Is Australia's data breach wave a coincidence, bad luck or intentional targeting? Maybe all three. But the security weaknesses that have led to the incidents are not exotic. Here's an analysis 🧵 #auspol #infosec #cybercrime @CyberGovAU @ClareONeilMP
None of the intrusions are the result of indefensible exploits. The culprits are the usual suspects: an insecure API, compromised credentials, a failure to quickly patch, everyday account takeovers and bad development practices.
And the people behind these attacks are most likely workaday cybercriminals, not your top-level nation-state attackers. What follows is a breakdown of the breaches and incidents:
.@Optus: Someone discovers an unauthenticated API and then tries a ham-fisted, amateur extortion attempt. Experts have long warned of the danger of misconfigured APIs. Data haul: 10 million records, a third of which have sensitive ID numbers.
.@medibank: Unfortunately, this feels like a pro ransomware/extortion group. Medibank says compromised credentials led to the intrusion. The problem: Weak identity and access controls. Data haul: Health and claims data plus basic bio data. It's a worst-case data theft scenario.
.@vinomofo: The online wine retailer says it used production customer data while running tests to upgrade its digital platform, a bad development practice. Then, 700,000 customer records turned up for sale on a Russian-language forum. This is workaday cybercrime.
.@mydealaustralia: This online marketplace run by Woolworths Group said compromised login credentials for its CRM system led to the breach. This data, 2.2 million records, appeared for sale on a forum for $600. Again, workaday cybercrime.
.@AMEBexams: AMEB says its online shop, which runs Adobe's e-commerce software, was attacked this month, causing a breach. It appears AMEB may not have acted fast enough after a patch for an XSS flaw with a CVSS score of 10 was released just a day before it was attacked.
(cont'd on @AMEBexams) Financial crime actors wait and pounce when these dangerous flaws become public. Verdict: Workaday cybercrime.
.@EnergyAustralia: The company said 323 residential and small business customers' accounts were taken over. Account takeovers are a problem for every online service provider. It doesn't appear it offers two-step verification on its accounts. *Workaday cybercrime, again.
All of the incidents are cybercriminals exploiting security weaknesses for profit. The security problems are common. The worry for Australia should be that nation-state actors aren't going to be as obnoxious and public about their intrusions. #auspol #infosec
And post @Optus, they may very well see Australia as a soft target. If the workaday cybercriminals are having so much success now, Australia may be in for a rough run.
Australia's @medibank health insurer says compromised login credentials led to its data breach. I spoke with a former Medibank employee whose login credentials turned up on the Dark Web in August. An interesting 🧵 #auspol #infosec @CyberGovAU @ClareONeilMP
For background, login credentials are constantly stolen, bought and sold. "Every org has creds for sale," says one source. @medibank is no different. At least a half dozen @medibank accounts were available for sale in August, according to @RESecurity. #infosec
I looked at the credentials and emailed some of the people. One responded last night, and we spoke on the phone. He was a part-time Covid support officer. @medibank policyholders would call in with Covid questions, and he said he would read Covid guidance from NSW's website.
Aussie data breach #5 (or is it #6?) is @AMEBexams, which is run by unis and several state gov'ts. Its e-commerce system breach coincides with a nasty XSS software vulnerability in Adobe Commerce/Magento: helpx.adobe.com/security/produ… #auspol #infosec
To recap, @AMEBexams says its AMEB online shop database was attacked between Oct. 12-18. Says transaction/credit card data at risk. Also names, emails, phone numbers, addresses were exposed and possibly before Oct. 12 as well: Notice here: ameb.edu.au/cybersecurity
In that notice, @AMEBexams writes: "Security solutions (patches) to defend against this type of attack have since been released by Adobe and applied to the AMEB website and shop."
If passed, max fines for Privacy Act violations will rise from $2.22 million to the greater of either $50 million, three times the benefit from misuse of info or 30% of a company's adjusted turnover.
"Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It's not enough for a penalty for a major data breach to be seen as the cost of doing business," says AG Mark Dreyfus.
Data available in an account includes name, address, email address, phone number, masked credit card numbers. No driver's licenses, passport or other ID details are in there, which is good of course.
Users now need to choose a password that's at least 12 characters, with a lowercase letter, an uppercase letter, a number and a symbol. Also, the new password can't be any of the last four passwords.
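The policy in the tweet above, as an added example of how a service could enforce it server-side. This is my illustration, not the provider's own code: the assumption that password history is kept as salted PBKDF2 digests rather than plaintext, the iteration count, and the helper names are mine.

```python
import hashlib
import hmac
import os
import string

# Policy parameters as stated in the tweet: 12+ characters, mixed case, a digit,
# a symbol, and no reuse of the last four passwords.
MIN_LENGTH = 12
HISTORY_DEPTH = 4
# Assumption: history entries are (salt, pbkdf2-sha256 digest); iteration count is illustrative.
PBKDF2_ITERATIONS = 100_000


def check_complexity(password: str) -> list:
    """Return a list of policy violations (empty list means the password passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a symbol")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; history stores these, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_history(passwords: list) -> list:
    """Constructed sample history, oldest first, as (salt, digest) pairs."""
    history = []
    for pw in passwords:
        salt = os.urandom(16)
        history.append((salt, hash_password(pw, salt)))
    return history


def in_recent_history(password: str, history: list) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored digests.

    Each stored entry has its own salt, so the candidate is re-hashed per entry
    and compared in constant time.
    """
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            return True
    return False


def validate_new_password(password: str, history: list) -> list:
    """Full policy check: complexity rules plus the last-four reuse rule."""
    problems = check_complexity(password)
    if in_recent_history(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample data: five previous passwords, oldest first.
    prior = build_history([f"Old-Passw0rd-{i}" for i in range(1, 6)])
    for candidate in ("short1A!", "Old-Passw0rd-5", "Old-Passw0rd-1", "Fresh-Passw0rd!"):
        print(candidate, validate_new_password(candidate, prior) or "OK")
```

Two details matter in practice: the history must hold only salted digests (a plaintext history is a second credential store to be breached), and only the most recent four entries are compared, so a password older than that is accepted again.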
Someone is claiming responsibility for the recent hack of MyDeal, the online marketplace owned by Aussie grocery Woolworths Group. The price for the data is at $600. CAUTION: I haven't verified the data yet or if this is legit. #infosec #auspol
To recap, Woolworths said on Friday that 2.2 million people were affected after its CRM system was accessed. For 1.2 million, only email was exposed. For the rest, names, email addresses, phone numbers, delivery addresses, sometimes birth dates. PR here: woolworthsgroup.com.au/au/en/media/la…
This is the first screenshot that the person claims is proof of access to MyDeal's AWS. Sean Senvirtne is the founder and CEO of MyDeal. Anyone have thoughts on what this may or may not show? #infosec
Here are some technical observations related to the Optus breach. This gets into the technical weeds, but it’s important for understanding how this breach may have happened. I’ll try to make it as comprehensible as possible. #optushack #auspol #infosec
Some information is based on public data. The analysis comes from information security experts, whom I appreciate reaching out to me. 😉
We know that the breach occurred because the Optus hacker abused an application programming interface (API) which was api[dot]optus.com.au. As we know, that API was left open on the internet.