Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
Many businesses now have only 12 hours to report a cyberattack
Businesses across Australia must now report cyber incidents within 12 hours. The 8 July amendment to the Critical Infrastructure Bill means organisations in “critical asset classes” – which now includes sectors such as education, broadcasting, food and transport – have to report serious incidents within 12 hours of discovery or risk a minimum $11,100 fine.
The 12-hour limit applies to critical incidents such as ransomware attacks, with more minor incidents needing to be reported within 72 hours. The amendment represents a significant broadening of the act, which initially only covered gas, electricity, water and ports. Some analysts fear that many smaller businesses will be caught out by the amendment, which also includes provision for the Australian Signals Directorate to intervene in the most serious incidents. While the move may be disruptive for some organisations, it reflects the real and growing risk of attacks such as ransomware, with state-sponsored actors in particular eager to strike at critical infrastructure.
Hacker downloads almost 50,000 Deakin students’ data
The contact details – and recent academic results – of 46,980 students at Victoria’s Deakin University have been accessed by a hacker. The attacker obtained a staff member’s username and password from a third-party provider, and went on to launch a text-based phishing attack.
The attacker obtained names, student IDs, mobile numbers, email addresses and academic comments in the incident, which was discovered on 10 July. The hacker subsequently sent almost 10,000 students a text message claiming they needed to pay a customs fee on a parcel. Deakin is working with the Office of the Victorian Information Commissioner and has tasked a third-party provider with improving its cybersecurity.
The Australian education sector is one of the most targeted in the world, with attacks up nearly 20% year-on-year, and RMIT forced to suspend classes after an attack last year. Schools and universities should mix targeted awareness training with integrated products that can protect endpoints and improve detection to reduce the risk of damaging cyberattacks.
A hundred Australians and former MP among the billion affected by Chinese police hack
A hacker claims to have stolen one billion records from the Shanghai National Police. Over a hundred Australians, including an MP, have been caught up in the breach. The hacker named “ChinaDan” offered to sell the 23 terabytes of data on an online forum for 10 bitcoin ($200,000).
ChinaDan has posted three data sets (totalling 750,000 individual records) online, and the ABC has confirmed that at least a portion of the data is genuine, with one victim being a former Australian MP, who had called police in 2004 to report a theft from a car boot. However, China has not released a statement confirming the leak, and on social network Weibo the Chinese keywords “Shanghai database” and “data breach” have been banned since the incident. The attack is a reminder of the value of personal data on the dark web, but it may also have a political element, with some records covering police crackdowns on minorities such as Muslim Uyghurs and Falun Gong practitioners – and President Xi Jinping up for reelection later this year.
TikTok under fire as it admits Australian users’ data can be accessed from China
TikTok has confirmed that data from Australian users can be accessed by its Chinese workforce. “TikTok Australia has… admitted that Australian user data is also accessible in mainland China,” tweeted Senator for Victoria James Paterson, “putting it within reach of the Chinese government, despite their previous assurances it was safe because it was stored in the US and Singapore.”
Recent research has shown that TikTok collects a significant amount of user data and aggressively ramps up its requests for user permissions. Its data policies aren’t unique, with many other apps equally intrusive. What’s arguably more worrying is the fact that it’s based in China, which has been associated with multiple state-backed cyberattacks and is involved in a trade war with Australia. Indeed, the same research uncovered an unexplained connection to a server on the Chinese mainland. The Australian government may introduce regulations governing TikTok’s data policies, but in the meantime users should check their permissions settings and take basic steps to safeguard their data online.
Payment redirection scams hit Australian businesses for record-breaking $227 million
Australian organisations lost $227 million to payment redirection scams last year, says the Australian Competition and Consumer Commission (ACCC) in its annual report on scams. The figure represents a startling 77% rise on 2020’s data.
ACCC Deputy Chair Mick Keogh said that small businesses were hit hardest, with Business Email Compromise (BEC) the main vector. “The most common contact method scammers used against businesses was email,” he explained, “which is not surprising given the prevalence of payment redirection scams.” Keogh also said that initiatives followed elsewhere in the world, such as confirmation of payee, could limit the damage.
The bad news did not stop there: the report noted that Australians lost $701 million to investment scams last year, with cryptocurrency accounting for a large part of the rise. Social engineering threats take many forms; well-rounded cyber defences offer protection, and simply taking a moment to consider an unusual text or email can stop you being taken for a damaging ride.
Phishing campaign attacks 10,000 organisations in less than a year
A major phishing campaign has targeted 10,000 organisations around the world in the last ten months, according to Microsoft. The attackers use man-in-the-middle tactics, setting up a proxy between their victims and external websites. The attack is spread by emails that claim the target has a voicemail. HTML smuggling means that rather than opening an audio file, users are directed to a spoofed Azure landing page.
Business Email Compromise (BEC) may attract fewer headlines than the likes of ransomware, but this campaign shows why it can be so deadly. The spoofed landing page autofills victims’ email addresses and may feature company branding. If users enter their details they are redirected to legitimate pages, but with the attackers intercepting their credentials and session cookies – which they can use to bypass Multi-Factor Authentication (MFA), take over their target’s email and launch payment fraud.
The announcement is another reminder that it pays to prepare for BEC, via frequent awareness training, bolstering email security and firewalls, using tools such as DMARC to prevent email spoofing and setting up network segmentation or zero trust to prevent attacks spreading.
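The proxy described above captures a session cookie that has already passed MFA, so a defender's best signal is that cookie being used from a client other than the one that completed the login. The following is an added detection example written for this article, not Microsoft's or Mimecast's code; the log format, field names and sample events are constructed assumptions.

```python
"""Flag a session that completed MFA on one client and is then used from
another: the pattern an AitM phishing proxy leaves when it replays a stolen
cookie. Heuristic only; treat alerts as leads for investigation."""
import json
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs), one JSON object per line.
# Session S1 completes MFA from 203.0.113.10 and is later used from 198.51.100.7
# with a different user-agent; session S2 is used consistently from one client.
SAMPLE_LOG = """\
{"ts":"2022-07-18T09:00:00Z","user":"alice@example.com","event":"mfa_login","session":"S1","ip":"203.0.113.10","ua":"Edge/103"}
{"ts":"2022-07-18T09:05:00Z","user":"alice@example.com","event":"access","session":"S1","ip":"203.0.113.10","ua":"Edge/103"}
{"ts":"2022-07-18T09:12:00Z","user":"alice@example.com","event":"access","session":"S1","ip":"198.51.100.7","ua":"python-requests/2.28"}
{"ts":"2022-07-18T10:00:00Z","user":"bob@example.com","event":"mfa_login","session":"S2","ip":"192.0.2.44","ua":"Chrome/103"}
{"ts":"2022-07-18T10:30:00Z","user":"bob@example.com","event":"access","session":"S2","ip":"192.0.2.44","ua":"Chrome/103"}
"""


def parse_events(text):
    """Parse JSON-lines sign-in events and return them in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def find_replayed_sessions(events, window=timedelta(hours=24)):
    """Return one alert per access where a session minted by an MFA login is
    used, within `window`, from a different source IP or user-agent."""
    origin = {}  # session id -> (login time, ip, ua) recorded at MFA completion
    alerts = []
    for e in events:
        if e["event"] == "mfa_login":
            origin[e["session"]] = (e["ts"], e["ip"], e["ua"])
            continue
        if e["session"] not in origin:
            continue  # no MFA login seen for this session; nothing to compare
        login_ts, ip, ua = origin[e["session"]]
        if e["ts"] - login_ts <= window and (e["ip"] != ip or e["ua"] != ua):
            alerts.append({
                "user": e["user"], "session": e["session"], "ts": e["ts"],
                "ip": e["ip"], "ua": e["ua"], "login_ip": ip, "login_ua": ua,
                "reason": "session used from a client other than the MFA login",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(parse_events(SAMPLE_LOG)):
        print(alert)
```

In production the same comparison would run against identity-provider sign-in logs keyed on the session or refresh-token ID, and a hit should trigger session revocation plus a check of the user's mailbox rules and recent payment instructions.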