Cyber alerts

Pandemic

The ongoing worldwide outbreak of coronavirus disease (COVID-19), which originated in Wuhan, China, in December 2019, continues to grab headlines. As of closing-February 2020, more than 90,000 cases had been confirmed and at least 3000 had died. It has now risen to 800.000 deaths and 25 million infected as of closing August 2020. The World Health Organization (WHO) has declared the outbreak a public health emergency of international concern, and health authorities continue to work to contain the spread of the disease.

Companies have a duty of care to their employees as well as a broader responsibility to their business partners and communities. 

Steps to assist your company
Start preparing for a pandemic early. Organizations should review their existing business continuity and emergency management; including evaluating the impacts from a temporary reduction in workforce or a higher-than-average number of employees working remotely.

Assess risks and vulnerabilities to physical and cyber systems from a reduction in staff, both internally and among key organizational interdependencies, such as supply chain partners or service providers.

Communicate early and regularly, internally and externally, since information voids will often be filled with incorrect information.

Security and IT executives need to brief senior leadership regularly and ensure there is a clear understanding of leadership’s expectations and their true level of risk acceptance.

Establish an “intelligence baseline” Going on a quest for perfect information about a widespread health concern is unreasonable and will exacerbate the level of frustration security executives might already feel. Determine which trusted sources of information you’re going to rely on, good examples include WHO, the Centers for Disease Control, the Department of Health, or a trusted medical response provider.

Focus your awareness campaign on those sources, unless gaps emerge that must be addressed. Sticking with select sources allows you to conduct trend analysis on how the situation is evolving.

Identify potential triggers, risk tolerances, and responses.  All crises are fluid, but emergent medical issues tend to be even more so. A trigger-based escalation matrix can be an incredibly powerful tool to help you respond more confidently. When new information comes in, it’s important to validate it as soon as possible and discern which escalation plans or other pre-vetted decision trees might need to be recalibrated.

Accept that the ‘facts’ are likely to change. Be prepared to re-evaluate your assumptions of those so-called facts and then adjust your action plans based on new information or emerging trends.

Ensure a coordinated response. Organizations must ensure a strong, coordinated response that integrates cybersecurity, emergency management and risk communications staff.

Ensure consistent and frequent communications to your staff and external stakeholders.

Think globally. The term pandemic refers to a disease that has spread across a large region such as multiple continents.

When evaluating security risks or preparing business continuity plans, companies need to be prepared for potential impacts on a worldwide scale. Ensure all plans have factored in worldwide aspects of your business, including supply chain, customers and service providers.

Keep in mind that many suppliers and business partners are in different parts of the world. Contact business partners—especially supply chain—to confirm instructions for requests, orders, shipments, receipts, payment, etc.

Stress test all facets of the remote work capability. Estimates of the peak impact of COVID-19 vary widely and likely will continue to vary for some time. What’s clear is that the business impacts are not going away and may well increase before they begin to dissipate.

Remote work—whether by choice or out of necessity—will likely have to play a significant role in your business continuity planning. Stress test every facet of your infrastructure now. An IT backbone intended to remotely support perhaps 10% to 20% of the workforce might struggle under the weight of the current challenge.

The earlier you understand the weak points in your system, the more time you’ll have to problem solve, or prioritize who should have access to your systems.

Be transparent in sharing updates. Even the best business continuity plan is likely to be significantly challenged without dedicated employees willing and able to go above and beyond their normal responsibilities to help navigate the unique challenges a medical crisis can pose. Ensure those employees’ efforts are recognized and appreciated.

By removing—or simply reducing—your employees’ burden of sifting through an overwhelming and contradictory mountain of ‘intelligence,’ you enable them to focus on their roles and free them up to help meet the challenges to the organization.

