According to the Australian government, the country’s networks came under attack recently. The security advisory states one of the vulnerabilities exploited by hackers is linked to cryptojacking malware attacks. As per the government agency, a group of “state actors” targeted Australian networks on June 19. While hackers managed to exploit four critical vulnerabilities in Telerik UI, one vulnerability CVE-2019-18935 is a particularly interesting exploit that poses even greater risks.
Corporate networks targetted with crypto-jacking malware
The nature of this attack clearly reveals hackers’ intention to install crypto-mining software within corporate networks. However, there is no way to know at the moment if hackers could successfully infect computers on corporate networks by somehow planting cryptojacking malware.
Aiming to install a Monero (XMR) mining software XMRig on a series of computers, recently, some threat actors had also exploited the vulnerability in Telerik UI to their advantage. Last month, a similar incident came to a light where a crypto-jacking malware infected more than a thousand enterprise computer systems by installing a Monero mining application since at least December 2019. Behind this attack was the Blue Mockingbird malware gang.
In its security advisory, the Australian Cyber Security Centre (ACSC) had this to say:
“All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available. Organisations should ensure that security patches or mitigations are applied to internet facing infrastructure within 48 hours. Additionally organisations, where possible, should use the latest versions of software and operating systems.”
The widespread exploitation of CVE-2019-18935 was used to achieve arbitrary code execution on vulnerable systems, according to the Australian government. Hackers used copies of public proof of concept exploit code as a payload. These copies were used for a sleep test and reverse shell binary Other exploit payloads included one that attempted to execute a PowerShell reverse shell, in addition to one that attempted to execute certutil.exe to download another payload.
“A payload that executed binary malware (identified in this advisory as HTTPCore) previously uploaded by the actor but which had no persistence mechanism; A payload that enumerated the absolute path of the web root and wrote that path to a file within the web root.”
Possibly, Chinese hackers could be behind this attack as the government has discovered the involvement of the PlugX malware, which has been around for more than a decade. PlugX is a common espionage tool preferred by most Chinese groups, the ones that allegedly have connections with the Chinese government.
Some Australian officials have reportedly pointed fingers at China, blaming them for the massive cyberattack. However, China has denied its involvement.