News and events related to the ACSC.
On Friday 1 June 2018 PageUp Limited, an online recruitment services organisation, notified their customers about a data incident in relation to the integrity of their systems – proactively informing of a possible breach. Read more
New US Malware Analysis Report on North Korean state-sponsored actors
The US Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) have released a new report covering technical details on the tools and infrastructure used by North Korean state-sponsored cyber actors. This is the latest in a series of Malware Analysis Reports relating to activity by North Korea.
The Australian Cyber Security Centre is sharing this information to enable network defenders to identify and reduce exposure to the persistent threat of criminal and state-sponsored cyber actors.
Visit the US-CERT website to review the most recent and previous Malware Analysis Reports related to this activity.
If you identify any of the techniques detailed in the reports in your environment, you should to report this to the ACSC.
Protect your devices against VPNFilter malware
The ACSC is alerting Australian users to be aware of VPNFilter malware, which is known to effect networking equipment including Linksys, MikroTik, Netgear and TP-Link, as well as QNAP network-attached storage (NAS) devices. Once a malicious actor compromises a device using VPNFilter malware, they are able to collect network traffic (including website credentials) traversing the device. Importantly, the malware can also be used to disable the device.
The ACSC recommends that Australian users of these devices take the following actions to protect themselves against this activity:
- Update your network devices to the latest available version of firmware. Updates are typically not automatic and users should visit the manufacturers’ website for specific information on how to apply updates.
- Disable network device management interfaces, such as Telnet, SSH, Winbox and HTTP/S, on WAN interfaces. If you require remote management of the router, ensure you use a complex password and a protocol that supports encrypted remote connections, such as SSH and HTTPS.
- Remember to change your router default log-in password during the initial setup.
The ACSC also encourages users and administrators to review the Cisco blog post on VPNFilter for additional information on the VPNFilter malware.
New European Union General Data Protection Regulations
This Friday, 25 May 2018, the new European Union (EU) General Data Protection Regulations (GDPR) will come into effect.
Some Australian businesses covered by the Australian Privacy Act 1988 (Cth) may also need to comply with the GDPR if they offer goods and services in the EU or monitor the behaviour of individuals in the EU.
Australian businesses should determine whether they need to comply with the GDPR and, if so, take steps now to ensure their personal data handling practices comply with the GDPR before commencement.
The following resources may assist Australian businesses to assess whether they are covered by the GDPR and the steps to be taken to comply:
- European Commission: Reform of EU data protection rules
- UK ICO: Guide to the General Data Protection Regulation (GDPR)
- European Commission: Article 29 working group GDPR guidance (coming soon – monitor the European Commission guidelines for new publications)
The Office of the Australian Information Commissioner has also prepared a useful GDPR fact sheet for Australian businesses.
New Chrome updates to highlight website security
In September 2018, Google will release an update of the Chrome web browser (Chrome 69). This will include a change so that websites secured using HTTPS will no longer be marked as ‘secure’. According to Google, this is because the company believes that the web should be secure by default.
Then, in the Chrome 70 update due in October 2018, Google plans to include a change so that websites that don’t use HTTPS will have the words ‘not secure’ displayed next to the website’s address.
HTTPS is like the normal HTTP protocol which is used to send information over the web, but it includes encryption for added security and privacy. HTTPS is designed to:
- ensure you are communicating with the website you intended to communicate with
- prevent anyone from modifying or observing content sent between web browsers and web servers.
A website that uses HTTP instead of HTTPS isn’t necessarily insecure. However, if you are providing personal or financial information, you should always look for a HTTPS connection.
Do not be alarmed if government or business websites are no longer marked as ‘secure’ when you are using Google Chrome. Check for ‘https’ at the start of website addresses to find out if the website is secured using HTTPS. Alternatively, you can use other web browsers (such as Microsoft Edge or Mozilla Firefox) to determine if the website is secure.
For more information, visit the Google Security Blog.