COVID-19 scam

The Australian public is being warned against an SMS scam urging users to click on a link for Coronavirus testing locations. On Monday night, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) issued a High Alert Priority warning advising users to simply delete the text message and not click on any links. “The link in these text messages is not legitimate, and if clicked on, may install malicious software on your device, designed to steal your banking details,” the warning read. It came as the Australian Competition and Consumer Commission (ACCC)’s Scamwatch reported it had received multiple reports of coronavirus-themed scam texts from members of the public. The scam message reads: “You’ve received a new message regarding the COVID-19 safety line symptoms and when to get tested in your geographical area”, followed by a link which uses ‘covid19info’ as part of its domain name. Despite being grammatically challenged, the message uses words such as safety and tested, two keywords preying on people’s susceptibility to click on links for more information about a rapidly threatening pandemic. Ramping up The warnings come a week after users were warned to avoid scam emails along the same lines. Crispin Kerr, Australian Country Manager for cybersecurity firm Proofpoint said the company had observed a sharp increase in the number of coronavirus-related email scams, with bad actors sending out more than 200,000 emails at one time. “These emails are extremely well-crafted and use stolen branding to make it appear they are coming from a legitimate, trusted source,” Kerr said. “For example, we’ve seen cyber criminals pretending to be the ‘World Health Organisation’ and ‘Australia HealthCare,’ a fake but fully branded health organisation, to try and convince individuals to click through to a malicious link by offering advice on how to stay safe from the coronavirus. “The COVID-19 lures we’ve observed are truly social engineering at scale. “They know people are looking for safety information and are more likely to click on potentially malicious links or download attachments,” Kerr said. The ACSC says if you've received one of these messages and clicked on the link, contact your bank immediately. If you’ve been scammed out of money, report it to ReportCyber at www.cyber.gov.au/report.

CORONAVIRUS PHISHING ATTACKS

Cybercriminals are using concerns about the coronavirus to launch phishing attacks

Learn to identify and protect yourself against such attacks

What is Happening?

While COVID-19, or the novel coronavirus, is capturing attention around the world, cybercriminals are capitalizing on the public's desire to learn more about the outbreak. There are reports of phishing scams that attempt to steal personal information or to infect your devices with malware, and ads that peddle false information or scam products.

In one example, a phishing email that used the logo of the CDC Health Alert Network claimed to provide a list of local active infections. Recipients were instructed to click on a link in the email to access the list. Next, recipients were asked to enter their email login credentials, which were then stolen.

What Should You Do? If you are looking for information on the coronavirus, visit known reputable websites like the U.S. Center for Disease Control or the World Health Organization. Be on the lookout for phishing emails that may appear to come from a trusted source.

Tips: 

You can look at the sender’s details – specifically the part of the email address after the ‘@’ symbol – in the ‘From’ line to see if it looks legitimate.

Be wary of emails or phone calls offering unexpected or unprompted information.

Be aware of emails from unfamiliar sources that contain links or attachments. Do not click on these links, as they could be embedded with malware.

Although social media companies like Facebook are cracking down on ads spreading coronavirus conspiracies and fake cures, some ads may make it past their review process. Remember, it’s best to seek information on the disease from official sources like those mentioned above.

AUSTRALIA POST Email Scams

Australia Post has issued a warning to watch out for fake emails that claim a package of yours hasn’t been delivered because of a weight limit. The emails have subject lines like “unfortunately we have not been able to deliver your package” and prompt people who open the emails to click on a phishing link that directs them to a fake Australia Post website asking for personal and banking information. “Please note that Australia Post will never email or text message you asking for personal information, financial information or payment,” Australia Post said. “If you are in doubt about the authenticity of an email, text message, or phone call, please delete immediately or hang up.” The notification about email scams comes within days of Australia Post warning it had seen evidence of “cybercriminals” putting together “fake websites branded with the Post Billpay logo”. An example of the fraudulent websites provided by Australia Post includes many of the logos and artifacts as the legitimate Billpay web page, making it a believable fake at a cursory glance. The fraud is more evident when you notice the fake text boxes (asking for a card number, expiry date, and CCV) have mismatched sizes and there is strangely phrased “Payment For Delivery 3 AUD Fees to receive your package” above the Visa and Mastercard logos.

