Friday, 19 June 2020 10:20

Attackers used unpatched flaws in Telerik UI, Microsoft software and Citrix: ACSC

The state-based actor behind an attack on Australian public and private sector organisations used unpatched vulnerabilities in Telerik UI, Microsoft's Internet Information Services, SharePoint and Citrix to try and gain access, the Australian Cyber Security Centre says.

But the ACSC said it had not identified any intent by the actor "to carry out any disruptive or destructive activities within victim environments".

In a detailed statement last updated on Thursday well before Prime Minister Scott Morrison and Defence Minister Linda Reynolds addressed the media in Canberra, the ACSC said among the initial access vectors, the most common one used was a bid to exploit public-facing infrastructure.

This was "primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI".

"Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability," the agency said.

The attackers had shown agility in leveraging proof-of-concept exploit code that was already public in the search for vulnerable points of entry.

Also displayed was an ability to identify development, test and orphaned services that were not maintained by the organisations that were hacked.

"When the exploitation of public-facing infrastructure did not succeed, the ACSC has identified the actor utilising various spearphishing techniques," the agency said.

"This spearphishing has taken the form of:

  • links to credential harvesting websites;
  • emails with links to malicious files, or with the malicious file directly attached;
  • links prompting users to grant Office 365 OAuth tokens to the actor; and
  • use of email tracking services to identify the email opening and lure click-through events."

According to Wikipedia, "Telerik AD is a Bulgarian company offering software tools for web, mobile, desktop application development, tools and subscription services for cross-platform application development. Founded in 2002 as a company focused on .NET development tools, Telerik now also sells a platform for web, hybrid and native app development".

The ACSC said once initial access was achieved, the actor used both open source and custom tools to persist on, and interact with, the victim network.

"Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials. To successfully respond to a related compromise, all accesses must be identified and removed," the centre said.

"In interacting with victim networks, the actor was identified making use of compromised legitimate Australian web sites as command and control servers. Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic. This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations."
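The advisory's point that HTTP/HTTPS command and control through compromised, legitimate Australian websites defeats geo-blocking suggests looking at request timing rather than destination country. The following is an added example, not code from the ACSC or iTWire, that runs a simple beacon check over constructed web-proxy log lines (the hosts, addresses and timestamps are invented for illustration):

```python
# Added example, not from the ACSC advisory or iTWire: the advisory notes C2 ran
# over HTTP/HTTPS to compromised, legitimate Australian sites, so geo-blocking
# of foreign destinations saw nothing. This flags client/destination pairs whose
# request timing is too regular, regardless of where the destination is hosted.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log sample: "timestamp client dest-host country method uri"
SAMPLE_LOG = """\
2020-06-15T09:00:00 10.0.4.17 example-news.com.au AU POST /media/upload.aspx
2020-06-15T09:05:01 10.0.4.17 example-news.com.au AU POST /media/upload.aspx
2020-06-15T09:09:59 10.0.4.17 example-news.com.au AU POST /media/upload.aspx
2020-06-15T09:15:00 10.0.4.17 example-news.com.au AU POST /media/upload.aspx
2020-06-15T09:20:00 10.0.4.17 example-news.com.au AU POST /media/upload.aspx
2020-06-15T09:00:10 10.0.4.22 example-news.com.au AU GET /
2020-06-15T09:13:41 10.0.4.22 example-news.com.au AU GET /sport/
2020-06-15T11:02:05 10.0.4.22 example-news.com.au AU GET /weather/
2020-06-15T09:01:00 10.0.4.31 cdn.example.net US GET /lib.js
"""

def parse(log):
    """Yield (timestamp, client, host, country, method, uri) per non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, src, host, country, method, uri = line.split()
            yield datetime.fromisoformat(ts), src, host, country, method, uri

def geo_allowlist_passes(country, allowed=("AU",)):
    """The destination-country control the advisory says was rendered ineffective."""
    return country in allowed

def find_beacons(log, min_hits=4, max_jitter=0.1):
    """Return (client, host, mean_gap_seconds) for pairs with near-constant spacing."""
    by_pair = defaultdict(list)
    for ts, src, host, *_ in parse(log):
        by_pair[(src, host)].append(ts)
    hits = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a scheduled implant has little jitter, browsing does not.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, host, round(avg)))
    return hits
```

Both the beaconing client and the ordinary reader hit the same Australian host, so a country-based allowlist passes both; only the timing separates them.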






Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
