
Most threats detailed by ACSC work only on Windows

Most of the case studies of various cyber infringements detailed in the Australian Cyber Security Centre's 2016 report have one thing in common: they relate to threats that are only possible on Microsoft Windows systems.

In one major incident response, the ACSC writes of investigating and remediating the problems caused by the intrusion into a government network by a foreign state. Here the attack vector was Microsoft Office macros. No date was specified for this incident.

In July 2015, CERT Australia advised a financial services provider of a compromised domain controller on their network that was communicating with malicious domains. At the time of notification, it was believed this host had been compromised for at least a year. Once again, Windows malware was implicated.

In a third case, a company contacted CERT Australia for assistance in mitigating sophisticated spear phishing. A malicious email with an attached password-protected zip archive had been sent to a company manager. Analysis revealed that the attached zip archive contained a Windows screensaver file that would have appeared on the system as a PDF file.

When opened, it would have dropped a malicious executable and added a Microsoft update-themed shortcut to the system’s start-up folder to establish a persistent presence. The malicious executable would have sent encrypted beacons containing details of the infected system. It was a first-stage implant that could have been used to upload additional files and to execute commands on the infected host system.
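The attachment described in this case, a Windows screensaver (.scr) inside a zip archive named so that it passes for a PDF, is the kind of thing a mail gateway can flag before a user ever opens it. The following screening routine is an added example written for this article, not code from the ACSC or CERT Australia; the extension lists and the sample archive it builds are constructed for illustration. It relies on the fact that a standard password-protected zip encrypts member contents but not member names, so the listing can be inspected even when the archive cannot be extracted.

```python
import io
import zipfile

# Extensions Windows executes directly on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    ".scr", ".exe", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk",
}
# Document extensions an attacker may insert before the real one, e.g. "report.pdf.scr".
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_member(name):
    """Return the reasons an archive member name looks suspicious (empty list if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()   # strip any directory prefix
    parts = base.split(".")
    if len(parts) < 2:
        return reasons                        # no extension at all
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        # Any document-looking extension hiding before the executable one?
        inner = ["." + p for p in parts[1:-1]]
        if any(i in DOCUMENT_EXTENSIONS for i in inner):
            reasons.append("document extension hidden before executable extension")
    if "\u202e" in name:                      # right-to-left override trick
        reasons.append("RTL override character in name")
    return reasons


def screen_archive(data):
    """Inspect raw zip bytes and return {member name: reasons} for suspicious members.

    Only the central directory is read, so this works on password-protected
    archives too: ZIP encryption covers member contents, not member names.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample: a harmless note plus a screensaver named to pass as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "quarterly figures attached")
        zf.writestr("Invoice_2016.pdf.scr", b"placeholder bytes - not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in screen_archive(build_sample_archive()).items():
        print(f"{member}: {'; '.join(reasons)}")
```

The check is deliberately name-based so it can run on archives the gateway cannot open; it should sit alongside content inspection once the archive is decrypted, and the extension lists are a starting point to tune for the environment.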

Then in 2016, a staff member from a government organisation clicked on an Australia Post-themed email which infected their workstation with Cryptolocker, ransomware that only runs on Windows. At that time, the staff member’s workstation was simply re-imaged.

The ACSC said it had observed an increase in systems being exploited using PowerShell, a powerful shell scripting language developed by Microsoft that enables network administrators to fully control Microsoft Windows systems with ease.

The ACSC also wrote that it had observed attackers compromising Microsoft Outlook Web Application (OWA) servers and utilising Web shells for network persistence. OWA is a full-featured, Web-based email client through which users can remotely access their emails, contacts, tasks and folders over a secure connection from anywhere with Internet access.

In another case reported on 4 August, the ACSC became aware that websites of various Canberra-based businesses — some close to government departments — were hosting an exploit kit redirect, the first step in compromising visitors. Subsequent analysis indicated that the exploit kit redirect was part of the Neutrino Exploit Kit.

In one case where Microsoft products are not mentioned, on 26 May, the ASD identified suspected malicious files present on a government network. Analysis confirmed these files were Flash files which enumerated browser details, encrypted them and passed them on to a server. Flash has been identified by the ACSC as a common attack vector. There are versions for all common operating systems.

In another case, the ACSC says it was notified of a cyber intrusion on the corporate network of an Australian critical infrastructure owner and operator. The ACSC’s investigation revealed the attacker used legitimate credentials belonging to a staff member and a contractor of the organisation during the compromise.

In late 2015, a payroll system utilised by a number of Australian-based companies was compromised and the personal data of employees was obtained. The actors used the stolen information, including tax file numbers, to lodge fraudulent tax returns. The incident resulted in considerable financial and reputational damage to the companies affected by the compromise.


The ACSC must be commended on two fronts: firstly, for the sober tone in dealing with a subject that tends to get most people hyped up, and secondly, for packing so much information into a report that is just 28 pages long.



Sam Varghese

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.