Extreme Networks has been providing cyber security support for customers on the Mornington Peninsula, in Dandenong and out into Gippsland for over 20 years, but in the last 12 months we have seen a fundamental change in both the types of threats and the number of threats we are seeing.
Cryptolocker ransomware has been on the rise since 2013, and from 2017 to 2019 we certainly saw a few Cryptolocker cases amongst our customers. Before 2017, the vast majority of security incidents came from insiders. Employees, particularly soon-to-be ex-employees, were often keen to take what they thought they had a right to, and would email themselves customer contact details, contracts and any other intellectual property they could help themselves to. This was by far the most common security issue we saw, but over the last twelve months our IT Security team has seen a big increase in targeted attacks against small and medium-sized businesses.
The Australian Cyber Security Centre recently released its Annual Cyber Threat Report, and it makes for sober reading. I thought I would provide a quick overview of the report and add to it what we have seen in the field. These are cases with local businesses based on the Mornington Peninsula, in Dandenong or out in Gippsland. The cases have been either with existing customers or with customers who have come to Extreme Networks because their current IT provider lacked the skills to manage the cyber security threat.
Cyber Security Trends
We are seeing:
- An increase in Remote Desktop use (especially since COVID-19 has forced many businesses into working from home).
- Growing numbers of Internet of Things devices. Now everything wants to be connected to the internet. Many of these devices have poor security, receive infrequent updates, or are insecure by design.
- Cybercrime as a Service. CaaS has become quite easy to organise, and the usability of many high-end hacking tools has increased the number of people able to use them.
- Increasing attacks from a sophisticated state-based actor. The Prime Minister announced a Category 1 Cyber Incident on 19 June 2020 based on widespread, persistent and sophisticated attacks against a range of Australian businesses.
Cyber Security Attacks
Phishing and Spearphishing campaigns
Phishing is a method of stealing confidential information by sending fraudulent messages to a victim. It remains the most prevalent method used by cyber adversaries to target Australian organisations. We have seen multiple phishing emails that feature official logos and branding (e.g. banks, energy companies, Australia Post), together with the same font and layout as the organisation they pretend to come from.
We are seeing a disturbing rise in spearphishing attacks. Unlike phishing campaigns, which are commonly sent out in their thousands, spearphishing is a more advanced and targeted method of phishing. Spearphishing campaigns are typically well crafted and designed to target a particular set of recipients.
In developing a spearphishing email, adversaries use tactics like social engineering to research, identify and target high-value individuals within particular organisations. This can include using information found via professional and personal social media networks, and publicly available industry information. Some of these attacks can be very sophisticated.
An employee at a Mornington professional services company received an email from an energy provider stating that their electricity bill had not been paid. The staff member clicked the link, and it downloaded malicious software that encrypted her PC and the server. The data had to be restored from backup, which created hours of downtime for the business.
Recommendations
- Ensure adequate backups are in place and that they are tested.
- Ensure your router/firewall filters out as much malicious traffic as possible.
- Conduct phishing training with your team.
Extreme Networks has partnered with Sophos to provide phishing training campaigns, sending emails that look genuine but are in fact phishing emails. Instead of a malicious outcome, team members are sent to pages that highlight how to determine whether an email is genuine or not. There is also detailed reporting on
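The branded phishing described above usually gives itself away in the sender headers rather than in the logo: the display name names a bank or energy company while the address behind it belongs to a different or look-alike domain, or the Reply-To points somewhere else entirely. The script below, an added example that is not code from this post, from Extreme Networks or from Sophos, checks those three things. The brand-to-domain list (`TRUSTED_DOMAINS`) and the two sample header sets are constructed placeholders; replace the list with the real sending domains of the organisations your staff deal with.

```python
"""Flag sender-address tricks common in branded phishing email.

Added example (not code from the original post or from Extreme Networks/Sophos).
The trusted-domain list and the two sample header sets below are constructed.
"""
from email.utils import parseaddr

# Constructed mapping of brand names (as they appear in display names) to the
# domains that brand really sends from. Placeholder domains, not real senders.
TRUSTED_DOMAINS = {
    "example bank": {"example-bank.com.au"},
    "example energy": {"example-energy.com.au"},
}


def edit_distance(a, b):
    """Levenshtein distance; a small value between two domains suggests a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if none."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def check_sender(headers):
    """Return a list of findings for one message's From/Reply-To headers."""
    findings = []
    display_name, _ = parseaddr(headers.get("From", ""))
    display_name = display_name.lower()
    from_domain = domain_of(headers.get("From", ""))

    for brand, legit_domains in TRUSTED_DOMAINS.items():
        # Display name claims a brand but the address is not one of its domains.
        if brand in display_name and from_domain not in legit_domains:
            findings.append(f"display name claims '{brand}' but sender domain is {from_domain}")
        # Domain is one or two characters away from a real one (e.g. 'l' swapped for '1').
        for legit in legit_domains:
            if from_domain != legit and edit_distance(from_domain, legit) <= 2:
                findings.append(f"sender domain {from_domain} looks like {legit}")

    # Replies silently routed to a different domain than the one shown in From.
    reply_domain = domain_of(headers.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


# Constructed sample headers: one genuine-looking, one mimicking an unpaid-bill lure.
GENUINE_HEADERS = {"From": "Example Energy Billing <accounts@example-energy.com.au>"}
PHISHING_HEADERS = {
    "From": "Example Energy <billing@examp1e-energy.com.au>",
    "Reply-To": "payments@mail-relay.invalid",
}

if __name__ == "__main__":
    for label, hdrs in (("genuine", GENUINE_HEADERS), ("phishing", PHISHING_HEADERS)):
        print(label, check_sender(hdrs) or ["no findings"])
```

Run against the sample data, the genuine message produces no findings and the lure produces three (brand claim, look-alike domain, mismatched Reply-To). The same checks are a useful talking point in phishing training, because they are the ones a reader can verify by hovering over the sender rather than by judging the logo.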
Business email compromise
Business email compromise (BEC) is a common attack vector available within CaaS (Cybercrime as a Service) markets. BEC targets businesses and their employees for financial gain, by using socially engineered messages or compromised email accounts. This methodology involves fraudulently requesting payment transfers or changing account details on invoices or payrolls, to redirect funds into bank accounts controlled by the cybercriminal.
Hackers had brute-forced the Office 365 password, gained access to the email account and found invoices that had been sent out. They then created new invoices with their own BSB and account numbers. These were sent to the customer, which then paid the money into the hackers' account. This is particularly disturbing as it is a sophisticated attack on a manufacturing company with fewer than 15 employees.
Recommendations:
- Ensure multifactor authentication is used across the organisation.
- Ensure adequate Cyber Crime insurance coverage.
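A brute-forced mailbox password leaves a trail in the tenant's sign-in log long before a fraudulent invoice goes out: a run of failures against one account followed by a success, or one source address trying a single password against many accounts. The script below is an added example, not code from this post or from Extreme Networks, and does not use any real Office 365 log format; it reads a constructed comma-separated sign-in log (timestamp, user, result, source IP) and raises three kinds of alert. The thresholds (`fail_threshold`, `window`, `spray_users`) are assumptions to tune for your own environment. Multifactor authentication, as recommended above, is what stops the "success after failures" case from becoming a compromise; this detection tells you which accounts were being worked on.

```python
"""Detect brute-force and password-spray patterns in a sign-in log.

Added example (not code from the original post or from Extreme Networks).
The log format and SAMPLE_SIGNIN_LOG are constructed; adapt parse_signin_log()
to whatever export your mail platform provides.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp,user,result,source_ip
SAMPLE_SIGNIN_LOG = """\
2020-06-19T08:00:01,jane@example.com.au,FAILURE,203.0.113.10
2020-06-19T08:00:40,jane@example.com.au,FAILURE,203.0.113.10
2020-06-19T08:01:15,jane@example.com.au,FAILURE,203.0.113.10
2020-06-19T08:02:02,jane@example.com.au,FAILURE,203.0.113.10
2020-06-19T08:02:55,jane@example.com.au,FAILURE,203.0.113.10
2020-06-19T08:03:30,jane@example.com.au,SUCCESS,203.0.113.10
2020-06-19T09:10:00,bob@example.com.au,FAILURE,192.0.2.44
2020-06-19T09:10:30,bob@example.com.au,SUCCESS,192.0.2.44
2020-06-19T22:00:00,jane@example.com.au,FAILURE,198.51.100.7
2020-06-19T22:00:05,bob@example.com.au,FAILURE,198.51.100.7
2020-06-19T22:00:10,sue@example.com.au,FAILURE,198.51.100.7
2020-06-19T22:00:15,tom@example.com.au,FAILURE,198.51.100.7
"""


def parse_signin_log(text):
    """Parse the constructed CSV format into (timestamp, user, result, ip) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), user.lower(), result, ip))
    return sorted(events)


def detect_suspicious_signins(events, fail_threshold=5, window=timedelta(minutes=10), spray_users=3):
    """Return alert dicts for brute force, success-after-failures and password spray."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> timestamps of failures inside the window
    already_flagged = set()               # one brute-force alert per user
    users_per_ip = defaultdict(set)       # ip -> distinct users it failed against

    for ts, user, result, ip in events:
        if result == "FAILURE":
            users_per_ip[ip].add(user)
            # Keep only failures still inside the sliding window, then add this one.
            recent_failures[user] = [t for t in recent_failures[user] if ts - t <= window] + [ts]
            if len(recent_failures[user]) >= fail_threshold and user not in already_flagged:
                already_flagged.add(user)
                alerts.append({"type": "brute_force", "user": user, "ip": ip})
        elif result == "SUCCESS":
            # A success right after a burst of failures is the case that matters most.
            in_window = [t for t in recent_failures[user] if ts - t <= window]
            if len(in_window) >= fail_threshold:
                alerts.append({"type": "success_after_failures", "user": user, "ip": ip})
            recent_failures[user] = []

    # One source failing against many accounts: low-and-slow spraying, not one target.
    for ip, users in users_per_ip.items():
        if len(users) >= spray_users:
            alerts.append({"type": "password_spray", "ip": ip, "users": sorted(users)})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_signins(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        print(alert)
```

On the sample log this reports a brute-force run against one account, the successful sign-in that followed it, and a spray from a second address across four accounts. In practice the "success after failures" alert is the one to page on, because it means the password is now known to someone else.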
Exploitation of vulnerabilities
Cyber adversaries look for misconfigured devices, open ports and databases and vulnerabilities in hardware appliances or unpatched software. As soon as a vulnerability in a widely used software application is identified, adversaries can quickly deploy exploits on to the networks they already know are susceptible to attack.
A national customer with its head office in Melbourne was running a knowledge management system that was available from the public internet. At 6:30 PM one afternoon in June, we were notified through our relationship with the ACSC that the customer had been compromised. The ACSC had detected traffic from a compromised application. A Security Response Team (SRT) was quickly formed and reviewed the known situation. Although the information from the ACSC was scant, it was enough to enable our SRT to identify the application. A zero-day exploit (one the vendor was not aware of) had been used against it. The application was restored to a known good state, the data was restored, and a patch from the vendor was applied. The firewall rules were also strengthened.
The organisation has a national presence, and it is believed that its work had put it above the detection threshold for sophisticated state-based hackers wanting to compromise its network, potentially to add to the reconnaissance being conducted on Australian business people. The advance notice from the ACSC meant that there was no compromise of data or downtime for the customer, and remediation was straightforward.
Recommendations:
- Ensure applications, particularly internet-facing applications, are patched to the latest patch level.
- Routinely review firewall rules and deny traffic from regions for which there is no business requirement.
- Ensure your IT company has strong relationships with the ACSC.
- Ensure backup procedures are regularly tested.
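Firewall rule reviews tend to slip because nobody reads a few hundred rules by hand. The script below, an added example rather than code from this post, from Extreme Networks or from any firewall vendor, shows what a routine review can check automatically: inbound allow rules open to the whole internet on remote-access and database ports (the Remote Desktop exposure noted in the trends section), a catch-all any/any rule, and rules that admit traffic from a region the business has no requirement to talk to. The rule dictionary format, the `RISKY_PORTS` list, the region codes and the sample rule set are all constructed assumptions; export your own rules into the same shape before running it.

```python
"""Review a firewall rule set for the exposures the recommendations above call out.

Added example, not code from the original post or any vendor; the rule format,
the risky-port list, the region codes and the sample rules are constructed.
"""

# Services that should never be reachable from the whole internet (constructed list).
RISKY_PORTS = {22: "SSH", 445: "SMB", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP"}


def parse_ports(spec):
    """Expand 'any', '443', '80,443' or '3380-3390' into a set of ports ('any' -> empty set)."""
    ports = set()
    if spec == "any":
        return ports
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        ports.update(range(lo, hi + 1))
    return ports


def review_rules(rules, allowed_regions):
    """Return (rule name, problem) pairs for inbound allow rules that need attention."""
    findings = []
    for rule in rules:
        # Deny rules and outbound rules are out of scope for this review.
        if rule["action"] != "allow" or rule["direction"] != "inbound":
            continue
        from_anywhere = rule["src"] == "any"
        ports = parse_ports(rule["ports"])

        if from_anywhere and rule["dst"] == "any" and rule["ports"] == "any":
            findings.append((rule["name"], "allows any source to any destination on all ports"))
            continue
        if from_anywhere:
            for port in sorted(ports & set(RISKY_PORTS)):
                findings.append((rule["name"], f"exposes {RISKY_PORTS[port]} (tcp/{port}) to the whole internet"))
        # src_region is an assumed field: the geolocation tag of the rule's source range.
        region = rule.get("src_region")
        if region and region not in allowed_regions:
            findings.append((rule["name"], f"permits traffic from region {region} with no business requirement"))
    return findings


# Constructed sample rule set. 'XX' is a placeholder region code, not a real country.
SAMPLE_RULES = [
    {"name": "web-in", "action": "allow", "direction": "inbound",
     "src": "any", "dst": "10.0.1.10", "ports": "80,443"},
    {"name": "rdp-in", "action": "allow", "direction": "inbound",
     "src": "any", "dst": "10.0.1.20", "ports": "3389"},
    {"name": "legacy-any", "action": "allow", "direction": "inbound",
     "src": "any", "dst": "any", "ports": "any"},
    {"name": "partner-portal", "action": "allow", "direction": "inbound",
     "src": "203.0.113.0/24", "src_region": "XX", "dst": "10.0.1.30", "ports": "443"},
    {"name": "office-rdp", "action": "allow", "direction": "inbound",
     "src": "198.51.100.0/24", "src_region": "AU", "dst": "10.0.1.20", "ports": "3389"},
    {"name": "deny-all", "action": "deny", "direction": "inbound",
     "src": "any", "dst": "any", "ports": "any"},
]
ALLOWED_REGIONS = {"AU"}

if __name__ == "__main__":
    for name, problem in review_rules(SAMPLE_RULES, ALLOWED_REGIONS):
        print(f"{name}: {problem}")
```

The sample flags the internet-facing RDP rule, the legacy any/any rule and the partner rule from an unexpected region, while leaving the public web rule and the office-restricted RDP rule alone. Keeping the output from each review with the audit paperwork gives the annual security audit below a concrete before-and-after record.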
Each small business should conduct an annual Cyber Security Audit, looking at firewalls, antivirus, staff training, information access policies, logging, risks and most importantly your backup and disaster recovery processes.
If you need help with any of this, call Team Extreme for a no obligation discussion about your IT security needs.