Summary of Tradecraft Trends for 2019-20: Tactics, Techniques and Procedures Used to Target Australian Networks

 Overview

The Australian Cyber Security Centre (ACSC) investigated and responded to numerous cyber security incidents during 2019 and 2020 so far. This advisory provides a summary of notable tactics, techniques and procedures (TTPs) exploited by Advanced Persistent Threats (APT) and cybercriminals identified during the ACSC’s investigations. These TTPs are summarised practically in the framework of tactics and techniques provided by MITRE ATT&CK1. This technical guidance is provided for IT security professionals at public and private sector organisations.

Recommended mitigations

Partners are strongly encouraged to review their environments for the presence of the exploited vulnerabilities and provided TTPs. Detection of related findings should be reported to the ACSC.

The ACSC strongly recommends implementing ASD’s Essential Eight2. A review of investigations performed by the ACSC has shown that implementation of ASD’s Essential Eight on victim networks would substantially reduce the risk of compromise by the adversary TTPs identified in this advisory.

Detection

This advisory provides information on methods to detect many of the TTPs listed. Additional detailed information on detection for each TTP is available at the associated MITRE ATT&CK link provided. Network owners who discover evidence of the TTPs from this advisory on their systems should contact the ACSC via email at [email protected] to report their findings and for further advice.

Initial access

The following section covers TTPs related to gaining initial access to vulnerable systems identified during ACSC investigations.

T1190 – Exploit Public-Facing Application

Abuse of file upload functionality

The ACSC has identified legitimate file upload functions on web applications being used to upload malicious files such as web shells to web servers that do not enforce stringent file upload restrictions. Malicious files uploaded to web applications, such as web shells, can allow an actor remote unauthorised access to the web server. This provides the actor with an entry point to conduct further malicious activity.

Network owners should analyse web server file upload locations for web shells3 and other malicious files. They should also investigate web logs for signs of malicious activity.

Download the file to find out more.