Ransomware: Toll Group

Australian transport and logistics giant, Toll Group, was forced to shut down a number of IT systems for approximately one month due to a targeted ransomware attack.

The company is finally reintegrating with its clients’ IT systems.

Toll customers experienced major disruptions to shipment tracking, particularly those relying on the ‘MyToll’ portal application. Drivers reverted back to manual receipts.

Toll responded to the attack by immediately isolating and disabling a range of its IT systems. This quick action helped stop the malware spreading. The ransomware, known as Mailto or Kokoklock, is believed to have infected as many as 1000 servers.

The company refused to pay the ransom, a move that was praised by a number of public officials. (see Australian News below).

API Vulnerability

With many organisations now relying on hundreds of APIs, the range of threats has escalated accordingly.

Last month Twitter disclosed a security incident during which a large network of fake accounts abused the company’s API to match phone numbers to users’ accounts.

The API endpoint being targeted was designed to allow the owners of new Twitter accounts to easily discover their friends on the platform. The API does this by matching phone numbers to accounts that have enabled the setting. By utilising a large network of fake accounts, it is believed that the suspected attackers were able to take advantage of this feature and aggregate a significant amount of phone numbers (and associated account information).

When the company became aware of the situation, it claims it immediately suspended the accounts associated with the attack. In addition, the API has been modified so that it could no longer return specific account names in response to queries. Twitter believes this will prevent any future manipulation of the API’s intended usage.

SSL Certificates

These days, most website URLs start with https. It indicates the website has an SSL Certificate and any data it transmits is encrypted.

However, in order to force website administrators to keep up to date with the latest security features, Apple has just announced that its Safari browser will only allow access to sites that have SSL Certificates with an expiration date shorter than 13 months.

This will force website administrators to renew SSL Certificates approximately once each year – ensuring they have updated cryptographic standards.

The move aims to reduce the number of old, neglected certificates that could potentially be stolen and re-used for phishing and drive-by malware attacks.

Once implemented, certificates with expiration dates longer than 13 months will show a certificate error in the browser.

Older certificates however, which were created before the implementation of this rule will not be affected.

Trojan Stealing Google MFA Codes

Two Factor Authentication, or 2FA, is recognised as one of the best ways to safeguard against password compromise attacks.

However, even 2FA isn’t totally immune from attack.

A new trojan, named Cerberus, is in the wild and targeting Android banking applications. Specifically, it captures the login credentials of a user logging into their banking application. It then extracts any one-time password issued by ‘Google Authenticator’ – one of the most widely used 2FA verification systems.

The trojan then sends the login credentials with the one-time password to a malicious actor who can gain access the user’s online banking application.

It is strongly recommended that Android users exercise caution when installing applications onto their mobile devices.

Email Challenges in the Health Care Sector

The Notifiable Data Breaches (NDB) scheme was established in February 2018 to improve consumer protection and drive better security standards for protecting personal information.

Its latest report, covering July through December 2019, shows a 19% increase in the number of reported data breaches compared to the previous six months.

22% of all reported breaches were in the health sector, higher than any other industry.

For the health sector, email security remains a significant challenge.

Phishing constitutes the single largest type of ‘Malicious or Criminal Attack’ (17 out of 63 reported incidents). Meanwhile, incorrectly sending private data via email to the wrong recipient, is the largest single type of ‘Human Error’ (12 out of 51 reported incidents).

These figures point to the fact that with proper email security training for health care professionals, a significant decline in the number of breaches is achievable.

Contact Shearwater to learn about our Phriendly Phishing training modules. It’s the perfect way to train your staff about email security and reduce the chances of data breaches occurring.

ASD changes to IRAP and CSCP

Providing cloud-computing services to the Australian Government is about the get easier.

The Australian Signals Directorate (ASD) and the Digital Transformation Agency (DTA) announced changes affecting cloud service providers. Those wishing to provide cloud services to Australian Government departments and agencies are no longer required to pass the Cloud Services Certification Program (CSCP) assessment. Furthermore, they will no longer be listed on the Certified Cloud Services List (CCSL).

These changes mean that cloud providers will be treated in the same way as other ICT providers. It is still recommended to undergo an IRAP assessment, as once you achieve certification with one Government department or agency, it can be leveraged to open the way for you to work with other departments and agencies.

For ICT or cloud providers considering undergoing IRAP assessment, the Government has announced extra resources to boost the number of IRAP assessors. This should facilitate a more efficient IRAP assessment process.

Contact us for further information on the IRAP assessment process and how Shearwater can guide you through the process.

ASD: Time to Boost Cyber Security

The new Director-General of the Australian Signals Directorate (ASD), Rachel Noble, has warned business to bolster cyber defence capabilities. She argues that both business and government must make data security a top priority, whilst developing a deeper understanding of cyber threats and defences.

“Organisations must back up their data regularly, know how and where their data is stored and make sure it is kept up to date,” she said.

When it comes to ransomware, Noble warns against paying ransoms. Recently, Toll Group was subjected to a major attack and decided not to pay a ransom demand. Whilst some believe the extended period of disruption for customers could have been avoided, the message from the ASD head is that ransom payments should be avoided.

“We strongly recommend organisations don’t pay ransoms,” Noble said. “There is a risk you just lose your money or you end up being used as a cash cow and the cyber criminals come back again.”

IoT Security

IoT, or Internet of Things, is the term used to describe a broad range of internet-connected devices. From household appliances to industrial machinery, IoT devices are increasingly being exploited by attackers in order to gain unauthorised access to networks and compromise data.

The interconnected nature of IoT devices means that exploitation can have widespread consequences.

At present, manufacturers of consumer IoT devices have no rules that require their products meet minimum cyber security standards. With internet-connected devices becoming increasingly common in Australian homes, from smart TVs to baby-monitors, the time has come to establish standards so consumers have confidence they are purchasing secure products.

The Australian Government has launched an initiative to develop a voluntary code of practice for consumer-oriented IoT devices. The hope is that a voluntary industry code will be sufficient to uplift cybersecurity, but if necessary, the Government could move to mandatory standards.

According to Damien Manuel, chairman of the Australian Information Security Association (ASIA), the trend towards greater consumer protections is clear. “It is inevitable that connected devices will have cyber security ratings within five years…A device’s cyber security rating will become a key part of the consumer decision-making process.”

For manufacturers of IoT devices, contact Shearwater to learn how you can ensure your products meet your customers’ cybersecurity expectations.

$11m Cyber Fraud

A 31-year-old South Australian man has been charged with allegedly defrauding individuals to the tune of $11 million. According to police, the man allegedly engaged in identity theft which was used to modify payroll data, superannuation details and credit card records.

According to NSW Police Cybercrime Squad Commander, Detective Superintendent Mathew Craft, “Cybercrime presents a unique challenge for law enforcement, and the only way we can tackle these national issues, is through the collaboration of our law enforcement and industry partners.”

Identity information is a valuable commodity on the black market and dark web. It is essential that all organisations have strong cyber security measures in place to ensure data is protected.

Contact Shearwater to learn how we can assist your organisation develop information security policies to keep data secure.