The Australian Signals Directorate issued an urgent advisory in 2021 for a critical vulnerability found on a software and web-hosting platform that is used by the Australian military.

ForceNet is the Australian Defence Force’s secure social media and staff communications platform.

The advisory said the vulnerability was being actively exploited in Australia, and warned the platform’s administrators to ensure patches were up to date and to check logs for malicious activity.

Minister for defence personnel Matt Keogh on Monday said that Defence had communicated to staff that an external contractor has been the subject of a ransomware attack. “That external contractor was providing … around a platform for Defence, which is like an internal social media platform which has data from 2018 regarding Defence personnel.”

“Defence has communicated with staff on making sure that people in effect remain vigilant around their personal information in light of recent cyber security attacks we’ve seen from a number of organisations in Australia,” Keogh said.

Keogh said as many as 40,000 records were potentially held on the targeted system and that “we’re connecting Defence personnel with an external provider to support them as well if they need assistance in protecting their ID documents or their personal information.”

ForceNet is Defence’s ostensibly secure, invitation-only staff and social media communications platform. It was deployed to create a safe, authorised sharing hub without linking it to either the Defence Restricted Network or the Defence Secret Network, and without posting Defence material in the public domain.

While the material on ForceNet is by its nature unclassified, Defence controls who can access it and moderates its content.

Deployed in 2014 as a kind of human resources portal meets Facebook, ForceNet was built using the Sitecore software and web-hosting suite, with Deloitte partnering for the build and upkeep of the platform.

ForceNet had initially been slated for Reservists but was subsequently expanded across the military.

It was intentionally made more functional, with fewer onerous security requirements, so that personnel could still communicate with colleagues, including overseas forces on assignment or embedded with Australian forces.

On 5 November 2021, the Australian Cyber Security Centre, part of ASD, issued a public warning that a “Proof of concept exploit code has been released for a remote code execution vulnerability (CVE-2021-42237) in certain versions of the Sitecore Experience Platform (Sitecore XP) content management system.”

Marked as “Alert status: CRITICAL”, the advisory cautioned that “Successful exploitation of this vulnerability results in remote code execution that could allow an internet-based actor to install malware/or webshells and perform other actions.”

“Australian organisations who have identified an internet-exposed Sitecore XP instance vulnerable to CVE-2021-42237 should review logs for signs of malicious activity targeting the vulnerable Report.ashx file outlined in the Sitecore security bulletin,” the advisory continued.
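The log review the alert asks administrators to carry out, as an added example that is not from the ACSC advisory, Sitecore or Defence: it parses IIS W3C extended log lines (assumed here as the format written by the ASP.NET host behind a Sitecore XP instance), picks out every request whose target file is Report.ashx and summarises them per client IP for triage. The sample log lines, their directory path, addresses and user agents are all constructed; only the file name comes from the alert.

```python
from collections import Counter, defaultdict

# File named in the ACSC alert; matched case-insensitively on the URI stem's basename.
TARGET_FILE = "report.ashx"

# Constructed IIS W3C extended log sample. Directory part of the path, addresses and
# user agents are made up for this example; only the file name comes from the alert.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-11-06 02:14:07 10.0.0.5 GET /example/default.aspx - 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 45
2021-11-06 02:14:09 10.0.0.5 POST /example/Report.ashx - 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 1340
2021-11-06 02:14:11 10.0.0.5 POST /example/report.ASHX - 443 - 203.0.113.9 python-requests/2.25.1 - 500 0 0 220
2021-11-06 02:15:30 10.0.0.5 GET /example/Report.ashx - 443 - 198.51.100.20 Mozilla/5.0 - 404 0 0 12
"""


def parse_w3c(text):
    """Yield one dict per request line, using the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated lines rather than misalign columns
                yield dict(zip(fields, parts))


def find_report_ashx_hits(text):
    """Return every request whose target file is Report.ashx, whatever its case or directory."""
    return [row for row in parse_w3c(text)
            if row["cs-uri-stem"].rsplit("/", 1)[-1].lower() == TARGET_FILE]


def summarise_by_client(hits):
    """Per client IP: request count plus the HTTP methods and status codes seen."""
    summary = defaultdict(lambda: {"count": 0, "methods": Counter(), "statuses": Counter()})
    for row in hits:
        entry = summary[row["c-ip"]]
        entry["count"] += 1
        entry["methods"][row["cs-method"]] += 1
        entry["statuses"][row["sc-status"]] += 1
    return dict(summary)


if __name__ == "__main__":
    # Repeated POSTs from one client to a handler that is otherwise rarely hit merit a closer look.
    for ip, info in summarise_by_client(find_report_ashx_hits(SAMPLE_LOG)).items():
        print(ip, info["count"], dict(info["methods"]), dict(info["statuses"]))
```

Point the same functions at a real log directory by reading each file's text into `find_report_ashx_hits`; the #Fields header lets the parser follow whatever column layout the server is configured to write.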

The latest alleged ransomware incident against a high-profile target follows major data exfiltration incidents at Optus, which affected data on 10 million people, and at Medibank Private, which affected 4 million people.

So far both of those attacks have been characterised as criminal attacks rather than ‘sophisticated’ raids by state-sponsored APTs (advanced persistent threats).

Both Optus and Medibank Private have held major Department of Defence contracts: Optus for satellite communications, and Medibank Private for Garrison Health, which functions as Defence’s health insurance provider, a contract Medibank lost to BUPA, which officially took over in July 2019.

With another provider to Defence now targeted, it remains to be seen whether the criminal characterisation of the recent attacks remains in place.

The Defence Personnel minister said the department was “working now to get a full picture” of the situation.

“We’re working with that external provider to make sure we’ve got a full picture of what sort of data was there and available. We understand it may have been about 30,000 to 40,000 records that they held,” Keogh said.
