Go Back

ANU Breach Report: Mapping to Mitre ATT&CK Framework

October 11, 2019
ANU Breach Report: Mapping to Mitre ATT&CK Framework

Introduction

This week, the Australian National University (ANU) published a report on an intrusion into their networks that occurred in 2019. Whilst the attackers had access to data from the university going back 19 years, the ANU report that they cannot accurately ascertain specifically which data was taken. What they do know however is that the attackers were targeting a system which stored the Personally Identifiable Information (PII) and commercial information for the university. In addition to an exemplary breach response, the ANU provided a detailed breakdown of the intrusion, which is extremely helpful for network defenders.

We decided to map this intrusion to the Mitre ATT&CK framework, as we have done previously for:

This provides a useful lens for analyzing the attacker’s tradecraft and identifying which steps to take to prevent or detect this tradecraft.

 

Attacker goals

The attackers were extremely disciplined and, despite having wide-ranging access to the target environment, they were solely focused on targeting one system: the Enterprise Systems Domain (ESD) system. According to the report, ESD is the “Enterprise Systems Domain, which houses our human resources, financial management, student administration and enterprise e-forms systems”. Typically in these intrusions, attackers are looking for data that can be easily monetized (in the case of cybercriminal intrusions) or data that can be used for intelligence or counterintelligence purposes (in espionage-related intrusions). 

However, the ANU’s report stated: 

Despite our considerable forensic work, we have not been able to determine, accurately, which records were taken. However, our analysis has been able to establish that while the hackers had access to data up to 19-years-old, the hackers took much less than the 19 years’ worth of data we originally feared. We also knew the stolen data has not been further misused. Frustratingly this brings us no closer to the motivations of the actor. 

The fact that the data has not been misused indicates the motive behind the theft was likely for intelligence purposes, rather than for criminal purposes.

 

Mitre ATT&CK mappings

Initial Access 

  • T1193 Spearphishing Attachment
  • T1078 Valid Accounts

The initial attack reportedly started on 9 Nov 2018, with a single spearphishing email. It was stated that there were at least four waves of spearphishing attacks the attackers carried out. The report includes the recovered spearphishing emails in Appendices A, B, and C. Defenders should study these phishing emails in detail, as they are well crafted and display a detailed knowledge of the target’s environment and what emails and email styles would be considered normal for that specific environment.

Spearphishing was, however, not the only technique used for Initial Access. The attackers used the valid credentials they recovered from the previous spearphishing attacks to login remotely to a web server and install a web-shell for further post-exploitation actions.

This is where we see some of the craftsmanship of the attacker. The report provided information on some of the emails and campaigns, and also provided redacted images of some of the emails sent by the attacker.

The quote below is another favorite of ours from the report. It demonstrates some of the level of understanding and resourcefulness of the attacker, showing similar tradecraft to other well-known APT groups.

The actor continues to look for credentials and tries to maximise the effectiveness of their spearphishing efforts by connecting to the University’s spam filer and attempting to disable its ability to detect malicious emails.

The following is an extract from the report’s appendix, showing the detail and effort put into the phishing emails.

ANU breach report

 

Execution

  • T1204 User Execution
  • T1203 Exploitation for Client Execution
  • T1086 PowerShell
  • T1059 Command-Line Execution

To have their payload executed by their targets, the attackers used an “interaction-less” attack, according to the report: 

Based on available logs this email was only previewed but the malicious code contained in the email did not require the recipient to click on any link nor download and open an attachment. This “interaction-less” attack resulted in the senior staff member’s credentials being sent to several external web addresses.

The details provided in this extract initially may sound vague and unlikely. If we look back into the news in early 2018, we see the report of a vulnerability with these properties: CVE-2018-0950. This vulnerability would allow exactly this attack flow, where the preview pane within Outlook renders Rich Text Format (RTF) email messages that contain an object linking and embedding (OLE) object; this would then open a connection to a remote Server Message Block (SMB) server, allowing an attacker to acquire a password hash from the target user. This hash could then be cracked offline by the attacker. 

This attack spans multiple techniques. It requires user interaction to open the email (but not the attachment), exploits the client-side application, and also performs forced authentication (see T1187 Forced Authentication below).

 

The report also stated: 

Other software used by the actor included network session capture and mapping tools, bespoke clean-up, JavaScript and PowerShell scripts as well as a proxy tool.

This shows that the attackers are using a wide range of attack tools to maximize their effectiveness in the target environment.

