Data breaches everywhere, with 2.3 billion records breached worldwide in February 2021 and a grand total of 539 breaches notified to the Australian Information Commissioner between July and December 2020. A lack of credibility in the Australian mandatory data breach notification scheme.

March 7, 2021

IT Governance has published its list of data breaches and cyber attacks in February 2021, estimating that 2.3 billion records were breached. The attacks range from the relatively modest in number, with 208 records of Watermark Retirement Communities residents across 10 states being affected, to the catastrophically large: millions of user records of Raychat being destroyed, and the records of 102 million consumers of two mobile operators in Brazil being exposed. There were other significant breaches, including 400 million records of a delivery company, Bykea, being leaked in Pakistan, and Australia’s Oxfam discovering that its database of 1.7 million records was being offered for sale on a hacker forum. The humiliating Oxfam data breach required it to issue, on 1 March 2021, the now all too familiar candid post on where matters stand, which provides:

Following an independent IT forensic investigation, Oxfam Australia announced today that it has found supporters’ information on one of its databases was unlawfully accessed by an external party on 20 January 2021.

The database includes information about supporters who may have signed a petition, taken part in a campaign or made donations or purchases through our former shops.

While the investigation found that no passwords were compromised, the database unlawfully accessed by the external party for the majority of supporters included names, addresses, dates of birth, emails, phone numbers, gender and in some cases, donation history. For a limited group of supporters, the database contained additional information, and Oxfam is contacting these supporters directly to inform them of the specific types of information relevant to them.

Oxfam Australia alerted its supporters of the potential risk on 4 February 2021 and has now begun notifying all supporters about steps that they can take to protect their information.

Oxfam Australia has notified and is working with industry regulators, including the Office of the Australian Information Commissioner and Australian Cyber Security Centre.

Chief Executive Lyn Morgain said that Oxfam Australia immediately launched the investigation and engaged industry-leading forensic IT experts to assist after being alerted on 27 January 2021 to a suspected data incident.

“Throughout the course of the investigation, we have communicated quickly and openly with our supporters, while also complying with regulatory requirements,” Ms Morgain said. “We contacted all our supporters early last month to alert them to a suspected incident, which has now been confirmed.”

Given the nature of the information accessed, there may be risks relating to scam communications via unsolicited emails, phone calls or text messages. We recommend people remain vigilant and refrain from actioning unsolicited requests to provide information, including actioning links and opening attachments. Scammers can seem quite believable and impersonate government, police and business, including making their telephone numbers and email addresses look legitimate. If in doubt, people are encouraged to make their own enquiries via official and publicly reported communication channels.

Ms Morgain assured that Oxfam Australia would continue to work with relevant authorities and treat the incident with the utmost seriousness on behalf of its supporters.

“The privacy and protection of our supporters has been our paramount consideration during this process, which has involved a thorough and complex investigation,” Ms Morgain said.

“Oxfam supporters are at the heart of our organisation and their confidence is critical to our ongoing work in tackling the inequality that causes poverty around the world.

“We sincerely regret this incident has occurred.”

It is interesting that Oxfam advises that the Australian Information Commissioner has been informed but nary a word from the Information Commissioner. Typical.

It appears those breaches may be eclipsed by a data breach caused by zero-day flaws in Microsoft’s Exchange email software. The SolarWinds data breach of last year was a disaster whose ramifications are continuing. Russian state hackers compromised IT management tools from SolarWinds, affecting 18,000 organisations. While it is widely reported as breaching the data security of a half dozen US federal agencies, it also impacted Australian companies and public service entities, including NSW Health, Rio Tinto and Serco, amongst others.

That melancholy event may have been eclipsed by a data breach involving the installation of a back door through the exploitation of recently patched flaws in Microsoft’s email software. The ABC reports on it in White House fears significant number of organisations caught in Microsoft hack, which provides:

The White House fears a significant number of organisations around the world have been compromised through a back door installed via recently patched flaws in Microsoft’s email software, and warns it “could have far-reaching impacts”.

The hacking has already reached more places than all of the tainted code downloaded from SolarWinds Corp, the company at the heart of another massive hacking spree uncovered in December.

The latest hack has left channels for remote access spread among credit unions, town governments and small businesses, according to records from a US investigation.

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) advised organisations using Microsoft Exchange to urgently patch vulnerabilities.

“The ACSC is monitoring the situation and is able to provide assistance and advice as required,” an ACSC alert said.

If successfully exploited, “an unauthenticated attacker” could “write files and execute code”, the alert warned.

Tens of thousands of organisations in Asia and Europe are also affected, the records show.

The hacks are continuing despite emergency patches issued by Microsoft on Tuesday.

Microsoft, which had initially said the hacks consisted of “limited and targeted attacks,” declined to comment on the scale of the problem on Friday but said it was working with government agencies and security companies to provide help to customers.

One scan of connected devices showed only 10 per cent of those vulnerable had installed the patches by Friday, though the number was rising.