Reports of processor vulnerabilities
The ACSC is aware of reporting of processor vulnerabilities. The ACSC recommends:
- Assess your system to determine whether you are operating any of the affected CPUs.
- Stay attuned to advice released by CPU manufacturers and operating system vendors addressing CPU vulnerabilities.
- Patch your system as soon as the vendor makes them available.
- ACSC will keep watch for details of the vulnerability and provide updated advice once more information is known.
Routers targeted - Cisco Smart Install feature continues to be targeted by Russian state-sponsored actors
Russian state-sponsored actors are responsible for activity targeting Cisco devices using the Smart Install feature worldwide, including Australia.
Cisco have published several documents describing actions required in order to secure the Smart Install feature, which have been consolidated into a single document, Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature.
The ACSC has previously released guidance on cyber adversaries targeting this feature to extract configuration files from routers and switches of a number of Australian organisations.
Preventing malicious activity
Organisations are advised to identify Cisco devices running Smart Install within their networks, evaluate the need of running this feature, and remove or secure the feature as required. Both the ACSC and Cisco documentation contain details on how to accomplish this.
- Australian Government Minister for Law Enforcement and Cyber Security media release: Australian Government attribution of cyber incident to Russia
- UK NCSC Advisory: Russian state-sponsored cyber actors targeting network infrastructure devices
- UK NCSC: Joint US-UK statement on malicious cyber activity carried out by Russian government
- US CERT: Joint US-UK Technical Alert TA18-106A
Microsoft cloud services certified
The Australian Government has certified Microsoft's cloud services for use by government agencies to host Protected data.
Minister for Law Enforcement and Cyber Security Angus Taylor said awarding the Protected certification to Microsoft will accelerate the adoption of cloud technology by Commonwealth, State and Territory governments.
Cloud storage and sharing services are extremely useful, convenient and popular with users from individuals up to large businesses and governments. However, cloud computing providers offer varying levels of security.
To respond to potential cloud-related threats, the government released a Secure Cloud Strategy in February 2018 and is reforming its cloud certification capability, including appointing a new senior officer responsible within the ACSC.
For more information, see Minister Taylor's media release.
Vulnerability in the Drupal content management system
The ACSC has become aware of a critical vulnerability in the Drupal content management system. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. Drupal assesses this vulnerability as critical. If you are using a version of Drupal prior to 7.58 or 8.51, the ACSC recommends that you upgrade immediately as per Drupal's advice.
Further information can be found at Drupal Security Advisories: Remote Code Execution - SA-CORE-2018-002.
Scam calls claiming to be from ACSC
Telephone scams, where people pretend to be from a reputable organisation to try to get access to your computer, are a constant threat. The Australian Cyber Security Centre (ACSC) has become aware of a new scam where people who call pretend to be from the ACSC or high-profile businesses calling on behalf of the ACSC. The scammers try to convince members of the public that their computers are compromised. These scammers then try to coax the victim into actions that could actually compromise their computers or reveal bank information.
The scammers ask the victims to enter a URL in their web browser and/or provide their bank account details to transfer money, supposedly to prove whether the victim has been hacked.
The ACSC will never contact you by phone to request access to your computer, ask you to install software or request financial information.
ACSC partners with haveibeenpwned.com
The Australian Cyber Security Centre (ACSC) is pleased to announce our partnership with Troy Hunt, founder of the website haveibeenpwned.com. The ACSC will be working in collaboration with Mr Hunt, using the additional data received from haveibeenpwned.com, to monitor Australian Government domains found in public third party data breaches.
From 26 March 2018, the ACSC will be receiving notifications from Mr Hunt when Australian Government domains are found in public third party data breaches. These notifications will be triaged and addressed by the ACSC to allow a more efficient cyber response to the threats posed by third party data breaches.
