Squiz's response to the Australian Prime Minister's warning of cyber attacks
On Friday 19th June 2020, Australia’s Prime Minister held a press conference where he warned Australians of a massive cyber attack by a “sophisticated, state-based cyber actor... targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure.”
In summary, the attacks cannot be used to compromise Squiz-hosted systems because they are targeted at an entirely different software stack. Nevertheless, Squiz has actively blocked all known IPs being used by the attacker and continues to monitor for any anomalous activity from these or any other IP addresses.
Squiz reaffirms the Australian Cyber Security Centre (ACSC) warnings concerning spear phishing, and strongly advises clients to ensure that all staff are trained in safe email practices and malicious email identification.
Further, Squiz has examined the advisory produced by the ACSC, and would like to make the following points regarding the attack and Squiz’s security posture:
1. Observed attacks are against a Windows-specific library (Telerik UI, exploiting CVE-2019-18935), a VIEWSTATE deserialisation vulnerability in Microsoft IIS, Microsoft SharePoint (exploiting CVE-2019-0604), and Citrix devices (exploiting CVE-2019-19781).
None of these technologies are used within Squiz, either for the delivery of services to customers or for internal purposes.
2. The tactics, techniques, and procedures (TTPs) used by the attacker to exploit and gain persistence on servers are focused on a Microsoft Windows ecosystem. None of the identified Execution techniques can work on systems used by Squiz to deliver services to customers.
3. All of the web shells identified are based on systems running ASP on Microsoft Windows Internet Information Services (IIS). Systems used by Squiz to deliver services to customers do not support the execution of ASP, nor do they use IIS. These web shells would not function on Squiz systems.
4. Squiz has proactively blocked access from identified attacker IPs at our border firewalls. While there is no indication that the attacker has the tactics, techniques or procedures to compromise a Squiz-hosted system, Squiz has configured our border firewalls to block all traffic originating from any of the IPs identified by the ACSC in its published indicators of compromise.
Squiz is proud of its strong record of maintaining secure systems for our clients and continues to make every effort to ensure that security going forward.
For more information, please contact your Account Manager or log a ticket in MySquiz.