increased scam activity comes amidst a surge in Australia Post delivery requests as a result of people online shopping during the COVID-19 isolation period. Auspost reported a 90 percent increase in deliveries during April compared with the same time last year. As a result, the delivery organisation added 600 casual staff to help manage the load. Scams on the rise COVID-19 has led to a spike in the number of scams being perpetrated online. The Australian Cyber Security Centre (ACSC) said it received an average of two cybercrime reports per day between mid-March and late April and had responded to a further 20 incidents involving COVID-19 national suppliers or response services. Leaning on tech giants like Google and Microsoft, the ACSC has knocked down hundreds of malicious coronavirus-themed websites. Emails and SMS messages have also been regular attack vectors for scammers looking to take advantage of the global health crisis. Unveiling Telstra’s ‘Cleaner Pipes’ initiative this week, Telstra CEO Andrew Penn said the company was upgrading its DNS filtering and ability to block scam text messages. “If COVID-19 is forcing the pace and scale of innovation it is also underscoring the critical importance of cybersecurity,” Penn said. “In an era where staying at home means staying safe, staying safe, and secure online has also never been more important.” If you spot a scam you can report it to the ACCC’s Scamwatch and if you fear you have been a victim of identity theft, contact ID Care.

CYBER ATTACK HITS HOSPITALS IN VICTORIA

A sophisticated cyber attack has brought down the computer systems of several regional hospitals in Victoria.
The attack affected hospitals in the Gippsland Health Alliance, in the state's east and South West Alliance of Rural Health.
This includes hospitals in Warrnambool; Colac; Geelong; Warragul; Sale; and Bairnsdale; as well as a host of services in smaller towns.
According to Dr Nalin Asanka Gamagedara Arachchilage, Senior Research Fellow in Cyber Security at La Trobe University, the attack can be attributed to human vulnerabilities.
“This is a ransomware attack,” he said. “The ransomware attack shut down the entire hospital systems from patient records, booking, and management systems -- which may impact patient contacting and scheduling. Doctors will not be able to access to patients’ health records either.”
Although it is yet to be confirmed the type of attack and who was involved, the Department of Health and Human Services (DHHS) said the cyber incident was uncovered on Monday and the Victorian Cyber Incident Response Service has been deployed to block access to several systems by the infiltration of ransomware, including financial management.
“Hospitals have isolated and disconnected several systems such as the internet to quarantine the infection,” it stated. “The priority is to fix all affected systems and prevent any further compromise.”
According to DHHS, this isolation has led to the shutdown of some patient records, booking, and management systems, which may impact on patient contact and scheduling. Where practical, hospitals are reverting to manual systems to maintain their services.
West Gippsland Healthcare Group chief executive officer Dan Weeks said most of the local IT services are still functional including internal intranet communications, phone systems, public address systems, access to printers, and external websites.
Victoria’s Premier Office has confirmed Victoria Police and the Australian Cyber Security Centre are also on board to manage the incident and investigate the scope of the attack.
“A full review will take place to address what has occurred and identify what additional measures may be required to ensure hospitals have the best protection against cybersecurity incidents,” stated Premier Daniel Andrews.
Attack not exactly a surprise
The incident shouldn’t come as a surprise to the Victorian Government, as an inquiry into the Security of Patients’ Hospital Data by the Victorian Auditor-General’s Office, released in May 2019, found Victoria’s public health system to be highly vulnerable to cyberattacks.
According to the report, there were key weaknesses found in health services’ physical security and in their logical security – which covers password management and other user access controls.
“Staff awareness of data security is low, which increases the likelihood of success of social engineering techniques such as phishing of tailgating into corporate areas where ICT infrastructure and servers may be located,” stated the report.
“The audited health services are not proactive enough, and do not take a whole-of-hospital approach to security that recognises that protecting patient data is not just a task for their IT staff.”
Archilage told Information Age, it was “very clear” that cybercriminals are interested in “breaking into people’s mindset rather than breaking into systems straightway”.
“Cybercriminals usually launch a ransomware attack by locking the data on a victim’s computer -- typically by encryption,” he said. “Ransomware attacks normally occur through phishing links – which is the art of human hacking.”
“Prevention is better than the cure,” said Archilage. He urged organisations to back their data and follow the Australian Signals Directorate introduction of the top eight mitigation strategies to reduce cyber risk across the board of many enterprises as a baseline level of security.
Dane Meah, CEO of InfoTrust encouraged all businesses to implement email authentication controls, limiting the ability of cybercriminals to send spoofed emails.
“Unfortunately, when cybersecurity is not prioritised, it will take a major incident for people to sit up and realise a proactive approach is needed,” he said. “In a recent case, we saw an organisation lose close to $2m in cash. A data breach can be even worse.”
Meah believes there has been a paradigm shift where it’s expected that attacks like these will occur, however it’s how an organisation detects and responds to an incident that matters most. 
“I’m sure there’s more that could have been done to avoid this attack - hindsight is 20/20,” he said. “I’d encourage organisations concerned with being hit by ransomware to review the egress points that ransomware hits.”

