Is Australia's data breach wave a coincidence, bad luck or intentional targeting? Maybe all three. But the security weaknesses that have led to the incidents are not exotic. Here's an analysis 🧵 #auspol #infosec #cybercrime @CyberGovAU @ClareONeilMP
None of intrusions are the result of indefensible exploits. The culprits are the usual suspects: an insecure API, compromised credentials, a failure to quickly patch, everyday account takeovers and bad development practices.
And the people behind these attacks are most likely workaday cybercriminals, not your top-level nation-state attackers. What follows is a breakdown of the breaches and incidents:
.@Optus: Someone discovers an unauthenticated API and then tries a ham-fisted, amateur extortion attempt. Experts have long warned of the danger of misconfigured APIs. Data haul: 10 million records, a third which have sensitive ID numbers.
.@medibank: Unfortunately, this feels like a pro ransomware/extortion group. Medibank says compromised credentials led to the intrusion. The problem: Weak identity and access controls. Data haul: Health and claims data plus basic bio data. It's a worst-case data theft scenario.
.@vinomofo: The online wine retailer says it used production customer data while running tests to upgrade its digital platform, a bad development practice. Then, 700,000 customer records turned up for sale on a Russian-language forum. This is workaday cybercrime.
.@mydealaustralia:This online marketplace run by Woolworths Group said compromised login credentials for its CRM system led to the breach. This data, 2.2 million records, appeared for sale on a forum for $600. Again, workaday cybercrime.
.@AMEBexams: AMEB says its online shop, which runs Adobe's e-commerce software, was attacked this month, causing a breach. It appears AMEB may have not acted fast enough after a patch for a XSS flaw with a CVSS score of 10 was released just a day before it was attacked.
(cont'd on @AMEBexams) Financial crime actors wait and pounce when these dangerous flaws become public. Verdict: Workaday cybercrime.
.@EnergyAustralia: The company said 323 residential and small business customers' accounts were taken over. Account takeovers are a problem for every online service provider. It doesn't appear it offers two-step verification on its accounts. *Workaday cybercrime, again.
All of the incidents are cybercriminals exploiting security weaknesses for profit. The security problems are common. The worry for Australia should be is that nation-state actors aren't going to be as obnoxious and public about their intrusions. #auspol #infosec
And post @Optus, they may very well see Australia as a soft target. If the workaday cybercriminals are having so much success now, Australia may be in for a rough run.
*The phrase "workaday cybercrime" shamelessly borrowed from @riskybusiness and @Metlstorm.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
