Jeremy Kirk, Oct 24, 13 tweets, 5 min read
Is Australia's data breach wave a coincidence, bad luck or intentional targeting? Maybe all three. But the security weaknesses that have led to the incidents are not exotic. Here's an analysis 🧵 #auspol #infosec #cybercrime @CyberGovAU @ClareONeilMP
None of the intrusions are the result of indefensible exploits. The culprits are the usual suspects: an insecure API, compromised credentials, a failure to quickly patch, everyday account takeovers and bad development practices.
And the people behind these attacks are most likely workaday cybercriminals, not your top-level nation-state attackers. What follows is a breakdown of the breaches and incidents:
.@Optus: Someone discovers an unauthenticated API and then tries a ham-fisted, amateur extortion attempt. Experts have long warned of the danger of misconfigured APIs. Data haul: 10 million records, a third of which have sensitive ID numbers.
.@medibank: Unfortunately, this feels like a pro ransomware/extortion group. Medibank says compromised credentials led to the intrusion. The problem: Weak identity and access controls. Data haul: Health and claims data plus basic bio data. It's a worst-case data theft scenario.
.@vinomofo: The online wine retailer says it used production customer data while running tests to upgrade its digital platform, a bad development practice. Then, 700,000 customer records turned up for sale on a Russian-language forum. This is workaday cybercrime.
.@mydealaustralia: This online marketplace run by Woolworths Group said compromised login credentials for its CRM system led to the breach. This data, 2.2 million records, appeared for sale on a forum for $600. Again, workaday cybercrime.
.@AMEBexams: AMEB says its online shop, which runs Adobe's e-commerce software, was attacked this month, causing a breach. It appears AMEB may have not acted fast enough after a patch for an XSS flaw with a CVSS score of 10 was released just a day before it was attacked.
(cont'd on @AMEBexams) Financial crime actors wait and pounce when these dangerous flaws become public. Verdict: Workaday cybercrime.
.@EnergyAustralia: The company said 323 residential and small business customers' accounts were taken over. Account takeovers are a problem for every online service provider. It doesn't appear it offers two-step verification on its accounts. *Workaday cybercrime, again.
All of the incidents are cybercriminals exploiting security weaknesses for profit. The security problems are common. The worry for Australia should be that nation-state actors aren't going to be as obnoxious and public about their intrusions. #auspol #infosec
And post @Optus, they may very well see Australia as a soft target. If the workaday cybercriminals are having so much success now, Australia may be in for a rough run.
*The phrase "workaday cybercrime" shamelessly borrowed from @riskybusiness and @Metlstorm.
More from @Jeremy_Kirk

Oct 24
Australia's @medibank health insurer says compromised login credentials led to its data breach. I spoke with a former Medibank employee whose login credentials turned up on the Dark Web in August. An interesting 🧵 #auspol #infosec @CyberGovAU @ClareONeilMP
For background, login credentials are constantly stolen, bought and sold. "Every org has creds for sale," says one source. @medibank is no different. At least a half dozen @medibank accounts were available for sale in August, according to @RESecurity. #infosec
I looked at the credentials and emailed some of the people. One responded last night, and we spoke on the phone. He was a part-time Covid support officer. @medibank policyholders would call in with Covid questions, and he said he would read Covid guidance from NSW's website.
Oct 22
Aussie data breach #5 (or is it #6?) is @AMEBexams, which is run by unis and several state gov'ts. Its e-commerce system breach coincides with a nasty XSS software vulnerability in Adobe Commerce/Magento: helpx.adobe.com/security/produ… #auspol #infosec
To recap, @AMEBexams says its AMEB online shop database was attacked between Oct. 12-18. Says transaction/credit card data at risk. Also names, emails, phone numbers, addresses were exposed and possibly before Oct. 12 as well: Notice here: ameb.edu.au/cybersecurity
In that notice, @AMEBexams writes: "Security solutions (patches) to defend against this type of attack have since been released by Adobe and applied to the AMEB website and shop."
Oct 22
The Australian gov't will introduce legislation in Parliament next week that would sharply increase penalties after a wave of unprecedented data breaches affecting @Optus, @medibank, @mydealaustralia and @vinomofo. Deets: ministers.ag.gov.au/media-centre/t… #auspol #infosec
If passed, max fines for Privacy Act violations will rise from $2.22 million to the greater of either $50 million, three times the benefit from misuse of info or 30% of a company's adjusted turnover.
"Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It's not enough for a penalty for a major data breach to be seen as the cost of doing business," says AG Mark Dreyfus.
Oct 22
.@EnergyAustralia initiated a password reset for its My Account portal users after it says the data of 323 residential and small business customers was exposed between September/October. Some info here: energyaustralia.com.au/home/help-and-… #auspol #infosec
Data available in an account includes name, address, email address, phone number, masked credit card numbers. No driver's licenses, passport or other ID details are in there, which is good of course.
Users now need to choose a password that's at least 12 characters, with a lowercase letter, an uppercase letter, a number and a symbol. Also, the new password can't be any of the last four passwords.
Oct 17
Someone is claiming responsibility for the recent hack of MyDeal, the online marketplace owned by Aussie grocery Woolworths Group. The price for the data is at $600. CAUTION: I haven't verified the data yet or if this is legit. #infosec #auspol
To recap, Woolworths said on Friday that 2.2 million people were affected after its CRM system was accessed. For 1.2 million, only email was exposed. For the rest, names, email addresses, phone numbers, delivery addresses, sometimes birth dates. PR here: woolworthsgroup.com.au/au/en/media/la…
This is the first screenshot that the person claims is proof of access to MyDeal's AWS. Sean Senvirtne is the founder and CEO of MyDeal. Anyone have thoughts on what this may or may not show? #infosec
Sep 29
Here are some technical observations related to the Optus breach. This gets into the technical weeds, but it’s important for understanding how this breach may have happened. I’ll try to make it as comprehensible as possible. #optushack #auspol #infosec
Some information is based on public data. The analysis comes from information security experts, whom I appreciate reaching out to me. 😉
We know that the breach occurred because the Optus hacker abused an application programming interface (API) which was api[dot]optus.com.au. As we know, that API was left open on the internet.