Symantec Enterprise: We Deliver Updated Protection Every Day to Our Customers

Last week, the Australian Prime Minister Scott Morrison announced that an “Ongoing, “unprecedented” hack was being executed by a “sophisticated, state-based cyber actor against the Australian Government.”  Called the Copy-Paste compromises, it was hard to miss the news – every news agency in the country reported on the attacks and it dominated news headlines in the days following.

While these types of attacks happen around the world every day, it’s rare to see them make headlines in such an intense way. For Symantec, a division of Broadcom (NASDAQ: AVGO), whether these attacks reach the public arena or not, it’s our job to follow these incidents.  And the good news is that Symantec already had you protected, well before the Australian Prime Minister announced these attacks publicly.

We deliver updated protection every day to our customers. The goal is to get protection into the field to prevent the threat from getting into our customer’s environment.  While there is a huge industry focus on detection, finding threats that evade protection, and rightfully so, protection is always preferable.  It’s better to block a threat than find it persistent in your network.  And the cost in resources and damage to the organization is significantly less.

 Part of our best practices is to go through Indicators of Compromise (IOCs) that are shared with us to make sure we have protection in place.   Critical to having the worlds’ largest threat intelligence network is not only the amount of data you can collect yourself.  We do collect massive amounts of data from honeypots, activity monitoring nodes and our own telemetry.  And analysis of this data is responsible for the bulk of our threat intelligence and drives our protection.  But that’s not all that contributes to our threat intelligence. Good intelligence also requires good relationships.  And Symantec has long-standing sharing arrangements with Internet registrars, hosting and service providers, CERTs, government partners, and security vendors.

Based on our analysis of the IOCs and samples of the malware we have acquired, our customers were already protected and had no need to scramble.  Protection was in place. And remains so.    

We’ll continue to monitor the situation, as we do all incidents.  We’ll continue to keep our protection up to date and ahead of the bad guys. 

A list of the protections in place against the “Copy-paste” attack are listed below:

AV:

• Trojan.Gen.2
• Trojan Horse
• Trojan.Gen.MBT
• Backdoor.Trojan
• Hacktool.Rotpotato
• Hacktool.Jsprat
• W97M.Downloader
• Downloader

• WS.Malware.1
• WS.Malware.2
• WS.SecurityRisk.1

IPS coverage on vulnerabilities exploited (as identified by ACSC):

• CVE-2019-18935: [32288] Web Attack: Telerik UI CVE-2019-18935
• CVE-2019-19781: [31961] Web Attack: Citrix ADC RCE CVE-2019-19781
• CVE-2019-0604: [31531] Web Attack: Microsoft SharePoint RCE CVE-2019-0604

Email (Skeptic):

• Trojan Horse
• Backdoor.Trojan
• Trojan.Mdropper