Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
Stung by Ransomware, Australia Urges Better Preparation
'Malicious Cyber Activity' Increasing, Australia's Cyber Security Center WarnsRansomware continues to pose a "significant" threat, and email remains one of the top attack vectors being used by both criminals and nation-states, not least because it continues to be a reliable tactic for sneaking information stealers and other malware into organizations.
See Also: Gartner Market Guide for DFIR Retainer Services
So warns Australia's Cyber Security Center in its latest annual "Cyber Threat Report," released on Friday, which rounds up the top attack types being used against the country's organizations, and urges them to take greater steps to protect themselves.
Of course, email is not the only mechanism exploited by online attackers. “Although malicious emails are currently, and will likely continue to be, the most common type of incident reported to the ACSC, it is important to ensure security is applied throughout a network - defense-in-depth - and across personal devices,” the agency says.
ACSC says that during the period covered by the report - from July 2019 through June 2020 - it responded to 2,266 cybersecurity incidents across a range of industries, although notes that the greatest number of reports it received came from state and federal governments. Victims - including individuals and businesses - can report cyber incidents using the online ReportCyber tool.
Victims filed a total of 59,806 reports - a decline from the 64,567 reports filed in the previous 12-month reporting period - which the ACSC says is the equivalent of it receiving one report every 10 minutes. Most of the reports stemmed from online fraud, which it says cost the country at least $634 million Australian dollars ($462 million) last year.
ACSC cautions that the drop in reports it received should not be read as an indication that online attacks - or cybercrime - is declining. Rather, it notes that such attacks remain chronically underreported.
“Malicious cyber activity against Australia’s national and economic interests is increasing in frequency, scale and sophistication,” the ACSC says. “Phishing and spear-phishing remain the most common methods used by cyber adversaries to harvest personal information or user credentials to gain access to networks, or to distribute malicious content.”
The release of the ACSC’s report comes as Service New South Wales, which is the state's overseer of government services, outlined a plan on Monday to notify 186,000 people whose personal information was exposed, sometime around May. Attackers compromised 47 staff email accounts, which held 3.8 million documents, 500,000 of which contained personal information.
Top Threat: Ransomware
Mirroring global trends, ransomware continues to remain a threat in Australia. Crypto-locking malware infections often begin with a user opening a malicious file they receive via a spear-phishing campaign, ACSC says.
“Ransomware has become one of the most significant threats given the potential impact on the operations of businesses and governments,” the ACSC says. “Cybercriminals often illicitly obtain user logins and credentials through spear-phishing, before utilizing remote desktop protocol - RDP - services to deploy ransomware on their targets. Recovering from ransomware is almost impossible without comprehensive backups.”
Some ransomware incidents affecting Australian organizations have become public. One of the most notable this year was Toll Group, a shipping and logistics organization owned by Japan Post.
Toll Group was hit by Mailto ransomware in February, which infected at least 1,000 of its servers and forced the firm to take its customer-facing applications offline (see Australian Delivery Firm Confirms Ransomware Attack).
Toll Group was hit again in May, this time by a gang that first exfiltrated employee information, the locked systems using Nefilim - aka Nephilim - ransomware. In both cases, the company said it would not pay attackers (see Toll Group Says Ransomware Attackers Stole Data).
Although general, fraud-related incidents accounted for the greatest number of incidents filed via ReportCyber, the ACSC says that it “assesses ransomware as the highest threat ... based on the fact that ransomware requires minimal technical expertise, is low cost and can result in significant impact to an organization, potentially crippling core business functions."
Nation-State Attack Threat
Like many other nations, Australia also continues to be targeted by nation-state actors. Although the government typically avoids attributing such attacks, security experts say China continues to loom large.
On nation-state attack seen earlier this year involved Australia taking a sensitive military-recruiting database offline for 10 days in February following concerns it may have been hacked. The database contained medical exam data, psychological records and summaries of interviews with recruits (see Australia Took Military System Offline Over Hack Fears).
On June 19, meanwhile, Prime Minister Scott Morrison warned that Australia was being targeted by sustained online attacks being launched by a "sophisticated state-based cyber actor," without naming China, which was the chief suspect, reported the ABC.
Those attacks largely involved open-source tools being used to target known flaws. The government dubbed these as “copy-paste compromises” due to attackers' "heavy use of tools copied almost identically from open source." Targeted vulnerabilities included flaws in Telerik UI, a 2019 vulnerability in Microsoft's SharePoint and Internet Information Services; and a 2019 Citrix vulnerability.
Cyber Hygiene Counts
As the ACSC said at the time in a security advisory, such attacks should be easily blocked, as all of the targeted flaws had available patches or mitigations.
The government used that fact to remind Australian organizations of the need to be more proactive. “The ACSC responds to hundreds of cybersecurity incidents each year,” the organization says. “Many of these could have been avoided or substantially mitigated by good cybersecurity practices.”
The ACSC advises organizations, at a minimum, to follow its Essential Eight strategies to mitigate cybersecurity incidents, which advocates such essentials as using multifactor authentication, restricting administrator privileges, blocking Office macros and using application controls to prevent unapproved or malicious programs from executing.
Incident Response Essentials
ASCS also warns that logging remains a common deficit. "During investigations, a common issue that reduced the effectiveness and speed of investigative efforts was the lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs," it says.
Security experts say too many organizations still fail to capture the information they would need to thoroughly investigate and mitigate network intrusions (see: Surviving a Breach: 8 Incident Response Essentials).
Increasingly, western governments have been issuing similar warnings. On Tuesday, cybersecurity agencies in all of the so-called "Five Eyes" intelligence-sharing network - comprising Australia, Canada New Zealand, the U.K. and U.S. - released a joint advisory that "highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices." The joint alert says the purpose of the recommendations "is to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation."
Executive Editor Mathew Schwartz contributed to this story.