Cyber attack at BlueScope Steel and MyBudget highlights a chronic problem facing businesses, particularly those with poor privacy protocols

May 16, 2020

This year has seen some major cyber attacks which have crippled businesses. On 31 January 2020 Toll Transport’s systems were infected with ransomware, a variant of the Mailto or Netwalker ransomware. It operates by encrypting all the common file types outside the operating system, rendering the files unusable. That meant Toll couldn’t perform its core service, delivery.

Mailto is usually spread through a compromised email attachment, but it can also be delivered through user credential theft or a brute force attack on passwords in combination with usernames. Attacks by email involve Mailto activating an infected payload through what appears to be a legitimate file. Attacks are commonly sent from a domain with a high reputation. Sometimes they are sent from compromised email accounts. These forms of attack easily bypass traditional email security techniques which rely on blacklists and reputational analysis. The more sophisticated attacks use spoofing techniques and zero-day links, URLs not previously used in attacks. It is not uncommon to see ransomware being delivered by very personalised spear phishing attacks, often involving impersonation of a trusted employee of the company, or of a website or supplier used by the company.

A Mailto attack encrypts files, which are renamed with the attacker’s preferred email address for communications and a file extension that is unique to the compromised user. The attacker promises that by emailing any one encrypted file to them, the user can have it decrypted as proof that the criminal can be trusted to follow through with any transaction and deliver a method for unlocking the files.
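The renaming pattern described above gives defenders a cheap file-system signal: one attacker address and one appended extension turning up on many files at once. The following is an added example, not code from the original post or from any vendor. It parses file names of the constructed shape `original.ext.mailto[email].xxxxx` (the `mailto[` marker and bracket separators are assumptions made for this example) and flags clusters of files sharing the same address and appended extension.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed file-name shape, following the post's description of Mailto renaming
# (original name, the attacker's contact e-mail address, then a per-victim extension).
# The "mailto[" marker and the bracket separators are an assumption for this example.
RENAMED = re.compile(
    r"^(?P<orig>[^/]+?\.[A-Za-z0-9]{1,5})"           # original name with its real extension
    r"\.(?P<marker>[^.]*?)"                           # optional family marker, e.g. "mailto["
    r"(?P<email>[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,})"  # attacker's contact address
    r"[^.]*"                                          # closing bracket or similar
    r"\.(?P<new_ext>[A-Za-z0-9]{3,12})$"              # extension unique to the victim
)

def parse_renamed(name):
    """Return (original_name, email, new_ext) if name looks ransomware-renamed, else None."""
    m = RENAMED.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("email").lower(), m.group("new_ext").lower()

def find_mass_rename(paths, threshold=5):
    """Group renamed files by (email, extension). A cluster of at least `threshold`
    files sharing one pair is the mass-rename footprint of a single encryption run."""
    clusters = defaultdict(list)
    for p in paths:
        parsed = parse_renamed(PurePosixPath(p).name)
        if parsed:
            _, email, ext = parsed
            clusters[(email, ext)].append(p)
    return {k: v for k, v in clusters.items() if len(v) >= threshold}

# Constructed directory listing: six files renamed by one run, one stray single
# rename, and two legitimate names that happen to contain an '@' or extra dots.
SAMPLE_PATHS = [
    f"/srv/share/finance/Q{i}_report.xlsx.mailto[restore@example.invalid].9f3ka"
    for i in range(1, 5)
] + [
    "/srv/share/finance/budget.final.docx.mailto[restore@example.invalid].9f3ka",
    "/srv/share/finance/payroll.csv.mailto[restore@example.invalid].9f3ka",
    "/home/bob/notes.txt.mailto[restore@example.invalid].k2mz1",
    "/srv/share/finance/contact_list_john@example.com.csv",
    "/srv/share/hr/handbook.v2.pdf",
]

if __name__ == "__main__":
    for (email, ext), files in find_mass_rename(SAMPLE_PATHS).items():
        print(f"{len(files)} files renamed with {email!r} / .{ext}, e.g. {files[0]}")
```

Run against a file-share listing or a file-server audit log, the same clustering flags an encryption run while it is still in progress, long before a ransom note is read.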

Unfortunately only the attacker can decrypt data that has been encrypted by the malware. Mailto uses a very strong encryption algorithm that is exceedingly difficult to unlock without the encryption key.

For Toll Transport the experience has been the business equivalent of a slow motion car wreck. Notwithstanding telling the market in March that things had returned to normal, it suffered a second attack in May, this time using Nefilim. Nefilim operates by the attacker threatening to release data to the public if the victim fails to pay the ransom. Its likely distribution point is an exposed Remote Desktop Protocol service. Nefilim is similar to Nemty 2.5 ransomware. The key difference is that Nefilim has no Ransomware-as-a-Service (RaaS) feature and payments occur through email communication instead of using Tor. Nefilim uses AES-128 encryption.

Yesterday there were widespread reports of BlueScope Steel suffering a ransomware attack which forced a partial shutdown of production. The Australian Financial Review provides very useful coverage which suggests that COVID-19 scareware emails combined with staff working from home

BlueScope’s media release is a model of saying not very much while appearing to be proactive and responsible. It is a pity that it wasn’t as open as Toll Transport, which identified the type of malware. That assists everyone. The fact is that there was a breach, and the starting point is that there was a failure somewhere within BlueScope, in its cyber defences or in the quality of training its staff are receiving in dealing with suspect emails, or at least in identifying suspect emails. Instead the bland statement provides:

BlueScope today confirmed that its IT systems have been affected by a cyber incident, causing disruptions to parts of the Company’s operations. Our North Star, Asian and New Zealand businesses are continuing largely unaffected with minor disruptions. In Australia, manufacturing and sales operations have been impacted; some processes have been paused, whilst other processes including steel despatches continue with some manual processes and workarounds.

BlueScope Chief Financial Officer, Tania Archibald said the cyber incident was detected in one of the Company’s US businesses and the Company had acted promptly to respond to the incident. In the affected areas the Company has reverted to manual operations where possible while it fully assesses the impact and remediates as required, in order to return to normal operations as quickly as possible.

“We are taking this event extremely seriously. Our people are working diligently to protect and restore our systems, and we are working with external providers to assist us. Our focus remains on being able to service our customers and to maintain safe and reliable operations,” Ms Archibald said.

BlueScope will provide a further update in due course, as appropriate.

The Australian Financial Review article provides:

Steelmaker BlueScope is the latest large company to have its operations compromised by a cyber attack, revealing that systems around the world had been taken down and some production stopped at sites including Port Kembla in NSW.

The company is not disclosing the nature of the attack or the suspected identity of the hackers, but it said Australian manufacturing and sales operations had been hit, with some processes halted at operations around the world.

The BlueScope attack comes days after Toll Group revealed that hackers had used malware to infiltrate its systems and steal private data in a bid to charge a ransom for its return.

In a statement, BlueScope chief financial officer Tania Archibald said the cyber incident was initially detected in one of its US businesses and that affected areas across the company had reverted to manual operations where possible.

AFR Weekend understands the systems affected by the shutdown are largely related to back-office functions, such as order management, scheduling and logistics tracing, and that dispatches of steel have been largely unaffected.

There have been some disruptions to some BlueScope production plants such as Port Kembla in Wollongong, where its hot strip mill has been taken down while technology teams look to bring up back-up versions of the systems that don’t contain the virus.

“We are taking this event extremely seriously. Our people are working diligently to protect and restore our systems, and we are working with external providers to assist us,” Ms Archibald said.

“Our focus remains on being able to service our customers and to maintain safe and reliable operations.”

A spokesman for the company was not able to confirm whether the attackers had used the common ploy for deploying ransomware, which is through an employee clicking on a link in a fake email.

Like Toll Group, most BlueScope staff are working from home due to the COVID-19 pandemic, with only staff involved in physical production on-site.

“Australian industry’s mass transition to working from home is likely one of the primary causes of the perceived uptick in successful cyber attacks against Australian businesses,” Shannon Sedgwick, head of cyber security practice at consulting firm Ankura, said.

“Remote workers adopt riskier behaviour online and it is difficult for their employer to enforce cyber security policies and standards. Malicious actors are exploiting this situation, which is evident in their increased employment of phishing emails and ransomware attacks.”

In March, following a spike in cyber criminals using concerns about the coronavirus pandemic to target individuals with infected emails purporting to be about the outbreak, the federal government’s cyber security wing warned Australians to be aware of scams.

Earlier this week, Defence Minister Linda Reynolds said the Australian Signals Directorate had since needed to use its offensive cyber capabilities to disrupt foreign cyber criminals responsible for COVID-19-themed malicious cyber activities.

Mr Sedgwick said this aptly named “scareware” had led to an increase in ransomware attacks and theft of credentials in Australia and globally.

James Turner, the founder of CISO Lens, a forum for chief information security officers of large Australian organisations, said it was not possible to properly analyse the cause and prognosis of BlueScope’s problems until it announced what had happened.

He said cyber attacks had implications for organisations across industry sectors, and it was important for companies to be able to publicly discuss what had happened to prevent further incidents elsewhere.

“As an industry, we need to do a better job of sharing essential artefacts – like indicators of compromise – quickly, so that the ecosystem can determine if the attack is widespread,” Mr Turner said.

“Of course, the problem is that expecting companies to be able to share information swiftly relies on the attacked company having the internal capability to understand what’s happening, and this is not always the case.”

MyBudget, a money management company, was also hit by a ransomware attack which caused a nationwide outage affecting 13,000 customers. The problem started on 10 May with clients unable to access their money, moved to manual payments being made on 12 May and phone lines being jammed on 13 May, with emails to clients each day thereafter, and finally yesterday came confirmation, or at least an announcement, that malware caused the problem. The supposed hyperlinks to the updates on its website do not seem to work.

For a company whose business plan is to manage customers’ money to be unable to interact with its customers, which has the effect of cutting them off from their money, is disastrous. That said, MyBudget’s statement seems to give the impression of “it’s all under control” with a subtext of “nothing to see here”. It provides:

MyBudget is currently experiencing a systems outage that is affecting access to the client portal and app, as well as our client messaging and payments systems. Our tech team are working at pace to rectify the issue.

Please be assured that your money is completely safe and secure.

This page will keep you informed about the outage, and we will be posting regular updates (see below).

No scheduled or planned payments can be made automatically during the outage.

At this stage we have no resolution time for the system outage, and in the meantime are helping clients who require urgent living expense transfers by processing those payments manually.

To request a manual payment, please call our client care team on 1300 300 922 who are ready to help.

We sincerely apologise for any inconvenience this outage may cause and thank all of our clients for their understanding and patience.

We promise that we’re working around the clock to bring all systems back online as soon as possible.

It has been a disaster for MyBudget, compounded by a generally poor response.

Ransomware almost invariably obtains a foothold in a company’s systems through the delivery of emails. It is not inevitable that a company will suffer a ransomware attack. The recent claims that COVID-19, with more people working from home and scareware being prevalent, has resulted in more successful ransomware attacks are more an explanation of why a company’s training is inadequate than an acceptable excuse for the outcomes. Companies should have firm protocols and rules for dealing with unverified emails. Employees should be trained to avoid opening such emails or attachments whether they are working from home or in a cubicle in the office. Further, companies should back up files to prevent loss. It is also important to regularly update software and applications to ensure that systems are protected against both old and recent vulnerabilities.

The malware attacks affecting Toll Transport, BlueScope Steel and MyBudget were probably all preventable. It is highly likely that human error was responsible for each attack. That bespeaks a failure in training and operations. In my experience an investigation of a data breach often reveals significant problems with compliance with the Australian Privacy Principles and problems with either the quality or the ongoing nature of training.

On top of the financial impact of the breach and the reputational damage as the media, traditional and social, report on a breach, there is also the potential that the regulators will have to be told
