The Australian Cyber Security Centre today revealed details of its investigation into the compromise of at least eight local web hosting providers.
The ACSC has published a report detailing its May 2018 investigation, which it dubbed ‘Operation Manic Menagerie’. The hosting providers were compromised by a previously variant of the ‘Gh0st’ remote access tool (RAT), the report revealed.
There was evidence that the hacker employed two of the hosts to mine the Monero cryptocurrency. He or she also exploited hosted websites to boost SEO rankings or redirect web traffic to. In one case, if a browser’s user agent indicates that an individual understood a Chinese language, then they would be redirected to a different, ad-heavy site.
“The access was exclusively used to conduct criminal activity on the network and customer websites, using the reputation of these legitimate sites to add validity to their activities,” said the head of the ACSC, Alastair MacGibbon.
“Australia is the first country to identify and engage with victims about this activity. While the methods used are not new or sophisticated the use of them in the manner described in this report, and the victims they target, make this a significant achievement."
“The actor favoured techniques such as web shells to gain initial access, exploiting vulnerable web applications to upload the web shells,” the ACSC investigation report states.
“The actor rarely required privilege escalation but demonstrated the capability and persistence to escalate privilege when necessary.”
Privilege escalation relied on public proof of concepts, and the ACSC said the hacker “demonstrated an ability to quickly use new POC exploits.”
“Persistence techniques varied across incidents, showing a capability to modify tools to suit the compromised environment,” the report added.
“This cyber-criminal activity was detected by the ACSC working with a diverse range of information sources, including industry, government departments, law enforcement and information security bodies (both domestic and international),” MacGibbon said.
“While we will not be identifying the web hosting providers, it is important to note that all affected web hosting providers were advised to take remediation actions and we commend them for working collaboratively with us to achieve such success.”
The ACSC report, which is available online (PDF), includes a range of recommendations for hosting providers and their customers, including rolling out application and OS patches, and not running web services with administrative privileges.
The centre recommends businesses employ the ‘Essential Eight’ list of mitigation strategies published by the Australian Signals Directorate.