Investigation into Breached Australian Organizations

Executive Summary

• In mid-March, two Australian financial and professional services firms reported data breaches.
• The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team investigated these incidents using SecurityScorecard’s products, Attack Surface Intelligence data, exclusive access to network flow (NetFlow) data, and publicly-available information.
• The available data suggests possible suspicious activity on both organizations’ networks.
• While this data does not offer conclusive information into the origins of the reported breaches, it suggests that attackers may have initially used phishing to compromise employee credentials. Some traffic may further suggest the reuse of these credentials.

Background

In mid-March, two Australian financial and professional services firms reported data breaches. These were followed by a series of cyber incidents affecting large Australian firms throughout 2022 and early 2023. As a result, some reporting on the incidents presented them as indications of systematic shortcomings in the country’s cyber defenses.

The affected financial services organization reported that threat actors were able to steal data by first compromising an employee’s credentials and then using them to access two service providers’ resources containing the customer data the attackers stole. This firm subsequently amended its initial estimate of the breach’s scope to disclose that it exposed fourteen million individuals’ private information. It further noted that the threat actor group claiming responsibility for the incident had attempted to hold the stolen data for ransom, but did not name the group in question.

Meanwhile, the other affected firm reported that its breach originated with a subsidiary, from which an unauthorized party accessed the firm’s document management system.

Methodology

Using access to network flow (NetFlow) data furnished by a strategic partner, SecurityScorecard’s STRIKE Team researchers sampled the traffic that occurred over roughly one month leading up to the breach disclosures and involved a group of IP addresses that SecurityScorecard’s ratings platform attributes to the affected organizations. Researchers selected those IP addresses where SecurityScorecard has observed issues, as these findings indicate that the assets they affect could be particularly vulnerable to malicious activity.

To identify which IP addresses within the traffic sample may merit further investigation, researchers first uploaded the IP addresses appearing in them to SecurityScorecard’s internal threat intelligence platform (TIP). This platform contains data from traffic samples collected during previous investigations into reported breaches, suspected ransomware attacks, disruptive events, and other cyber incidents. IP addresses appearing in multiple events’ traffic samples may be related to threat activity.

The STRIKE Team next filtered the traffic sample’s contents by byte count, isolating its largest data transfers. Large data transfers can represent exfiltration, so threat actors could have used the IP addresses receiving these transfers while stealing data from the affected organizations. Researchers then narrowed these results further by searching for the IP addresses in the public cybersecurity information-sharing platform VirusTotal, focusing on those addresses other cybersecurity vendors have already linked to malicious activity.

Having compiled a list of IP addresses worthy of closer attention, researchers returned to the original traffic samples to collect additional information about these IP addresses’ behavior in relation to the target organization and within the specific monitoring period. Then, they searched these IP addresses in SecurityScorecard’s Attack Surface Intelligence product and VirusTotal for additional context.

Finally, researchers looked for files containing the domains of the affected companies, including that of the subsidiary from which one of the breaches originated. Such files can offer insights into threat actors’ attempts to target the organizations whose domains they contain.

Findings: Communication with IP Addresses Appearing in SecurityScorecard’s Internal TIP

292 IP addresses from the affected organizations’ traffic samples have previously appeared in SecurityScorecard’s internal TIP. Of these, the vendors that contribute detections to VirusTotal have already deemed 127 malicious. In most cases, the behavior reflected within the traffic samples resembles low-level probing or scanning rather than activity related to the reported breaches; the strategic partner furnishing the NetFlow data has identified many of them as scanners and many others only briefly communicated with the target IP addresses and transferred small amounts of data to them. All 127 vendor-detected IP addresses are available in an appendix below.

The activity involving the IP addresses discussed at greater length below may offer additional insights into the incidents and could, in particular, reflect attempts to access target systems remotely.

45.232.73[.]84 and an IP address attributed to one of the affected organizations communicated via port 22 sixty times on March 3. Attack Surface Intelligence has revealed port 22 to be open and running a vulnerable version of OpenSSH at the organization-attributed IP address. Additionally, members of the VirusTotal community have observed 45.232.73[.]84 conducting brute force attacks against SSH services.

Image 1: Attack Surface Intelligence reflects the use of a version of OpenSSH that may be affected by numerous vulnerabilities at port 22 of an IP address attributed to a target organization. 

