November 2024 cyber environment update

Ben Watson | SOC Analyst | 1 December 2024

Welcome to Fortian's November Monthly Cybersecurity Update.

This month, on the government and policy front, the Cyber Security Bill introduced just last month was passed by the Senate and will become law after receiving royal assent; Australia and the Philippines announced a joint cyber security boot camp; and the ASD published its annual cyber threat report.

As for the cyber threat environment, security vendors published reports identifying the year's biggest vulnerabilities; international law enforcement was busy disrupting cyber-crime; and a major weakness in a popular security product led to over 2000 breaches.

Finally, in Australia, Telstra, a nursing home and a university were reportedly among the latest organisations to fall victim to cyber-attacks.

Australian government and policy developments

The Australian Signals Directorate (ASD) published its Annual 2023-2024 Cyber Threat Report. The report (which has enough content for its own, lengthy blog post) called out a number of interesting points:

  • Nation-state cyber threats. State-sponsored cyber actors are relentlessly targeting critical infrastructure, such as energy, healthcare, and telecommunications, using sophisticated methods like zero-day exploits and custom malware. These attacks aim to compromise national security, disrupt essential services, and achieve geopolitical goals. The report highlights the vulnerability of essential services and the necessity of public-private collaboration to defend against these advanced threats. Specifically, the Australian government, along with Five Eyes partners, called out Chinese state-sponsored actors who are seeking to pre-position themselves in critical infrastructure and to use that access for disruption in the event of a crisis or conflict.
  • Cybercrime continues to escalate, with ransomware and business email compromise (BEC) among the most pervasive and damaging threats. Ransomware attacks have become more targeted, focusing on critical infrastructure, small-to-medium enterprises, and healthcare providers, often leading to operational disruptions and significant financial losses. Attackers use double extortion tactics, not only encrypting data but also threatening to leak sensitive information if ransoms are not paid.
  • The rise of artificial intelligence (AI) has introduced new dimensions to both cyber threats and defences. On one hand, AI empowers cybercriminals to enhance the scale and sophistication of their attacks. AI-driven tools are used to automate phishing campaigns, create highly convincing deepfakes for business email compromise (BEC) scams, and identify vulnerabilities in systems more efficiently. Conversely, AI plays a pivotal role in strengthening cybersecurity, enabling organisations to detect anomalies, predict threats, and respond to incidents in real time.

On a separate note, to bolster critical technology defences in the South Pacific, Australia and the Philippines announced a joint cyber boot camp consisting of war games and security awareness training; and the government added 46 new assets to the register of Assets of National Significance, a non-public list of organisations which are subject to critical infrastructure regulation in Australia.

Finally, the government's cyber security legislative package introduced last month was recommended by the Parliamentary Joint Committee on Intelligence and Security (the Committee) for 'urgent' approval and the Cyber Security Bill was subsequently passed.

  • The Committee based its recommendation on the fact the bills were key components of the 2023-2030 Cyber Security Strategy.
  • Once the Cyber Security Bill receives royal assent, private organisations with annual revenue over AUD 3 million will be legally required to report any ransomware payments made to a designated Commonwealth body.
  • The passing of the Cyber Security Bill came only 5 days after being recommended for urgent approval and it will be interesting to see if the government also responds to the caveats attached to the recommendation, including making reporting requirements easier to follow.

Australian cyber threat environment

In Australia, the Western Sydney University suffered a breach and 1.5TB of data was allegedly stolen from the Australian Nursing Home Foundation.

  • Hackers allegedly breached the Western Sydney University's student management system and data warehouse after compromising an IT account in August and managed to steal student personal information and admission and enrolment data. This is the third breach of the Western Sydney University this year, potentially raising concerns about the organisation's security as well as showing the threat actor's willingness to re-victimise previous targets.
  • Details on the breach of the Australian Nursing Home Foundation are limited; however, ransomware operator Abyss claimed to have stolen 1.5TB of data. Previously, the ransomware operator has used double extortion against victims, stealing data and encrypting files to maximise the likelihood of victims paying.

A threat actor has reportedly listed data purportedly belonging to over 47,000 Telstra employees for sale on a hacking forum. The sample data includes names, email addresses, physical addresses, and possibly other details. Preliminary investigations suggest that some of this information corresponds to actual Telstra staff. Telstra has confirmed the breach and is investigating.

Other Australian cyber attacks in November allegedly included mortgage broker Finsure (loss of 300,000 email addresses via a third party provider) and Snow Brand Australia (ransomware).

International cyber threat environment

The US Cybersecurity and Infrastructure Security Agency (CISA) released their list of top routinely exploited vulnerabilities in 2023 and threat modelling platform MITRE identified the top 25 most dangerous software weaknesses from 2024. Key insights drawn from both reports include:

  • Proactive Vulnerability Management is Essential. Both reports stress the importance of addressing vulnerabilities quickly, especially widely exploited ones like improper input validation and buffer overflows. Many attacks exploit known weaknesses due to delayed patching or neglect. Actions: Adopt a prioritised, automated patch management system to mitigate critical risks promptly and reduce exposure to attackers.
  • Zero-Day Exploits Are Rising. Attackers increasingly exploit zero-day vulnerabilities to breach systems before fixes are available. This trend underscores the need for robust detection and mitigation mechanisms. Actions: Invest in advanced threat detection, participate in threat intelligence-sharing initiatives, and use tools that can identify unusual behaviours indicative of zero-day exploitation.
  • Secure Coding Practices are Foundational. Many vulnerabilities originate from common coding weaknesses like improper input handling and memory safety errors. These flaws are easy to exploit and remain prevalent due to insufficient focus on secure software development. Actions: Integrate secure development practices (e.g., input validation, memory safety checks) and conduct regular code reviews and testing to address weaknesses at the source.
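To make the "improper input handling" and "buffer overflow" weakness classes named in the two reports concrete, the following is an added illustration (not code from the CISA or MITRE reports, and not from any product mentioned on this page). It puts an unbounded string copy, the classic buffer overflow pattern, next to a hardened version of the same function that bounds the read, rejects input that will not fit, and allow-lists the characters it accepts. The buffer size, the allowed character set and the sample inputs are all assumptions chosen for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed size of the destination buffer for this example. */
#define NAME_MAX 16

/*
 * Weak pattern: the classic buffer overflow. strcpy() copies until it
 * finds a NUL terminator in src and never looks at how large dst is, so
 * any input of NAME_MAX or more characters writes past the end of dst.
 * Shown for contrast only; nothing below calls it with oversized input.
 */
void copy_name_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/*
 * Hardened form of the same operation. It
 *   1. bounds the scan of src so an unterminated input cannot be read past
 *      NAME_MAX bytes (memchr is standard C; strnlen is POSIX-only),
 *   2. rejects anything that would not fit together with its terminator,
 *   3. validates the content against an allow-list rather than trying to
 *      deny-list "bad" characters, and
 *   4. writes the terminator explicitly.
 * Returns 0 on success and -1 when the input is rejected; dst is left
 * untouched on rejection so the caller never sees a half-written value.
 */
int copy_name_safe(char dst[NAME_MAX], const char *src)
{
    const char *end = memchr(src, '\0', NAME_MAX);
    if (end == NULL) {
        return -1;              /* no terminator within NAME_MAX: too long */
    }
    size_t len = (size_t)(end - src);
    if (len == 0 || len >= NAME_MAX) {
        return -1;              /* empty, or no room for the '\0' */
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!isalnum(c) && c != '-' && c != '_') {
            return -1;          /* outside the allow-list */
        }
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/*
 * Runs the hardened copy over a set of constructed inputs and returns how
 * many were rejected, so the behaviour can be checked without printing.
 */
int count_rejected(const char *const *inputs, size_t n)
{
    char buf[NAME_MAX];
    int rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if (copy_name_safe(buf, inputs[i]) != 0) {
            rejected++;
        }
    }
    return rejected;
}

int main(void)
{
    /* Constructed sample inputs: two valid names, an overlong one, and
       one carrying shell metacharacters that the allow-list rejects. */
    const char *const samples[] = {
        "alice-01",
        "bob_2",
        "this_name_is_far_too_long_for_the_buffer",
        "eve;rm -rf /",
    };
    size_t n = sizeof samples / sizeof samples[0];
    char buf[NAME_MAX];

    for (size_t i = 0; i < n; i++) {
        int rc = copy_name_safe(buf, samples[i]);
        printf("%-42s -> %s\n", samples[i],
               rc == 0 ? buf : "rejected");
    }
    printf("%d of %zu inputs rejected\n", count_rejected(samples, n), n);
    return 0;
}
```

The point of the contrast is that the hardened version does not rely on the caller having pre-validated anything: every guarantee it needs (terminated, fits, well-formed) is checked at the boundary where untrusted data enters, which is the "address weaknesses at the source" practice the reports recommend.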

Following North Korea's deployment of troops to Russia in support of its war against Ukraine, South Korea has experienced an uptick in cyberattacks attributed to pro-Russian hacking groups. These attacks, primarily distributed denial-of-service (DDoS) assaults, have targeted both government and private sector websites, causing temporary outages but no significant damage. In response, South Korea's presidential office convened an emergency meeting to strengthen cybersecurity measures and enhance preparedness against such threats.

Law enforcement made sizable inroads into the disruption of cybercriminal groups around the world:

  • In the United States, law enforcement laid charges against 5 suspected members of threat group Scattered Spider; indicted 2 individuals suspected of being responsible for hacking Snowflake data storage accounts; sentenced two hackers to 5 and 10 years in prison for their crimes; and seized cybercrime marketplace PopeyeTools.
  • International law enforcement agencies were also busy: a website responsible for distributed-denial-of-service attacks in Germany was taken down; and Interpol announced the completion of an operation which took down over 1000 servers and 2000 IP addresses used for cyber-crime spanning 95 countries and resulting in 41 arrests of those linked to various crimes.

Two vulnerabilities in Palo Alto firewalls led to over 2000 firewalls being hacked.

  • Researchers reported they were moderately confident a functional exploit existed to chain the two vulnerabilities together and allow a hacker to run commands on breached firewalls with administrator privileges.
  • These vulnerabilities come only 6 months after Palo Alto's last 10/10 critical vulnerability CVE-2024-3400 and highlight a concerning trend of vulnerabilities in security software being responsible for breaches.
  • This emphasises the importance of ensuring security products are scanned for vulnerabilities as rigorously as any other assets in your network.