#NSBCS.017 - The Responsibility Within: Prioritising Domestic Cybersecurity for a Safer Australia


Source: NSB Cyber


The Responsibility Within: Prioritising Domestic Cybersecurity for a Safer Australia

Australia's growing dependence on social media platforms such as TikTok, owned by the Chinese company ByteDance, raises concerns about how user data is collected and who overseas can access it. Those concerns are valid, but it is crucial to acknowledge the equally pressing data security problems within our own borders. Most notably, the recent revelation that more than 11,000 cyber incidents have been linked to the 2022 Medibank data breach is a stark reminder of the very real dangers posed by malicious actors operating right here in Australia.

Victoria Police, through Operation Guardian, has identified more than 11,000 cyber incidents linked directly to the Medibank data breach (Reference). Operation Guardian brings together the Australian Federal Police (AFP), state and territory police forces, the Australian Cyber Security Centre (ACSC), banking associations and identity protection organisations. It was originally launched in response to the Optus data breach and has since grown to encompass the Medibank incident.

Operation Guardian works by matching Personally Identifiable Information (PII) stolen in the Medibank breach against reports submitted to ReportCyber, Australia's national online portal for reporting cybercrime. A match indicates where the stolen data may be being misused.

The specific nature of the 11,000 incidents linked to the 2022 Medibank breach has not been made public. They could involve:

  • Identity Theft: Criminals attempting to use stolen personal information to open new accounts, obtain credit cards, or impersonate victims for financial gain.

  • Phishing Attacks: Malicious actors using stolen data to personalise phishing emails, tricking individuals into revealing additional sensitive information.

  • Social Engineering: Stolen data can be used for targeted spam campaigns or social engineering attempts to manipulate victims into disclosing sensitive details.

While the investigation progresses, here's what individuals who were Medibank customers in 2022 can do to protect themselves:

  • Monitor Financial Statements and Credit Reports: Closely monitor bank accounts and credit card statements for any unauthorised activity. Consider requesting a free credit report to identify any suspicious inquiries or accounts opened in your name.

  • Be Wary of Unsolicited Communication: Remain cautious of unsolicited emails, calls or messages claiming to be from Medibank or other institutions. Don't click on suspicious links or attachments, and never share personal information unless you can confirm the request is legitimate, for example by contacting the organisation through a phone number or website you already hold rather than one supplied in the message.

  • Use Strong Passwords and Enable MFA: Use a strong, unique password for every online account, especially those holding sensitive information, and enable Multi-Factor Authentication (MFA) wherever it is offered. Unique passwords matter because credentials leaked in one breach are routinely replayed against other services, so a password reused from a breached site is effectively already known to attackers.

By following these recommendations and staying vigilant, individuals, and Australia as a whole, can minimise the risks that flow from the Medibank data breach. The Australian authorities' investigation into the linked cyber incidents underscores the importance of robust data security practices and highlights the ongoing challenge of containing the fallout from large-scale data breaches. Bolstering domestic data security practices and holding local companies accountable for safeguarding the information they hold should be the top priority. International data concerns can certainly be addressed, but for now efforts should be concentrated on fortifying defences against the threats that are actively harming Australians and their personal information. By prioritising domestic data security, organisations and individuals can take #NoStepsBackward and create a more secure digital landscape for Australia.



What we read this week

  • Switzerland: Play ransomware leaked 65,000 government documents - The National Cyber Security Centre (NCSC) of Switzerland released a report analysing a data breach following a ransomware attack on Xplain, a technology and software solutions provider for various government departments. The attack, perpetrated by the Play ransomware gang in May 2023, resulted in the leak of approximately 65,000 government documents. The investigation into the leaked data is ongoing due to the large volume and unstructured nature of the files. Swiss authorities are prioritising identifying documents relevant to the Federal Administration. Out of roughly 1.3 million files published by Play ransomware, about 5% (around 65,000 documents) are relevant to the Swiss government.

  • Password pirates are after PetSmart accounts - PetSmart, a leading retailer of pet supplies and services in the United States, is taking proactive steps to protect its customers after detecting an increase in password-guessing attacks against its website, petsmart.com. Internal security tools identified a rise in credential stuffing attempts, in which attackers replay usernames and passwords stolen in other breaches to try to gain unauthorised access to PetSmart accounts. While there is no evidence that any systems were compromised, PetSmart deactivated potentially impacted accounts as a precaution, and affected customers received a notification prompting them to reset their passwords.

  • Raft of Australian companies compromised in hosting service hack - A recent attack by the Black Basta ransomware gang on a cloud-based hosting service has compromised the data of nearly a dozen Australian companies. The attackers have publicly posted dozens of Australian passports and driver's licences, most likely obtained from the breached systems. Black Basta claims to hold about 700 gigabytes of data, including account details and financial data, and has since published all of the data it claims to have exfiltrated on its leak site.

  • Critical TeamCity flaw now widely exploited to create admin accounts - Security alerts report that a critical vulnerability tracked as CVE-2024-27198 is being actively exploited in JetBrains' TeamCity on-premises software. The flaw sits in TeamCity's authentication process and allows attackers to bypass authentication, then create new administrator accounts or generate administrator access tokens, giving them full control over the server, including remote code execution. LeakIX, a search engine for exposed services and their vulnerabilities, estimates that more than 1,700 TeamCity servers remain unpatched, primarily located in Germany, the United States and Russia. Beyond patching, administrators of affected servers should audit for administrator accounts and access tokens they did not create, since those are the artefacts this exploitation leaves behind.

  • Microsoft Confirms Russian Hackers Stole Source Code, Some Customer Secrets - Microsoft confirmed that a Kremlin-backed threat actor group known as Midnight Blizzard (APT29) gained unauthorised access to some of their internal systems and source code repositories. This attack came to light in January 2024, and Microsoft has been investigating its extent ever since. While the specific details of the initial compromise haven't been disclosed, Microsoft acknowledges that the attackers leveraged information stolen from corporate email systems earlier in January, and this likely played a role in gaining unauthorised access to internal systems. Microsoft emphasises that, as of now, they haven't found evidence that customer-facing systems were compromised during this attack, however, the investigation is ongoing.
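The PetSmart item above describes credential stuffing being picked out from ordinary failed logins. The following is an added example, not PetSmart's or any vendor's tooling, of how that distinction can be made from authentication logs: credential stuffing spreads a small number of failures across many distinct accounts, whereas brute force hammers one account, and a user who mistyped a password produces only a handful of failures. The log format ("timestamp source-ip username OK|FAIL"), the sample lines and the thresholds are all constructed for illustration.

```python
"""Credential-stuffing triage over web login logs.

Added example, not PetSmart's or any vendor's tooling. It reads a
constructed, hypothetical log format ("<timestamp> <source-ip> <username>
<OK|FAIL>") and separates three patterns by how failures are spread:

  credential stuffing  one source, many distinct usernames, ~1 failure each
  brute force          one source, one username, many failures
  normal               few failures, e.g. a user mistyping a password

For a flagged source it also lists the accounts to act on: every account
the source touched is "potentially impacted", and any it actually logged
into is a likely takeover (the reset-password action described above).
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed sample lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
2024-03-08T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-03-08T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-03-08T10:00:03Z 203.0.113.7 carol@example.com FAIL
2024-03-08T10:00:04Z 203.0.113.7 dave@example.com FAIL
2024-03-08T10:00:05Z 203.0.113.7 erin@example.com FAIL
2024-03-08T10:00:06Z 203.0.113.7 frank@example.com OK
2024-03-08T10:01:00Z 198.51.100.9 grace@example.com FAIL
2024-03-08T10:01:01Z 198.51.100.9 grace@example.com FAIL
2024-03-08T10:01:02Z 198.51.100.9 grace@example.com FAIL
2024-03-08T10:01:03Z 198.51.100.9 grace@example.com FAIL
2024-03-08T10:01:04Z 198.51.100.9 grace@example.com FAIL
2024-03-08T10:01:05Z 198.51.100.9 grace@example.com FAIL
2024-03-08T10:02:00Z 192.0.2.5 henry@example.com FAIL
2024-03-08T10:02:07Z 192.0.2.5 henry@example.com OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    failures: int = 0
    failed_users: set = field(default_factory=set)
    touched_users: set = field(default_factory=set)
    logged_in_users: set = field(default_factory=set)


def parse(text):
    """Aggregate per-source counters; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["ip"]]
        user = m["user"].lower()
        s.touched_users.add(user)
        if m["result"] == "FAIL":
            s.failures += 1
            s.failed_users.add(user)
        else:
            s.logged_in_users.add(user)
    return stats


def classify(s, min_failures=5, stuffing_ratio=0.8):
    """Verdict from the failure count and its spread across usernames.

    distinct-failed-users / failures near 1.0 means one try per account
    (stuffing); near 0 means one account hammered (brute force). The
    thresholds are illustrative assumptions; tune them to your traffic.
    """
    if s.failures < min_failures:
        return "normal"
    spread = len(s.failed_users) / s.failures
    if spread >= stuffing_ratio:
        return "credential_stuffing"
    if len(s.failed_users) == 1:
        return "brute_force"
    return "suspicious"


def triage(text, **thresholds):
    """Map each source IP to its verdict plus the accounts to act on."""
    report = {}
    for ip, s in parse(text).items():
        verdict = classify(s, **thresholds)
        report[ip] = {
            "verdict": verdict,
            "failures": s.failures,
            # Accounts to force a password reset on, as PetSmart did.
            "potentially_impacted": sorted(s.touched_users) if verdict != "normal" else [],
            # A success from a stuffing source is the account that was taken over.
            "likely_takeover": sorted(s.logged_in_users) if verdict == "credential_stuffing" else [],
        }
    return report


if __name__ == "__main__":
    for ip, row in triage(SAMPLE_LOG).items():
        print(ip, row)
```

The spread ratio is the whole trick: a stuffing source fails once per account because it has one leaked password per account, so distinct failed usernames track the failure count almost one to one, while a brute-force source shows a single username no matter how many failures it racks up. In production the same counters would be keyed per source over a sliding window rather than over a whole file, and proxied or rotating-IP campaigns would need an additional key such as an ASN or a client fingerprint.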

References
https://www.bleepingcomputer.com/news/security/switzerland-play-ransomware-leaked-65-000-government-documents/
https://cybernews.com/news/password-pirates-after-petsmart-accounts/
https://www.cyberdaily.au/security/10276-raft-of-australian-companies-compromised-in-hosting-service-hack
https://www.bleepingcomputer.com/news/security/critical-teamcity-flaw-now-widely-exploited-to-create-admin-accounts/
https://thehackernews.com/2024/03/microsoft-confirms-russian-hackers.html