AUSTRALIAN ANDROIDS BREACH

More than 100,000 Australian Android users have had their devices infected with malware that replaces popular apps with fake versions serving up advertising, with more than 25 million incidents around the world.
Israeli cybersecurity firm Check Point Research released a report last week detailing the “Agent Smith” malware which it detected earlier this year but was traced back to January 2016.
The app utilises a previously-known vulnerability in the Android operating system, disguising itself as a version of a popular app, including WhatsApp, and then serving up ads to the owner.
It does this by searching for legitimate apps on the device and replacing them with malware-infected versions.
The malware was downloaded from third-party app store 9Apps.com, not Google’s official Play store. 
After it was downloaded, the malware would then infect the innocent apps, which would display advertising out of context.
The infected apps were found to usually be a phone utility, game or adult-themed applications.
The malware was being used for financial gain by the hackers, who would receive money every time someone clicked on the advertising.
But Check Point Research said there are “endless possibilities” for the vulnerability to be exploited in much more serious ways, such as banking credential theft and eavesdropping.
“Due to its ability to hide its icon from the launcher and impersonate any popular existing apps on a device, there are endless possibilities for this sort of malware to harm a user’s device,” the report said.
More than 15 million of the infected devices were found to be India, with 141,000 in Australia, 300,000 in the US, and 137,000 in the UK.
Malware like this is typically focused on developing countries, making the spread of Agent Smith in the US, UK, and Australia even more concerning.
Android users should update their phones immediately and can search for the malicious apps by going to the Apps and Notifications section in Settings, tapping on the app information list, and searching for suspicious applications with names such as Google Updater, Google Installer for U, Google Powers and Google Installer.
These apps should be uninstalled.
“The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own,” Check Point Software Technologies head of mobile threat detection research Jonathan Shimonovich said.
“Combining advanced threat prevention and threat intelligence while adopting a ‘hygiene first’ approach to safeguard digital assets is the best protection against invasive mobile malware attacks like Agent Smith.
“In addition, users should only be downloading apps from trusted app stores to mitigate the risk of infection, as third party app stores often lack the security measures required to block adware loaded apps.”
There needs to be a more cohesive effort to combat threats like this, Check Point Research said.
“The Agent Smith campaign serves as a sharp reminder that effort from system developers alone is not enough to build a secure Android ecosystem,” the report said.
“It requires attention and action from system developers, device manufacturers, app developers, and users so that vulnerability fixes are patched, distributed, adapted and installed.”
The cybersecurity firm connected the malware to a Chinese internet company based in Guangzhou, with its front-end genuine business helping Chinese Android developers to publish and promote their apps on overseas platforms.
Agent Smith was also found to resemble previous malware found on Android devices, like Gooligan, Hummingbad, and CopyCat.
It also follows revelations last year that Android users were downloading malware-infested versions of the popular game Fortnite.
Android apps have also been found to automatically share user data with Facebook without the permission of users, according to a Privacy International report earlier this year.