The ACSC has become aware of an unauthorised cryptocurrency miner inserted in the BrowseAloud website plugin made by Texthelp. If organisations are using this plugin the ACSC advises your internal networks and websites are not at risk of compromise. The ACSC recommends organisations review their use of third-party website plugins and where applicable consider implementing appropriate security controls. Read more
The ACSC has become aware of a change in the threat situation surrounding the recently announced Cisco ASA critical remote code execution vulnerability. Proof of concept code is now available which results in a denial of service condition on targeted vulnerable devices.
Cisco first released a security advisory on 29 January detailing the vulnerability and affected devices but has since identified additional attack vectors and released additional, more comprehensive patches. Read more
Security researchers have developed methods involving speculative execution to read kernel memory from user space on a variety of processors. These methods have been referred to as 'Meltdown' and 'Spectre'.
Intel has confirmed that the microcode updates designed to mitigate Spectre variant 2 have introduced an increased risk of system instability, data loss and corruption. Intel has released an advisory recommending that users cease deployment of the current microcode update. Read more
The ACSC is aware of reporting that devices with Intel Active Management Technology (AMT) have an insecure default behaviour that could allow an attacker to bypass security controls on the device. Read more
Security researchers have developed methods involving speculative execution to read kernel memory from user space on a variety of processors from a range of vendors produced in the last decade. At this point there is no indication that the reported flaws are being actively exploited by malicious cyber actors. Read more
Increase in ransomware campaigns impacting organisations globally
The ACSC is aware of an increase in ransomware campaigns impacting organisations globally. Ransomware is malicious software that makes data or systems unusable until the victim makes a payment.
The mitigations for ransomware are well known, criminals do not discriminate, and no organisation should be unprepared for when it hits them.
- Patch/update all software and operating systems immediately.
- Ensure that your data is backed up regularly and that offline and/or offsite backups are available.
- Ensure your antivirus software is up-to-date.
- Organisations and individuals should not pay the ransom. There is no guarantee that paying the ransom will recover the affected data or systems, and it could make you vulnerable to further attacks. Restore your files from backup and seek technical advice.
Organisations can minimise the risk of cyber security incidents including ransomware attacks by following the Australian Signal Directorate's Strategies to Mitigate Cyber Security Incidents. Further ASD advice, such as the Essential Eight Explained, Detecting Socially-Engineered Emails, Restricting Administrative Privileges and Implementing Application Whitelisting, is available from the ASD Publications page.
Wi-Fi protocol vulnerabilities
Researchers have identified security vulnerabilities in the Wi-Fi WPA2 protocol which may make all Wi-Fi enabled devices, such as mobiles, computers and internet routers, vulnerable to malicious actors stealing sensitive information such as credit card numbers, passwords and emails. Read more
ACSC releases 2017 threat report
ACSC releases ACSC Threat Report 2017 (PDF). The last year has again demonstrated the growing public appetite to understand and defend against the evolving cyber threats facing Australia. High profile incidents of cybercrime have exemplified the speed with which cyber threats can propagate globally, how rapidly adversaries can adapt to security responses, and how easily a compromise can impact an organisation’s core functions or services.
'BlueBourne' Bluetooth vulnerability
The Australian Government, through the Australian Cyber Security Centre, is aware of a reported Bluetooth vulnerability which is being referred to in the media as 'BlueBourne'.
Bluetooth is a wireless data transfer service, widely available on smart phones, tablets and other consumer devices to provide a range of functions.
The vulnerabilities reported are concerning; however, at this stage, the Australian Cyber Security Centre is not aware that the vulnerability is being exploited.
Vendors are aware of the issue and are working on updates to fix the vulnerabilities.
The Australian Cyber Security Centre recommends that all users apply the latest software security updates to their devices.
Device owners should consider disabling services like Bluetooth on their devices where it is not required.
The ACSC is aware that cyber adversaries are extracting configuration files from the routers and switches of a number of Australian organisations. We have no evidence at this stage to suggest that home users are directly impacted by this threat. Read more
ASD releases Essential Eight Maturity Model
The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies, the Strategies to Mitigate Cyber Security Incidents, to help organisations mitigate cyber security incidents caused by various cyber threats. The most effective mitigation strategies for targeted cyber intrusions and ransomware are known as the Essential Eight.
