Threat Actors Targeting Australian Organisations
NS BRAVO is suspected to be one of the Chinese cyber intelligence units tasked with stealing data of strategical importance from nations worldwide.
- Victims: NS BRAVO targets organisations that produce and hold intellectual property of strategic value to Australia. The targeted industries are many, and are ones which include finance/investment businesses, legal, technology, education, government, and health.
- Capabilities: Victims were compromised multiple times over several years. Removing NS BRAVO from the network once does not deter them. This adversary consistently demonstrated capabilities to use more advanced offensive tradecraft to maintain access into a target environment, develop new malware or adapt old ones to evade newly deployed security controls.
- Malware: NS BRAVO used malware and C&C domain names documented in the industry as belonging to state-sponsored Chinese APT groups.
It is possible to detect NS BRAVO using a combination of real-time endpoint detection software and retro-hunting.
APT TANGO uses common penetration testing and spear-phishing tools and techniques to obtain unauthorised access into the networks of its targets. Upon successful infiltration, the group will deploy several custom Windows and Linux attack toolkits. Amongst some of the capabilities identified by Mossé Security that are attributed to this group include:
- Windows kernel rootkits
- Windows and Linux userland malware
- Memory-only extension modules
- Code injection techniques
- Command and control via HTTPS with an additional layer of AES encryption
- Defence evasion: code signing, living off the land, software packing, and encryption
The origin and motivations of this threat actor are unknown. We have confirmed that APT TANGO steals intellectual property and business documents as well as emails.
Known industries targeted by APT TANGO include: education, finance, technology and transport.
It is possible to detect this adversary using a combination of real-time endpoint detection software, memory forensics and retro-hunting.
CRIME OSCAR is a financially motivated threat actor that targets the finance departments of organisations in the construction, mining, and utility industries. Mossé Security has responded to breaches where this actor has attempted to defraud companies in ranges between $50,000 and 2M.
This actor uses phishing to steal the network credentials of employees, accesses their emails via OWA, Google Suite or Office 365, and then identifies upcoming payments that the organisation will process in the next 30-60 days.
Once one or several internal invoices have been identified, CRIME OSCAR edits the PDF files to change the bank account details where payments must be made and uses social engineering to deceive the finance department into processing the new invoices that have been tampered with.
Anti-virus software, endpoint detection and response software, and firewall devices are ineffective at defending against CRIME OSCAR.
Organisations particularly vulnerable to CRIME OSCAR all had the following in common:
- Employees in the finance department did not employ two-factor authentication to protect their corporate user accounts
- Business executives underestimated cyber risks and never thought it possible that a financially motivated cyber adversary would target their organisation
It is possible to detect accounts compromised by CRIME OSCAR by looking for signs of proxy hopping in the access and audit logs of externally-facing email systems.
CRIME CHARLIE is a financially-motivated adversary that uses phishing to steal credentials and resell the information on the Dark Market. This attacker uses automated tools and does not care about being detected.
The greatest concerns that Australian organisations should have about this threat actor are:
- CRIME CHARLIE's tools download and steal all the emails of employees that fall victim to its phishing scheme. In some cases, this causes a significant breach of privacy and legal obligation to notify affected individuals that have had their data stolen.
- The adversary will use compromised email accounts to target all the third party organisations in your global contact list to try and compromise them as well. This causes damages to reputation, embarrassments, and can subsequently lead to financial losses.
- Stolen credentials that are not rapidly reset are likely to be purchased by another threat actors on the Dark Market and used by them to obtain unauthorised access into your IT environment.
It is possible to deter CRIME CHARLIE by enabling two-factor authentication enterprise-wide.
Business executives of small and medium sized firms all over Australia are being targeted by sophisticated social engineers that attempt to defraud them with fake invoices.
Mossé Security responded to multiple breaches where FRAUDSTERS-1 had defrauded companies in the range of $25,000 to $135,000 AUD.
FRAUDSTERS-1 compromises the email servers of business advisory companies located outside of Australia and uses their domain names to send emails to Chief Financial Officers (CFOs) pretending to be the Chief Executive Officer (CEO).
The English language and grammar in their emails is flawless, and they employ numerous social engineering techniques such as calibrated questions, “no” questions, labels, and pretexting. Any successful attack results in deceiving the CFO into wiring funds to money-mules located in South East Asian countries such as Malaysia, Hong Kong and Vietnam.
Cyber security is about taking action. Contact us now.