PM announces “Massive” cyber-attack on Australia
Australia is under sustained cyber attack, warns the government. What’s going on, and what should businesses do?
Prime Minister Scott Morrison had some alarming news for Australians on Friday morning: we are under cyber attack. He informed the nation the attacks “hadn’t just started”, and that Australian businesses and governments are being widely targeted.
It is unclear why the government chose Friday to make the announcement, or indeed what exactly is going on.
The attack is described as “state-sponsored”, which means a foreign government is believed to be behind it. When asked who that might be, Morrison said there is a high threshold for drawing that kind of conclusion, but added:
…there are not a large number of state-based actors that can engage in this type of activity.
This has been interpreted as a coded reference to China, which the Australian government reportedly suspects of being behind the attacks.
What do we know about the attack so far?
An advisory note posted on the government’s Australian Cyber Security Centre website describes the attack as a “cyber campaign targeting Australian networks”.
The advisory says the attackers are primarily using “remote code execution vulnerability” to target Australian networks and systems. Remote code execution is a common type of cyber attack in which an attacker attempts to insert their own software codes into a vulnerable system such as a server or database.
The attackers would not only try to steal information but also attempt to run malicious codes that could damage or disable the systems under attack.
Detecting this is hard, and would require advanced defensive measures such as penetration testing, in which trained security professionals known as “ethical hackers” try to hack into a system in an attempt to find potential vulnerabilities.
What systems have been affected?
The advisory linked the attack to three specific vulnerabilities in particular systems, detailed below. Any business that uses any of these systems is vulnerable to attack. It is too early to tell whether other systems are also vulnerable; other vulnerabilities may emerge as investigations continue.
- Microsoft Internet Information Services (IIS) – This is a general-purpose webserver from Microsoft that runs on Windows systems. The most common use of an IIS is to host web-based applications and simple static websites.
- SharePoint – A SharePoint Server is used by organisations to manage Office 365 Enterprise accounts within their own organisation.
- Citrix – The affected Citrix products are mainly Citrix gateways and servers. These are used to support web, cloud and mobile application services.
Action required for all three systems:
- Ensure you are running the latest version of the software
- Install the latest patches and updates
- Change all passwords, log off from all devices
- Set up multifactor authentication, more details can be found here
- Scan and remove any malicious codes which you don’t recognise.
How does this affect Proactive IT clients?
ProITS clients on a support plan will already be protected by the latest software versions, patches and updates. Other clients should contact us to check any vulnerabilities.
All clients should change passwords and if you’re not already using a password manager, I would strongly advise you to start.
If you don’t have two-factor authentication in place for critical logins, including Office 365, now is the time to get that set up.
How can businesses protect themselves?
Even though the specific threats are not fully known to the public, there is a range of measures businesses can take in the meantime. These include:
Use available government resources
The federal government has provided extensive cyber safety guidelines for Australian businesses, featuring advice on cyber security and data protection, and information on the various types of cyber threat.
More comprehensive cyber security guidelines can be found at the ACSC website, including detailed advice on secure management of databases, email systems and physical computer assets, among others.
Watch out for spam
Phishing is not just limited to email. These scams can be executed via text messages, social media such as Facebook, and VOIP messaging services such as WhatsApp.
As a general guide:
- do not open messages or attachments from unknown senders
- remember that genuine organisations such as banks, government departments and online retailers never ask for personal information via email, and you should always check with them directly (such as by calling them) if in doubt.
Beware DDoS attacks
A “distributed denial of service” (DDoS) attack is the most common type of cyber attack. It works by flooding your website with traffic, preventing genuine customers from reaching your website. Think of it like a traffic jam clogging up a highway and preventing cars from reaching their destinations.
Luckily, there are ways to reduce the impact of DDoS attacks, such as by using intrusion detection and prevention systems. If you are concerned about DoS attacks speak with your internet provider about developing a DDoS response plan.
Have a backup plan
A “continuity plan” ensures important assets such as personnel records, customer databases and network configurations are protected and can be restored quickly in the event of a cyberattack.
Businesses should also follow sensible IT security procedures, which include the following:
Regardless of the details, the latest announcement is a reminder that we should not lower our guard against cyber attacks. The latest round of cyber attacks are likely the result of previous “reconnaissance attacks”, which revealed existing vulnerabilities in Australian networks.
Taking the steps outlined above could help prevent hackers mounting similar attacks in the future.