Nation-State actors Aren’t Going to Be as Obnoxious and Public
Is Australia’s data breach wave a coincidence, bad luck or intentional targeting? Maybe all three. But the security weaknesses that have led to the incidents are not exotic. Here’s an analysis.
None of the intrusions are the result of indefensible exploits. The culprits are the usual suspects: an insecure API, compromised credentials, a failure to quickly patch, everyday account takeovers and bad development practices. And the people behind these attacks are most likely workaday cybercriminals, not your top-level nation-state attackers.
Here’s a breakdown of the breaches and incidents:
Optus: Someone discovered an unauthenticated API at the telecommunications company and then tried a ham-fisted, amateur extortion attempt. Experts have long warned of the danger of misconfigured APIs. Data haul: 10 million records, a third of which have sensitive ID numbers (see Optus Attacker Halts AU$1.5 Million Extortion Attempt).
Medibank Private: Unfortunately, this feels like a pro ransomware/extortion group against this large health insurer, which has around 4 million customers. Medibank says compromised credentials led to the intrusion. Problem: Inadequate identity and access controls. Data haul: Health and claims data plus basic bio data. It’s a worst-case data theft scenario (see Hackers Threaten to Sell Stolen Medibank Data, Seek Ransom).
Vinomofo: This online wine retailer says it used production customer data while running tests to upgrade its digital platform, which is a bad development practice. Then, 700,000 customer records turned up for sale on a Russian-language forum. This is workaday cybercrime.
MyDeal.com.au: This online marketplace run by Woolworths Group said compromised login credentials for its CRM system led to the breach. The data, around 2 million records, appeared for sale as well on a forum for $600. Again, workaday cybercrime.
Australian Music Examinations Board: AMEB says its online shop, which runs Adobe’s e-commerce software, was attacked this month, causing a breach. It appears AMEB may not have acted fast enough after a patch was released for an XSS flaw with a CVSS score of 10 just a day before it was attacked. Financial crime actors wait and pounce when these dangerous flaws become public. Verdict: Workaday cybercrime.
EnergyAustralia: The energy retailer said 323 residential and small business customers’ accounts were taken over between September and October. Account takeovers are a problem for every online service provider. The company did a system-wide password reset. But it doesn’t appear EnergyAustralia offers two-step verification on its accounts. Workaday cybercrime, again.
All of the incidents appear to be rooted in cybercriminals exploiting security weaknesses then trying to turn that stolen data into money. The security issues in play are common areas for discussion and focus.
The worry for Australia should be that nation-state actors aren’t going to be as obnoxious and public about their intrusions. And post-Optus, they may very well see Australia as a soft target. If the workaday cybercriminals are having so much success now, Australia may be in for a rough run.