To assist organisations in understanding the maturity of their cyber security posture, ASD has produced the Essential Eight Maturity Model, to be used as a handy tool for self-assessment.
The maturity model provides succinct and specific guidance to address the broad range of cyber threats faced by governments and businesses alike.
The ACSC is aware of a global ransomware campaign, Petya. Read more
Microsoft's June 2017 security update addresses multiple critical vulnerabilities in Windows operating systems. Due to an increased threat of exploitation based on recent attacks and disclosures, Microsoft has released security updates for older platforms as well, including Windows XP. In particular, this update fixes previously unpatched vulnerabilities employed by the ENGLISHMANDENTIST, ESTEEMAUDIT and EXPLODINGCAN exploits, details of which were published by the Shadow Brokers earlier this year. Read more
Update on WannaCry ransomware campaign
The ACSC is aware of a large-scale ransomware campaign impacting many organisations globally, including the UK's National Health Service. The campaign has various names including 'WannaCry', 'WanaCryt0r', 'WanaCrypt', 'WanaDecryptor', 'WanaCry' or 'Wana'.
The ransomware leverages publicly-known vulnerabilities in Microsoft Windows, patched by Microsoft in March this year (Microsoft Security Bulletin MS17-010). Additionally, Microsoft has released patches for older, unsupported Microsoft operating systems on 13 May 2017. If you are running older systems, these patches should be applied immediately.
Individuals and organisations across Australia have been taking active steps to protect their networks over the weekend. However, there are a small number of confirmed cases affecting Australian small businesses.
While the spread of the ransomware appears to have temporarily slowed, it is still critical that businesses and individuals patch the operating systems on their computers.
The Australian Cyber Security Centre has advised that if you are affected by the WannaCry ransomware incident you should contact your service provider immediately. Small businesses can contact ACORN (Australian Cybercrime Online Reporting Network); larger businesses are advised to follow their normal procedures.
We are also advising that businesses need to patch their Microsoft Windows systems immediately and confirm that their backups are available and working. You will also need to make sure your antivirus software is up-to-date.
If you do not have back-ups in place you can arrange to use an off-site backup service. This is good practice for all users.
Information on the ACSC website will continue to be updated. Updates are also available on the Stay Smart Online website, Facebook page and Twitter account.
These sites will be updated throughout the coming days as new information becomes available.
The ACSC is aware of a large-scale ransomware campaign that is impacting many organisations globally. Read more
ACSC 2016 Cyber Security Survey released
The 2016 Australian Cyber Security Centre Survey (PDF) validates our understanding of the unrelenting and increasingly sophisticated cyber threat that we face every day. It confirms that many Australian organisations are experiencing some form of attempted or successful cyber security compromise, and that some are being targeted up to hundreds of times per day.
The survey provides some key areas for future focus, collaboration and investment across industry and government.
Managed Service Providers have been targeted in a global cyber campaign since at least mid-2016. This includes some companies that also operate in Australia. Read more
ACSC releases 2016 threat report
This is the second ACSC Threat Report. The ACSC Threat Report 2016 (PDF) continues to reflect the experience, focus and mandates of the ACSC's member organisations. This report provides an insight into what the centre has been seeing, learning, and responding to, focusing on specific areas of change or new knowledge obtained.
New Cyber Security Strategy
Today the Prime Minister released Australia's Cyber Security Strategy.
The Cyber Security Strategy sets out the Australian Government’s philosophy and program for meeting the dual challenges of the digital age – advancing and protecting our interests online.
Strong cyber security is a fundamental element of our growth and prosperity in a global economy. It is also vital for our national security. It requires partnership involving governments, the private sector and the community.
Scam alert: HR departments targeted for sensitive employee details
ACSC partner agency CERT Australia is aware that, over the past two months, at least three major international organisations have been targeted by a new phishing scam that seeks to expose sensitive employee information.