 

Persistence

  • T1100 Web-shell
  • T1062 Hypervisor

The attackers installed and used a web-shell on the compromised web server, using the credentials from the first spearphish, to maintain access to the target environment. The attackers also used their access to a server to install a Windows XP and Kali Linux virtual machines, which they then used to attack other machines in the network. The attackers downloaded the images for the virtual machines via BitTorrent. This indicates a lack of outbound network filtering from the target environment.

 

Privilege Escalation

Privilege Escalation occurred during the attack but no concrete techniques were presented in the report. However, the report states: 

The senior user whose credentials were stolen was not a system administrator, so it is likely that a privilege escalation exploit was used to gain full control of the server.

 

Defense Evasion

  • T1146 Clear Command History
  • T1107 File Deletion
  • T1070 Indicator Removal on Host
  • T1064 Scripting
  • T1078 Valid Accounts
  • T1221 Template Injection
    • Used in conjunction with the forced auth technique

According to the report, 

The tactics, techniques and procedures used during the attack highlight the sophistication and determination of the actor. In addition to their efficiency and precision, the actor evaded detection systems, evolved their techniques during the campaign, used custom malware and demonstrated an exceptional degree of operational security that left few traces of their activities.

Defense Evasion was clearly a major part of the attackers’ tradecraft. 

 

Another example from the report is: 

The actor exhibited exceptional operational security during the campaign and left very little in the way of forensic evidence. Logs, disk and file wipes were a recurrent feature of the campaign.

It is worth noting how this operational security (OPSEC)  was clearly built into the attacker’s tradecraft. Their’ standard operating procedures included OPSEC-aware procedures and these were consistently followed.

 

Credential Access

  • T1187 Forced Authentication
  • T1040 Network Sniffing

The report states: 

The actor sent out four spearphishing emails, to ANU users, to try and gain credentials ie passwords, usernames, hashes. The aim of these emails was to gain the credentials of an administrator or someone with the right level of access to targeted systems. Actors also try to gain a broad set of credentials in case they expire, or compromised accounts are exposed. In the case of ANU, administrator credentials deliberately expire quickly. The other mechanism the actor used was software designed to “sniff” credentials from network traffic.

This quote indicates that the attackers were able to extract credentials from network traffic. It could be the case that credentials were sent in plaintext via FTP or HTTP or similar. Or the attackers could have used a tool like Responder to sniff Windows credentials as they travelled over the network.

 

Discovery

  • T1083 File and Directory Discovery
  • T1046 Network Service Scanning
  • T1135 Network Share Discovery
  • T1040 Network Sniffing
  • T1018 Remote System Discovery
  • T1016 System Network Configuration Discovery
  • T1049 System Network Connections Discovery
  • T1033 System Owner/User Discovery
  • T1007 System Service Discovery

Following a description of the initial attack vector, the report cited a timeline of 12−14 Nov 2018 for the next stage. This would have provided the attacker enough time to perform a brute-force cracking attack on any password hashes acquired during the first phase, and perform reconnaissance of the university’s Internet-facing infrastructure, looking for a platform for persistence and exfiltration.

Although the report does not detail exactly which Discovery techniques were used, given that the attackers compromised a wide variety of machines across a number of networks, they likely used a broad set of techniques to discover other systems. This assessment is supported by the report: 

The actor also starts to map out machines in ESD and locates servers housing the databases underpinning ANU HR, finance, student administration and e-forms systems. Upon finding these databases the actor tries repeatedly, and unsuccessfully, to access these systems.

The actor also gained access (through remote desktop) to a machine in a school which had a publicly routable IP address. Age and permissiveness of the machine and its operating system are the likely reasons the actor compromised this machine.

The “age and permissiveness” is not something you should be able to use to describe systems within your network; however, you’ve got to give ANU credit for their honesty and openness throughout the entirety of the report.

Using these positions to operate various tools for network traffic interception, monitoring, and clean-up efforts, the attackers were able to maintain access and discover multiple resources and systems that some may consider to be high-value targets within the network.

During this Discovery period another “legacy” system was discovered, this time an operational mail server. The attackers reportedly used the server to send several messages to external recipients, with contents suspected of containing information related to their reconnaissance efforts, and other data of value.

The actor connected to a legacy mail server and sent three emails to external email addresses. Unlike the University’s primary mail server, this legacy mail server requires no authentication. The emails sent out likely held data gained from the actor’s network mapping from the previous two days, as well as user and machine data.

 

Lateral Movement

The specific techniques used for lateral movement were not explicitly described but likely to be a combination of Windows and Linux remote-access technologies used with stolen credentials.

With any breach or assessment, lateral movement and persistence is an interesting area. There is a lot for the attacker to get right, from an OPSEC perspective, and depending on the environment it can take a lot of time and patience. From personal experience, sitting and watching packet captures and logs, waiting for something interesting and useful to appear, can be tedious.  