FACEBOOK names in plain text

Hundreds of millions of Facebook user records were publicly displayed and accessible on Amazon servers in yet another major privacy incident for the social media giant.

Australian cybersecurity company UpGuard revealed the breach last week, finding records containing sensitive private information of Facebook users being stored on Amazon cloud servers without any protection, meaning they could be viewed and downloaded by anyone that found them.

The records were stored by two third-party Facebook apps and included comments, passwords, photos, names, and likes.

The largest dataset belongs to Mexico-based media company Cultura Colectiva, which was openly storing 540 million records, with access only closed after it was reported in the media.

The other app, called At The Pool, stored the passwords and emails of 22,000 users in plaintext.

“The data sets vary in when they were last updated, the data points present and the number of unique individuals in each,” UpGuard said in the post. “What ties them together is that they both contain data about Facebook users, describing their interests, relationships and interactions that were available to third-party developers.”

The passwords stored in the At The Pool dataset were for that specific app rather than for Facebook, but there is a significant risk that many users would have duplicated their passwords. The At The Pool parent company’s website has now been taken down. While the data was stored in its own Amazon S3 bucket, it was configured to allow for public downloads.

“This should offer little consolation to the app’s end users whose names, passwords, email addresses, Facebook IDs, and other details were openly exposed for an unknown period of time,” UpGuard said.
These third-party apps were previously able to easily access this sort of information from Facebook, until the company cracked down on this following the Cambridge Analytica scandal. An audit conducted by the tech company suspended hundreds of applications for mishandling user data.

“As these exposures show, the data genie cannot be put back in the bottle,” the cybersecurity researchers said. “Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continue to leak.”

UpGuard said it received no response from Cultura Colectiva when it notified the company of the breach, and Amazon also didn’t act to close access. The dataset was only secured after Facebook was notified of its existence at the start of this month, UpGuard said.

The At The Pool dataset was taken down during the cybersecurity firm’s investigation.

“These two situations speak to the inherent problem of mass information collection: the data doesn’t naturally go away, and a derelict storage location may or may not be given the attention it requires,” UpGuard said.

“For app developers on Facebook, part of the platform’s appeal is access to some slice of the data generated by and about Facebook users.

“In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security. The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform.”

The access to sensitive data that Facebook apps were given was put in the spotlight last year when it was revealed that political consulting firm Cambridge Analytica had harvested the data of millions of Facebook users without their consent, through an app offering a personality quiz.

It also comes just weeks after it was revealed that millions of Facebook passwords were being stored in plain text on the company’s own internal servers, accessible by employees.

New documents last month also showed that more than 100,000 Australians were caught up in another security breach last year, where Facebook user data on names, contact information and location were accessed.

Freedom of Information documents showed that up to 111,813 Australian Facebook users were impacted by this breach.

Alert:  Australia has been hacked

Australian businesses have been infiltrated by large-scale global cyberattacks instigated by China.

The attacks focused on managed service providers (MSPs), which remotely manage the IT infrastructure of organisations, and often hold sensitive information.

It follows the US announcement that it had indicted two Chinese nationals: Zhu Hua (朱华), aka Afwar, aka CVNX, aka Alayos, aka Godkiller; and Zhang Shilong (张士龙), aka Baobeilong, aka Zhang Jianguo, aka Atreexp, both members of hacking group Advanced Persistent Threat 10 (APT10).

APT10 acts on behalf of China’s intelligence and security agency, the Chinese Ministry of State Security.

It is believed the two men, who are on the FBI’s Wanted list, are currently in China.

The pair can now be arrested if they travel outside of China.

This morning, Australia joined the US in publicly condemning the attacks that have stolen intellectual property from businesses and government, with Senator the Hon Marise Payne, Minister for Foreign Affairs, and the Hon Peter Dutton, Minister for Home Affairs, expressing “serious concern”.

