#NSBCS.052 - ASD’s Annual Cyber Threat Report 2023-2024: Insights & Actions

Source: NSB Cyber


ASD’s Annual Cyber Threat Report 2023-2024: Insights & Actions

The ASD released its 2023–24 Annual Cyber Threat Report, providing critical insights into the evolving cyber threat landscape in Australia. The report highlights the persistent and disruptive nature of cybercrime, noting that new technologies such as AI reduce the level of sophistication cybercriminals need to operate, and that state-sponsored cyber actors continue to target Australian governments, critical infrastructure and businesses.

Key findings:

  • Cybercrime Reporting: The ASD received over 87,400 cybercrime reports, averaging one every six minutes. While this represents a 7% decrease from the previous year, the volume remains significant. For individuals, identity fraud, online shopping fraud, and banking fraud were predominant. Businesses faced challenges primarily from email compromise and business email fraud.

  • Cost of Cybercrime: Small businesses experienced an 8% increase in costs, averaging $49,600 per report. In contrast, medium and large businesses reported reductions in losses, indicating varying impacts across business sizes.

  • Ransomware: Ransomware incidents accounted for 11% of reported cyber security incidents, marking a 3% increase from the previous year. Threat actors frequently employed data theft extortion and email fraud as significant tactics.

  • Vulnerabilities: There was a 31% increase in publicly reported vulnerabilities, underscoring the growing need for vigilant vulnerability management.

Recommendations:

To combat cyber threats, the ASD recommends individuals practise good cyber hygiene such as:

  • Enable multi-factor authentication (MFA) on all accounts, especially for sensitive services like banking and email.

  • Use long, unique passphrases that combine letters, numbers, and symbols for each account.

  • Ensure automatic updates are turned on and install new updates promptly to address vulnerabilities.

  • Regularly back up important files and device settings to external drives or secure cloud services.

  • Stay vigilant against phishing and scams by scrutinising unsolicited communications and avoiding suspicious links.

  • Sign up for ASD's free alert service to stay informed about emerging threats.

  • Report cybercrimes, cyber security incidents, and vulnerabilities through the ReportCyber platform at cyber.gov.au.

What do these recommendations mean for your organisation?

The ASD emphasises that critical infrastructure organisations should adopt a proactive stance, operating under the assumption that cyber security incidents are a matter of 'when' rather than 'if'. Developing and regularly testing an effective cyber security incident response plan is crucial to minimise disruption and ensure swift recovery. Cyber security requires continuous vigilance and adaptation; organisations must be prepared to respond promptly to evolving threats, embodying the principle of taking #NoStepsBackward.


What we read this week

  • DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials - The DEEPDATA malware, developed by the threat actor BrazenBamboo, exploits an unpatched vulnerability in Fortinet's FortiClient for Windows to extract virtual private network (VPN) credentials. This modular post-exploitation tool gathers extensive information from compromised Windows systems, including data from communication platforms like WhatsApp, Telegram, and Signal. Researchers at Volexity discovered that DEEPDATA uses a dynamic-link library (DLL) loader to decrypt and launch multiple plugins, one of which specifically targets FortiClient to capture VPN credentials. Despite Volexity reporting the flaw to Fortinet in July 2024, the vulnerability remains unpatched. This situation underscores the critical need for organisations to monitor and update their security measures to protect against such sophisticated cyber threats.

  • Linux Variant of Helldown Ransomware Targets VMware ESXi Systems - The Helldown ransomware group has introduced a Linux variant targeting VMware ESXi servers, compromising organisations across various sectors. Since its emergence in August, Helldown has claimed 31 victims, many based in the United States. Researchers at Sekoia suggest that the attackers may be exploiting undocumented vulnerabilities in Zyxel firewalls, which were used as IPsec VPN access points by several victims. Notably, Zyxel had previously addressed multiple vulnerabilities in its firewalls following a breach by Helldown in August, during which 250GB of data was leaked. The Helldown group's effective use of potentially undocumented vulnerabilities underscores the importance of promptly patching known flaws and monitoring for unusual activity, especially in virtualised environments.

  • New Ghost Tap attack abuses NFC mobile payments to steal money - Cybercriminals have developed a method called 'Ghost Tap' to exploit near field communication (NFC) mobile payment systems like Apple Pay and Google Pay, enabling unauthorised transactions by relaying stolen card data to money mules globally. Unlike previous attacks, Ghost Tap doesn't require physical access to the victim's card or device and operates without continuous victim interaction, making detection more challenging. The attack begins by stealing payment card details and intercepting one-time passwords (OTPs) necessary for enrolling cards into virtual wallets. Once enrolled, attackers can perform transactions remotely, with money mules using the virtual cards at Point of Sale (PoS) terminals worldwide. Security firm Threat Fabric has observed a recent increase in the use of this tactic, highlighting the evolving threats to mobile payment systems.

  • Windows Zero-Day Exploited by Russia Triggered With File Drag-and-Drop, Delete Actions - A recently patched Windows zero-day vulnerability, identified as CVE-2024-43451, has been exploited by suspected Russian threat actors targeting Ukrainian entities. This medium-severity flaw affects the MSHTML engine, which is utilised by applications operating in Internet Explorer mode, making them susceptible to security issues within the component. Exploitation can occur through minimal user interactions, such as deleting, right-clicking, or dragging and dropping a malicious file, leading to the theft of NTLMv2 hashes and enabling pass-the-hash attacks. The attackers employed phishing emails from a compromised Ukrainian government server, directing victims to malicious ZIP files containing a PDF and a URL file designed to exploit this and other vulnerabilities.

  • Critical WordPress Plug-in Flaw Exposes 4M Sites to Takeover - A critical vulnerability in the "Really Simple Security" WordPress plugin, affecting versions 9.0.0 to 9.1.1.1, has exposed over 4 million websites to potential administrative takeover. Discovered by Wordfence researchers, the flaw allows attackers to bypass authentication and gain access to any account, including administrator accounts, when two-factor authentication (2FA) is enabled. The issue stems from improper error handling in the plugin's REST API, particularly within the "check_login_and_get_user" function. Upon notification, the plugin's developers released a patched version, 9.1.2, on November 12, 2024, and subsequently initiated a forced update for all users. Administrators are advised to verify that their sites have been updated to the latest version to mitigate this significant security risk.
