Cyber-attacks against the government and technology sectors have escalated as international threat actors exploit Covid-19 lockdowns and organisations’ increasing reliance on virtual communication and remote access technologies, a new report reveals.
These attacks were highlighted in a new Threat Intelligence report by the UK-based security firm, NTT, which offered a snapshot of the current global threatscape across Australia, the APAC region, Europe, and North America.
The May report warned that cyber actors are continuing to exploit the pandemic to launch malicious and highly targeted attacks.
These attacks incorporate an arsenal of established and new tools, including, notably, the appearance of a particularly pernicious, though benignly named, malware known as “Coronavirus Installer”, which overwrites a system’s master boot record to make it effectively unbootable.
In Australia, the report reveals, cyber actors have been exploiting inherent vulnerabilities exposed during the Covid-19 crisis – particularly at organisations that have had to quickly adapt to remote working conditions – through malware and phishing attacks.
Australia’s technology sector accounted for the bulk of cyber-attacks, representing 35 per cent of all intrusions, with the government (26 per cent), finance (13 per cent), and education sectors (11 per cent) following behind. The business and professional services and retail sectors represented the remaining 15 per cent.
Front door wide open through CMS
Speaking with FST Gov, Mark Thomas, NTT’s Sydney-based head of threat intelligence, said there had been a clear rise in attacks against government institutions globally – from 9 per cent to 16 per cent year on year.
He added that governments’ more expansive digital and application ecosystems were presenting bigger targets for threat actors, while cybercriminals also grow savvier around changes to national and geopolitical conditions that expose technology systems to greater risk.
“Couple this with federal elections, heightened geopolitical tensions between US-China relations, trade conflict, and overlapping sovereignty claims in the region.
“All these contribute to surging government attacks. Consequentially, high-profile events of this nature often give rise to subsequent cyber activity, both from cybercriminals and nation-state actors.”
Content management systems (CMS) – for example, Drupal, WordPress, Joomla and noneCMS, which account for more than two-thirds of CMS market share and are used across Australian governments’ frontline services – proved a prime target for cyber-attackers, with one in five attacks across industry zeroing in on these systems.
More broadly, 55 per cent of all attacks were application-specific or web-application attacks, according to Thomas.
He warned that the majority of organisations use applications “as their front door”, proving an easy pathway for attackers to reach sensitive data stores.
“This is where both client, personnel, or financial data is held or can be accessed. This is what adversaries are after.”
Thomas said he had also observed the targeting of IoT devices and routers, specifically Netis/Netcore in Australia. He frets that users are failing to change default configurations and apply firmware updates, leaving systems exposed.
Based on NTT’s findings, the Australian public sector nevertheless outperformed peers in other regions, Thomas observed, acknowledging that, overall, “government agencies demonstrate a higher degree of security preparedness and cyber resiliency”.
While stressing that “deficiencies between current and desired security maturity” remain, he said the “gap is tightening”.
Nevertheless, Thomas said cyber preparedness did not make the public sector immune from cyber threats, especially as they become more narrowly focused and sophisticated.
“New applications and infrastructure continue to be deployed through digital transformation initiatives – a welcomed innovation. [However], this can open government to new risks or vulnerabilities that opportunistic adversaries are always looking to exploit.”
A 19 per cent increase in denial of service activity within the region reveals these growing vulnerabilities.
“Suffice it to say, constant vigilance is a necessity in uncertain times.”
The threat landscape will evolve as adversaries innovate their tactics and techniques, Thomas noted.
He thus urged governments “to continue investing in cybersecurity to match adversary’s innovation”.
Australian governments, in particular, need to focus their efforts towards implementing The Essential Eight mitigation strategies and continuously monitoring the threat environment, he said.
Securing the foundation was all about getting the basics right, he added.
“This involves visibility of assets that need to be protected, designing controls around those assets, and reducing exposure by effectively implementing risk-based vulnerability remediation, [or] patching.
“We know adversaries continue to target old vulnerabilities.”
Exploiting vulnerabilities during Covid-19
Worldwide, cyber-attack methods are evolving rapidly whilst attack volumes are escalating daily, the NTT report warned. Among the most popular vectors of attack today, particularly as people seek support services in the midst of the pandemic, are spoof websites that pose as official information sources whilst directing users to click on malware-compromised files.
More than 2,000 attacks were attributed to these spoof sites each day, according to NTT.
Throughout the Covid-19 crisis, governments worldwide have been deploying all available resources to contain the pandemic, the report said, leaving fewer resources for cyber contingencies.
“Unfortunately, there will be those who’ll try to take advantage of the crisis for nefarious purposes. Cybercriminals are among this group.
“With large numbers of employees and students working from home, businesses are facing an increasing risk of becoming victims of cybercrime.”
Since the escalation of the Covid crisis in January, cyber intelligence researchers have noticed a considerable uptick in malware campaigns with both financial and data-stealing motives, with banking trojans Emotet and Trickbot, malware kits Lokibot or Kpot, the “Coronavirus Installer”, and trojan Zeus Sphinx being widely detected across the globe. Various DNS spoofing attacks, which hijack router DNS settings via weak or default admin passwords, have also been revealed.