Don't pay the ransom, mate. Don't even fix a price, say Australia's cyber security bods

Better yet - do the basics and your systems won't get encrypted in the first place


Most online attacks could be easily avoided by following basic cyber security advice, Australia’s national cyber security bureau has said – even as it warned that the impact and severity of things like ransomware attacks are getting worse and worse.

“Cybercriminals follow the money,” said the Australian Cyber Security Centre (ACSC) in its annual report for 2019-20, published earlier this week.

“Over the past 12 months the ACSC has observed real-world impacts of ransomware incidents, which have typically originated from a user executing a file received as part of a spearphishing campaign,” said the agency, adding that after the initial breach attackers typically try to exploit remote desktop-type apps to hunt for anything worth stealing – or deleting.

ACSC was busiest in April 2020, when it had 318 “cyber security incidents” reported to it.

Out of 2,266 incidents that the agency responded to over the 12-month period, 803 were targeted against Australia’s federal or state level governments – though the ACSC put this down to the public sector’s willingness to report incidents to it, as distinct from the private sector.

Most attacks can easily be mitigated, said ACSC, through “measures such as not responding to unsolicited emails and text messages, implementing multi-factor authentication and never providing another party with remote access to your computer.”

Those attacks include June’s cyber-assaults against the Lion brewery, which were remarkably closely timed as China stepped up diplomatic pressure on Australia over international cooperation.

“Many of these [attacks] could have been avoided or substantially mitigated by good cyber security practices,” sighed the ACSC in the report (PDF, 18 pages), which covered the months July 2019-June 2020.

The infoseccers strongly advised against paying the criminals:

Paying a ransom does not guarantee decryption of data. Open source reporting indicates several instances where an entity paid the ransom but the keys to decrypt the data were not provided. The ACSC has also seen cases where the ransom was paid, the decryption keys were provided, but the adversary came back a few months later and deployed ransomware again. The likelihood that an Australian organisation will be retargeted increases with every successful ransom payment. ...

It is generally much easier and safer to restore data from a backup than attempting to decrypt ransomware affected data.

While it won’t surprise regular Register readers to hear that ransomware is “one of the most significant threats” to online businesses in Aus (and beyond), the ACSC is already looking ahead to how 5G and increased digital connectivity across the nation will expose more and more people and businesses to the risks of being online.

5G networks and Internet of Things devices “require new thinking about how best to adopt them securely,” opined ACSC. Britain has published design standards for IoT devices, while on 5G the US has addressed potential vendor security problems by shutting out those they deem to be problematic vendors. ®
