October 2024 Cyber Environment Update

Ben Watson | SOC Analyst | 1 November 2024

Welcome to Fortian's Monthly Cybersecurity Update!

Cybersecurity is a dynamic and rapidly evolving field, with new challenges and developments constantly emerging. In each monthly edition, we focus on the critical cybersecurity issues impacting Australians and Australian businesses, highlighting prominent threats, emerging challenges, and essential regulatory and policy developments to keep you informed and prepared.

October was cybersecurity awareness month, offering a valuable opportunity for cyber teams to improve awareness within their organisations.

On the policy front, this month, the Australian government took some big steps to protect Australia from cyber threats. Significant cybersecurity legislative measures were introduced into parliament, including the Cyber Security Bill.

Overseas, all eyes are on the US election, including any cyber related attacks or influence operations. In addition, there were several significant cyber attacks against international corporations and not-for-profits alike.

Closer to home, the Australian Signals Directorate (ASD) warned critical infrastructure businesses of a new attack campaign from Iranian threat actors, and the Australian Department of Foreign Affairs and Trade (DFAT) warned Australian businesses of a North Korean scheme to send IT workers to infiltrate Western businesses. Cyber-attacks against Australian organisations continued to occur, with a number of Australian businesses being listed on new ransomware operator Sarcoma's breach page.

Finally, it's worth noting that November is one of the busiest months for Australian cybersecurity professionals, with two major conferences on the horizon. The 2024 Cloud Security Alliance (CSA) Australia Summit (proudly sponsored by Fortian) will be held on 15 November in Sydney, and the Australian Information Security Association (AISA)'s CyberCon will be held from 26-28 November in Melbourne.

We look forward to seeing you there!

Geopolitics and cyber

US election influence operations

With only a few days until the US election on 5 November, all eyes are on US democratic systems and processes and their resilience to cyber attacks and influence. Broadly, concerns are threefold (and interconnected):

  1. The exposure of US election infrastructure to cyber-attack. While the US FBI and CISA do not believe that the integrity of US election infrastructure (such as voting machines) has been compromised, they remain, as expected, highly vigilant to ongoing threats.
  2. Online influence and disinformation campaigns. Unsurprisingly, reporting indicates that Chinese, Russian and Iranian actors are stepping up their online influence operations, each with a reportedly slightly different focus: Russia seeking to undermine the Harris/Walz campaign along with confidence in election processes, Iran focusing on undermining support for Israel, and China on discrediting candidates with anti-China policies. This activity is enhanced by generative AI-enabled tools, which have made it far easier for these actors to develop sophisticated content that is harder to detect and filter out.
  3. Cyber-attacks targeting US political figures and political parties, with a view to discrediting those candidates and sowing disorder ahead of the election. Chinese hackers were reported to have targeted and collected audio from the phone calls of US political figures, and Iranian hackers sent hacked Trump campaign emails to Democratic party members.

US China technology decoupling

In October 2024, the trend of US-China technology decoupling continued to evolve as each country implemented diverging economic security measures aimed at ensuring technological sovereignty. In the latest series of volleys, a Chinese industry group, the Cybersecurity Association of China (CSAC), accused Intel of backdooring its chips, claiming its products pose serious risks to national security. In the US, the Commerce Department proposed a rule that would prohibit the import or sale of connected car technology made by a manufacturer with a nexus to China or Russia, and released a rule that blocks US investments into the semiconductor, quantum and AI sectors where they would help China support its military modernisation.

Australian cyber policy developments

October was a momentous month in Australian cyber policy as the government introduced the nation's first cyber security-focused bill. The bill is a major step towards delivering Australia's 2023-2030 Cyber Security Strategy, putting in place four measures: three to facilitate no-fault threat intelligence sharing between the public and private sectors, and a framework to ensure smart devices are secure by design.

  1. The first measure of the Cyber Security Bill 2024 would mandate the reporting of ransomware payments within 72 hours of payment by private, non-critical infrastructure organisations with annual revenue of more than $3 million. The government originally sought to ban ransomware payments last year but stepped back from this position following feedback from industry that there was insufficient government support and resources for businesses to make such a position tenable. By mandating the reporting of ransomware payments, the government is seeking to crystallise its picture of how much ransomware impacts Australian businesses, possibly with a view to banning ransomware payments in the future.
  2. The second measure establishes a limited use obligation for information provided during a cyber security incident. This ensures information disclosed in the process of managing an incident cannot be used as evidence in enforcement or civil proceedings. By limiting the use of this information, the Bill encourages businesses to engage with the government quickly and transparently during a cyber security incident without fear of repercussion, which will in turn help the government gain insights from cyber security incidents.
  3. The third measure would establish a Cyber Incident Review Board, an independent advisory body to conduct no-fault post-incident reviews of significant cyber security incidents. The Optus, Medibank and MediSecure breaches were given as examples of applicable significant cyber security incidents. These incidents have a wide-ranging impact on everyday Australians, so it is important the government can analyse the breaches without restraint to collect threat intelligence and prevent similar breaches occurring in the future.
  4. Finally, the Cyber Security Bill 2024 would give regulatory bodies the authority to mandate security standards for smart devices. Presently, smart devices are not subject to mandatory cyber security standards but are present in over five million Australian homes. This authority would assist the government towards achieving Shields One and Two of the Australian Cyber Security Strategy 2023-2030: Strong Businesses and Citizens, and Safe Technology.

The bill is currently before the Parliamentary Joint Committee on Intelligence and Security, with public submissions on the draft legislation having closed on Friday, 25 October 2024.

Australian cyber threat environment

In October, threat actors continued to demonstrate that they will target businesses regardless of size, with both critical infrastructure operators and small-to-medium Australian businesses under fire.

The Australian Signals Directorate (ASD) published a joint advisory with American and Canadian intelligence agencies warning of Iranian threat actors targeting critical infrastructure organisations.

Three Australian organisations were listed as victims on the website of a new ransomware operator, Sarcoma, in October: fresh produce wholesaler Perfection Fresh, plastic bag manufacturer the Plastic Bag Company and logistics firm Road Distribution Services. The three companies were listed alongside 27 other organisations in the ransomware operator's first post to the dark web. Perfection Fresh confirmed the breach and obtained an injunction to prevent any access, dissemination or publication of the disclosed data by any third party.

Lastly, the Australian Department of Foreign Affairs and Trade published an advisory on the Democratic People's Republic of Korea's (DPRK) scheme to send thousands of highly skilled IT workers overseas to infiltrate companies and send money back to fund the DPRK's weapons program.

International cyber threat environment

In the US, a Chinese state-sponsored hacking group, Salt Typhoon, reportedly targeted the networks of major US telecommunications companies such as Verizon, AT&T and Lumen, with a view to gaining access to sensitive information from court-authorised wiretapping systems, which US law enforcement uses (lawfully) to intercept communications.

The Internet Archive, a non-profit digital library that preserves internet content for public access, experienced a major cyberattack. Hackers accessed the usernames, email addresses and hashed passwords of about 31 million users. Following this, the site suffered a Distributed Denial of Service (DDoS) attack and a defacement, in which a message taunted users about the Archive's vulnerabilities.

Russian hacking group IntelBroker breached Cisco's DevHub environment, a resource centre that provides access to source code, scripts and other tools for community and customer use.