The report detailed some of the effort the attackers went through to maintain their OPSEC and remain in stealth mode. That being said, it may only take one missed log to trip you up and expose your whole operation.

From the compromised school webserver, the actor was able to gain access to a legacy server hosting trial software. This server was scheduled for decommissioning in late 2019 and at the time of this report no longer active. Unfortunately, the server was attached to a virtual LAN with extensive access across the ANU network.

The quote above provides the first of multiple references to the word legacy. If you have been in the industry long enough, you will have commonly encountered this shamed word or “well matured” to describe these systems and services, tucked away in the deep dark corners of the network. They are often marked as out of scope in penetration tests and other assessments, for fear of the testing team breaking something that nobody in the organization knows how to fix or even knows the true purpose of anymore. The reference raises questions as to the true purpose of this asset. What type of system do you provide “extensive” access across your orgs networks? Sounds like an ideal vantage point. 

The “legacy” server referenced in the quote was then reported to have been converted into an attack station to continue their journey into the network in search of untold treasures. This position also reportedly provided the attackers with access to perform remote management and clean-up tasks to help with their OPSEC obsessive-compulsive disorder. 

 

Collection

  • T1213 Data from Information Repositories
  • T1005 Data from Local System
  • T1074 Data Staged
  • T1114 Email Collection
  • T1039 Data from Network Shared Drive

On the flight path to the target, the attackers collected credentials to aid them in moving around the network. They attempted to collect them using the forced authentication technique described in the Credential Access section, through gathering plaintext credentials from local file systems or emails and by sniffing credentials on the network.

As the attackers neared their goal, they eventually found access to the ESD database.

The actor then accessed the administrative databases directly using a commercial tool. This tool allowed the actor to connect to several databases at once to search and extract records; and convert them to PDF format. The PDFs were then sent to the compromised school machine one for extraction from the ANU network.

This indicates how attackers are comfortable with Living off the Land―that is, using already installed or legitimate software tools to achieve their goals. In general, pre-existing or legitimate tools are less likely to raise suspicion than untrusted or unknown binaries in an environment.

 

C2

  • T1188 Multi-hop Proxy

The attackers were known to “conduct command and control (C2) operations through what is known as a TOR exit node” to hide the origin of their network traffic. This is one part of the broader OPSEC tradecraft exhibited by the attackers. 

By using an anonymity network like Tor, it becomes much harder for network defenders to discern where an attack is originating from and also to block malicious IP addresses. This is because Tor exit nodes can be changed easily by the attacker and, also, there is a pre-existing pool of IP addresses the Tor network uses.

 

Exfiltration

  • T1002 Data Compressed
  • T1022 Data Encrypted
  • T1048 Exfiltration Over Alternative Protocol
    • Email

The report stated: 

The actor used a variety of methods to extract stolen data or credentials from the ANU network. This was either via email or through other compromised Internet-facing machines.

Although the report did not detail exactly which network protocols were used to exfiltrate data from the environment, they likely used HTTPS for bulk transfer. Intriguingly, though, the attackers used email to send stolen credentials out of the network by using a legacy email server that was present in the environment: 

The actor connected to a legacy mail server and sent three emails to external email addresses. Unlike the University’s primary mail server, this legacy mail server requires no authentication. The emails sent out likely held data gained from the actor’s network mapping from the previous two days, as well as user and machine data

This activity underlines the importance of trusting as little as possible inside the enterprise network and enforcing authentication even for local services. 

 

Mitigation

In the section “Lessons from the attack and follow-up actions”, the ANU report gave an excellent breakdown of the issues and suggested mitigation. We recommend studying this table carefully. Additionally, the ANU stated: 

Technical gaps aside, ANU ultimately views this breach and cybersecurity more broadly as an organisational issue, one which requires a change to the University’s security culture to adequately mitigate.

They go on to state that, in response to this breach, they will be establishing “a strategic information security program”. We fully agree that mitigating a threat of this type requires more than just point solutions, but rather a comprehensive approach that encompasses people and process, not just technology.

 

Conclusions

The ANU was attacked by persistent and skilled adversaries. Although their precise goals are currently unclear, they were determined to gain access to the ESD service operated by the university. The attackers were very OPSEC savvy and used a variety of techniques to hide their tracks, including deleting files and log files and using Tor for their C2 communications. 

We would like to commend the ANU for their exemplary breach response, transparency, and honesty in admitting their own mistakes. We can all learn a lot from their example and are grateful for them taking the time and effort to release their report.

 

Want to detect sensitive data that’s been exposed by employees, contractors, or third parties? Learn how we can help you with data leakage detection here