additionally a file from dropbox, referencing a thesis, is still accessible but also that the word thesis was mentioned… is academia part of the target list? I would also recommend adding file to the IOC list (MD5: bd105eb1715bfcc288b0439f0e889ac7, SHA256: 2b71dd245520d9eb5f1e4c633fee61c7d83687591d9f64f9390c26dc95057c3c)

Prior detection, submission and events overseas

Its been curious to query databases available on the associated information only to note that not only are several files readily identifiable but that the data on these attacks was being submitted and queried at least a month ago. Of note, it appears the phishing URLs were scanned from the United States, Israel and India several weeks ago with no data stemming from them. This gives us two indications:

1. The phishing emails would have been a hit and run, with the sites “taken down” subsequent to the event as the sites were not added to any of the reporting pages.
2. It is likely Australia was not the only target of this attack given other countries were querying these URLs over a month ago.

Summary for now

Right now this does not necessarily appear to be overly complex from a technical standpoint and would be achievable to execute.

I’ll probably spend a small portion of the weekend diving into things a little further, but the reality is this doesn’t appear to be anything new and fancy (or at least not yet).