Recurring communication over port 22 between these IP addresses could reflect attempts to access the target organization’s assets via SSH; in this context, it bears noting that forty-six other IP addresses (available in an appendix below) communicated with port 22 of the same IP address in the same period. Vendors have linked all of these IP addresses to malicious behavior. In total, these IP addresses were involved in 363 flows between February 12 and March 16; this would represent a smaller amount of communication than normally expected for brute force attacks, but if a login attempt were successful relatively early, it could account for a smaller overall number of flows from IP addresses linked to SSH brute force attempts.

An IP address attributed to one target organization and 173.199.15[.]254 communicated twenty-two times between February 13 and March 13. Remote access software company LogMeIn, Inc. is the organization that operates 173.199.15[.]254. While the software has many legitimate uses, threat actors often induce their targets to install legitimate remote access software (TeamViewer is especially common) on their devices to grant the attacker control, which can facilitate the deployment of ransomware. Traffic from a victim network to a LogMeIn-operated IP address may therefore reflect the attacker’s use of LogMeIn to control a victim device. 173.199.15[.]254 additionally appears in traffic samples collected from organizations affected by previous incidents. It is, therefore, possible that threat actors used this service for remote access to the affected organization.

Findings: Large Data Transfers

The traffic samples contain 118 IP addresses involved in large data transfers. Vendors have linked thirty-four of these to malicious activity. The majority of these IP addresses belong to hosting provider Digital Ocean. The traffic involving them could represent expected behavior (like transfers to and from backups). Still, given that threat actors have also abused these services in the past, these transfers may merit attention from personnel with internal visibility into the affected organizations’ networks. All IP addresses involved in these transfers are also available in an appendix below, but those linked to previous malicious activity may merit particular attention.

165.227.76[.]114 and 167.172.240[.]54, both of which communicated with one of the affected organizations, appear in VirusTotal collections titled “RemoteIPs,” which may suggest that other cybersecurity researchers have previously observed threat actors using them for remote access to target organizations.

A target organization IP address transferred approximately 3.19 MB to 138.197.169[.]210 on February 13. Many malicious files, some observed as recently as April 18, communicate with 138.197.169[.]210. Vendors detect the recently-observed file as ransomware, so communication between the target organization and 138.197.169[.]210 could reflect the operation of malware linked to the reported breach. The organization in question has disclosed that the actors responsible for the breach had attempted to hold company data for ransom, which likely indicates that the incident involved data theft and extortion and may suggest that the incident involved ransomware like that linked to the communicating file.

A different target organization IP address transferred approximately 12.29 MB to 46.101.13[.]77 on February 20. Approximately 2,600 files submitted to VirusTotal, many of them malicious, communicate with 46.101.13[.]77. A transfer to this IP address from one attributed to a recently-breached organization may reflect malware activity similar to that of the communicating files observed in VirusTotal.

Findings: Potentially Malicious Files Containing Target Domains

A file uploaded to VirusTotal on March 3 contains an email address from the subsidiary where one of the breaches originated and may reflect phishing targeting that company. One vendor detects this file as “HTML.Redirector.86”, and it contains the following URL: hxxps://cloudflare-ipfs.com/ipfs/QmQZ7b23pLVaaS8pYiWeZSD6QbAV4yePkhprG2buG9rrLN#[employee.name]@[subsidiaryname].com.

That URL, in turn, serves downloads of a file twenty-eight vendors have linked to phishing or otherwise detected as malicious. This could reflect activity that resulted in the breach, as threat actors could have leveraged credentials stolen through phishing to access the data exposed in the breach.

Conclusion

While this data does not offer definitive evidence about the origins of the reported breaches, it suggests that attackers may have initially used phishing to compromise employee credentials and some traffic may further suggest the reuse of these credentials.

The file discussed above could have enabled credential theft and subsequent traffic involving IP addresses linked to brute force attacks could reflect the reuse of these credentials alongside others as part of a brute force attempt. The large data transfers may further reflect exfiltration in which the earlier stages of the attack culminated.

Although SecurityScorecard cannot verify these hypotheses without internal visibility into the affected organizations’ networks, the available data appears to suggest them. The STRIKE Team could, moreover, furnish this data to the affected organizations upon request, should they determine that such data would aid their investigation.