The phishing email, which appears to be from the CEO or executive of an organisation, is sent to the Human Resources (HR) department, requesting the organisation's personnel details.
The scam presents a significant risk to employee's personal information as personnel data contains names, addresses, wages, tax file numbers and health care information that could be used for identity theft or tax fraud.
Although there have not been any reported instances of the scam in Australia, it is highly likely Australian businesses will be targeted in the future. In order to protect your organisation and employees against these attacks, CERT Australia recommends:
- inform your HR and payroll staff of the scam and encourage employees to remain vigilant with regard to bulk requests for staff information
- remain wary of the information that is posted to social media and company websites which can be abused, including job descriptions, organisation structures and out-of-office information
- ignore unsolicited or spam emails and forward them for review by your IT security team
- ensure your email security is set to prevent sender address forgery (more information to implement this can be found in the ASD publication Mitigating Spoofed Emails - Sender Policy Framework (SPF) Explained)
- report identified activity to CERT Australia.
Mailicious ransomware email campaign
The ACSC is aware of a large-scale email phishing campaign that appears to be from the Austrailan Federal Police, instructing recipients to pay a traffic infringement notice. The same scam also occurred in July 2015. The web link is typically associated with encrypting ransomware.
Should you receive a suspicious email, delete it. Do not click on the link or open any attachments, and do not make any payments. If you have clicked any links or attachments, please report this to your organisation's IT security section.
We encourage you to report it to Scam Watch.
ACSC and CERT publish 2015 Cyber Security Survey: Major Australian Businesses
The 2015 Cyber Security Survey: Major Australian Businesses industry data was collected from businesses that partner with CERT Australia. These businesses underpin the social and economic welfare of Australia by delivering essential services such as banking and finance, defence industry providers, communications, energy, resources, transport and water.
The findings provide a snapshot of the cyber security measures that major Australian businesses have in place, the types of cyber incidents they have faced and the threats that concern them the most.
ACSC publishes Web Shells - Threat Advice and Guidance
Web shells can be used to leverage unauthorised access and can lead to wider network compromise. Web Shells - Threat Advice and Guidance outlines the threat and provides prevention, detection and mitigation strategies. This product was developed in collaboration with ACSC partners in the United Kingdom, United States, Canada and New Zealand.
Unauthorised publication of personal information via social media
ACSC is aware of leaks of personally-identifiable information, including that of Australian citizens, by a group calling itself the Islamic State Hacking Division.
There is no evidence to suggest the leaked information is a result of any compromise of Australian-based systems or networks. ACSC is working with the organisations of the individuals identified in the leaks to identify and address any potential cyber security concerns. ACSC will support the broader law enforcement and intelligence community to understand and address this issue.
The unauthorised material published this week is likely to have been compromised from a public website. Affected individuals have used work email addresses to conduct private online activity, including providing personally-identifiable information.
Public websites are frequently targeted by malicious hackers and the compromise of personal information provided to these websites will continue to occur. To minimise the threat to you and your organisation, ACSC recommends you follow the advice provided by:
- Stay Smart Online
- Australian Signals Directorate Top Security Tips for the Home User
- US Computer Emergency Response Team Tips
If you believe your identity or personal information has been compromised online, you should report the activity through the Australian Cybercrime Online Reporting Network (ACORN).
Security researchers have uncovered vulnerabilities in a multimedia processing library that can expose devices running the Android operating system to malicious cyber activity.
More information and mitigation guidance is available from US CERT: Android Stagefright contains multiple vulnerabilities.
Users can also seek specific advice from their device manufacturer or telecommunications service provider.
ACSC releases first ever public national cyber threat report
ACSC releases first ever public national cyber threat report (PDF): New ACSC Co-ordinator Clive Lines said that the ACSC Threat Report 2015 (PDF) clearly demonstrates that the cyber threat to Australian organisations is undeniable, unrelenting and continues to grow. (Media release, July 2015)
New wave of ransomware targeting Australians
The ACSC has observed a new wave of Australia Post parcel collection and Australian Federal Police infringement notice themed ransomware emails targeting Australian governments, private industry and the public.