“The worldwide cybersecurity compromise serves as a reminder that all organisations must remain vigilant about security and that organisations such as MSPs must be responsible and accountable to those they serve,” they said in a joint statement.

In 2015, countries at the G20 Summit – including China – agreed to “refrain from cyber-enabled theft of intellectual property, trade secrets and confidential business information with the intent of obtaining a competitive advantage”.

Australia and China reaffirmed the agreement bilaterally just last year.

The US Department of Justice (DoJ) said “hundreds of gigabytes of sensitive data were secretly taken” by APT10 which had targeted a range of companies since 2006.

These companies spanned aviation, banking and finance, satellite and maritime technology, mining and gas exploration, and manufacturing to name a few.

FBI Director Christopher Wray described the list of companies, not named in the indictment, as a “Who’s Who” of the global economy.

“Healthy competition is good for the global economy. Criminal conduct is not. Rampant theft is not. Cheating is not,” Wray said at a press conference.

“China’s goal, simply put, is to replace the US as the world’s leading superpower, and they’re using illegal methods to get there. They’re using an expanding set of non-traditional and illegal methods,” Wray said.

“China’s state-sponsored actors are the most active perpetrators of state-sponsored espionage against us.” The DoJ echoed the sentiments.

“It is galling that American companies and government agencies spent years of research and countless dollars to develop their intellectual property, while the defendants simply stole it and got it for free,” said US Attorney Berman.

“As a nation, we cannot, and will not, allow such brazen thievery to go unchecked.

“No country should be able to flout the rule of law – so we’re going to keep calling out this behavior for what it is: illegal, unethical, and unfair.”

Earlier this year, Australian cybersecurity expert Charles Widdis warned of China attacking businesses to steal information relating to quality management systems and business processes.

“If you're a company doing business with other countries, you can expect that you're being hacked – because they want to know your negotiating position,” he told Information Age.

“I don’t think [business leaders] accept that there are people whose job it is – they get paid – to take your information. It’s an employee in a company that’s attacking you.

“It’s nothing personal, he doesn’t dislike you – it’s just a job. At the end of the day, he goes home, he’s got a family to feed. “It’s a real thing and it goes on.”

APT 10 used ‘spear phishing’ techniques to introduce malware onto targeted computers. The hackers sent emails that appeared to be from legitimate addresses but contained attachments that installed a program to secretly record all keystrokes on the machine, including user names and passwords.

The DoJ said NASA and the Department of Energy were victims, adding APT10 had compromised “more than 40 computers in order to steal sensitive data belonging to the Navy, including the names, Social Security numbers, dates of birth, salary information, personal phone numbers, and email addresses of more than 100,000 Navy personnel.”

The Australian government was less forthright, declining to name affected companies.

The Age named both IBM and SAP as being affected.

ACS President Yohan Ramasundara said the government had done the right thing in calling out the attacks.

“It is encouraging to see the Federal Government come out today and condemn the audacious and targeted Chinese attacks on MSPs that have occurred for more than a decade,” Ramasundara said.

“In a combined report released earlier this year, the Australian Strategic Policy Institute (ASPI) and ACS recommended governments use public attribution as a tool in deterring global cyber crime.

“Deploying improved messaging to both partners and adversaries, as well as creating consequences for actions, are also listed as key recommendations.

“Minister for Foreign Affairs, Senator the Hon Marise Payne, and Minister for Home Affairs, the Hon Peter Dutton MP, have led the way with their attribution of the Chinese cyber-enabled commercial intellectual property theft.”

Nigel Phair, Director of UNSW Canberra Cyber, agreed naming China was a step in the right direction, adding businesses need to be less lax about their cyber security.

“Organisations need to not take information security so lightly and think that it’s not going to happen to them,” he told Information Age.

“This is another wake-up call in a long line of wake-up calls.”

The Australian Cyber Security Centre (ACSC) has issued advice MSPs and their clients can use to limit their exposure and protect their information.
Copyright © Information Age, ACS

 

Related items