This activity appears to be a continuation of previous encrypting ransomware campaigns reported by the ACSC.
The ACSC advises organisations to be vigilant and adopt the recommendations detailed below to protect their systems and data.
Emails within this campaign are sent from multiple domains appearing to be from Australia Post or the Australian Federal Police. They typically contain a link to a malicious page that downloads an archived file that contains an executable (.exe). Multiple archive formats have been observed, including .zip, .rar and .7z files. Additionally, Microsoft Office documents containing macros that download the ransomware from file-sharing services have have been observed. Once executed, the ransomware encrypts the users' files, including those on networked or shared drives, making them inaccessible to the user until a ransom is paid. Please note that other domains and themes have also been associated with this significant campaign.
- The size of this campaign and continual use of new domains has reduced the effectiveness of domain blocking as a long-term solution. A more effective long-term solution is the implementation of the Australian Signal Directorate's Top 4 Strategies to Mitigate Targeted Cyber Intrusions, in particular, application whitelisting.
- End users should continue to remain vigilant when opening emails containing links, even if they appear to be from a legitimate Australian government or business domain.
- Ensure antivirus and other detection products are up-to-date.
- Perform regular backups of data.
- Do not pay the ransom if your system is affected.
- Organisations may wish to consider running an education campaign for their staff regarding phishing emails in order to heighten user awareness. This training should include instruction on how users can report unusual or suspicious emails to their IT security team.
Organisations that become aware of illegitimate domains masquerading as part of their agency should engage with the hosting company and law enforcement to have the domain taken down.
In the short term, large organisations that are affected can notify potential users via a post on their website and the Australian Government's ScamWatch website.
Members of the public and small business can report ransomware at the ACORN website.
Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.
Australian businesses and other private sector organisations seeking further information should contact CERT Australia.
Australian Government Cyber Security Review
The Prime Minister chaired Australia's first Cyber Security Summit with chief executive officers and chairmen on 8 July 2015 in Sydney. Over the past six months, the Cyber Security Review team has met with more than 180 organisations. This period of consultation and the summit will help shape the Australian Government's new Cyber Security Strategy.
Certified cloud services
An IRAP Assessment has been completed for several outsourced cloud computing services and certification awarded by the Australian Signals Directorate located within the ACSC.
The rigorous and detailed certification process for cloud service providers will help to give public sector users confidence in making the transition to new technologies and services.
The ACSC is pleased to be working in partnership with industry to ensure that there are a range of providers who can independently demonstrate that they meet the security needs of government in the cloud space.
While certification will assist organisations to understand the information security risks when contracting cloud computing services, organisations are urged to perform due diligence reviews of the financial, privacy, data ownership, data sovereignty and legal risks associated with contracting cloud computing services.
The list of providers and more information is available at ASD Certified Cloud Services.
Australian Cyber Security Centre Conference 2015
Partnering for a Cyber Secure Australia (PDF): ACSC co-ordinator's speech to the ACSC Conference 2015, Canberra, 22 April 2015
Social media account compromise
There has been recent media reporting around social media accounts being compromised and defaced. This is a growing occurrence, so it pays for organisations to be aware and build cyber resilience.
Organisations that suspect their social media accounts have been compromised should:
- Report the suspected compromise to the social media provider.
- Reset the account password.
- Contact the support services of the social media provider for information on securing their account.
Additional information on the use of social media can be found in ASD Protect Notice Security Tips for the Use of Social Media Websites.
New cyber security campaign focuses on everyday Australians
New cyber security campaign focuses on everyday Australians (PDF) (Media release, February 2015)
Associated content: ACORN, ACSC YouTube Channel
New choice for reporting cyber security incidents
New choice for Australian business and government to report cyber security incidents (PDF) (Media release, December 2014)