Because installing the patch does not get rid of the back doors, US officials are racing to figure out how to notify all the victims and guide them in their hunt.

All of those affected appear to run Web versions of email client Outlook and host them on their own machines, instead of relying on cloud providers.

That may have spared many of the biggest companies and federal government agencies, the records suggest.

The federal Cybersecurity and Infrastructure Security Agency did not respond to a request for comment.

Earlier on Friday, White House press secretary Jen Psaki told reporters that the vulnerabilities found in Microsoft’s widely used Exchange servers were “significant,” and “could have far-reaching impacts”.


“We’re concerned that there are a large number of victims,” Psaki said.

Microsoft has blamed the initial wave of attacks on a Chinese government-backed actor. A Chinese government spokesman said the country was not behind the intrusions.

What started as a controlled attack late last year against a few classic espionage targets grew last month to a widespread campaign.

Security officials said that implied that unless China had changed tactics, a second group may have become involved.

More attacks are expected from other hackers as the code used to take control of the mail servers spreads.

The hackers have only used the back doors to re-enter and move around the infected networks in a small percentage of cases, probably less than 1 in 10, a government worker told Reuters.

“A couple hundred guys are exploiting them as fast as they can,” stealing data and installing other ways to return later, he said.

The initial avenue of attack was discovered by prominent Taiwanese cyber researcher Cheng-Da Tsai, who said he reported the flaw to Microsoft in January.

He said in a blog post that he was investigating whether the information leaked.

Krebs on Security, in At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software, provides:

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.

In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.

In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.

Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.

Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Microsoft’s initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.

But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.

“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

Reached for comment, Microsoft said it is working closely with the U.S. Cybersecurity & Infrastructure Security Agency (CISA), other government agencies, and security companies, to ensure it is providing the best possible guidance and mitigation for its customers.

“The best protection is to apply updates as soon as possible across all impacted systems,” a Microsoft spokesperson said in a written statement. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”

Meanwhile, CISA has issued an emergency directive ordering all federal civilian departments and agencies running vulnerable Microsoft Exchange servers to either update the software or disconnect the products from their networks.

Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help. The trouble is, patching the flaws only blocks the four different ways the hackers are using to get in. But it does nothing to undo the damage that may already have been done.

A tweet from Chris Krebs, former director of the Cybersecurity & Infrastructure Security Agency, responding to a tweet from White House National Security Advisor Jake Sullivan.

White House press secretary Jen Psaki told reporters today the vulnerabilities found in Microsoft’s widely used Exchange servers were “significant,” and “could have far-reaching impacts.”

“We’re concerned that there are a large number of victims,” Psaki said.

By all accounts, rooting out these intruders is going to require an unprecedented and urgent nationwide clean-up effort. Adair and others say they’re worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broadening the attack to include other portions of the victim’s network infrastructure.

Security researchers have published several tools for detecting vulnerable servers. One of those tools, a script from Microsoft’s Kevin Beaumont, is available from Github.

KrebsOnSecurity has seen portions of a victim list compiled by running such a tool, and it is not a pretty picture. The backdoor web shell is verifiably present on the networks of thousands of U.S. organizations, including banks, credit unions, non-profits, telecommunications providers, public utilities and police, fire and rescue units.

“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”

Another government cybersecurity expert who participated in a recent call with multiple stakeholders impacted by this hacking spree worries the cleanup effort required is going to be Herculean.

“On the call, many questions were from school districts or local governments that all need help,” the source said, speaking on condition they were not identified by name. “If these numbers are in the tens of thousands, how does incident response get done? There are just not enough incident response teams out there to do that quickly.”

When it released patches for the four Exchange Server flaws on Tuesday, Microsoft emphasized that the vulnerability did not affect customers running its Exchange Online service (Microsoft’s cloud-hosted email for businesses). But sources say the vast majority of the organizations victimized so far are running some form of Internet-facing Microsoft Outlook Web Access (OWA) email systems in tandem with Exchange servers internally.

“It’s a question worth asking, what’s Microsoft’s recommendation going to be?,” the government cybersecurity expert said. “They’ll say ‘Patch, but it’s better to go to the cloud.’ But how are they securing their non-cloud products? Letting them wither on the vine.”

The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.

“It’s reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”

Microsoft has said the incursions by Hafnium on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.

“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.

Nevertheless, the events of the past few days may well end up far eclipsing the damage done by the SolarWinds intruders.

This is a fast-moving story, and likely will be updated multiple times throughout the day. Stay tuned.

What is concerning about the SolarWinds hack and the attack on Microsoft Exchange is that the overall damage of those attacks may never be known and it may take years to remediate the breaches. The scope of the attacks is so wide and the penetration so damaging that the time and effort to completely audit the impact is enormous, and the physical and financial capacity to fix the problems is inadequate for the task. What makes these attacks so different and damaging is that they are continuing, so trying to fix the problem is hard. Wired, in China’s and Russia’s Spying Sprees Will Take Years to Unpack, describes the problems in detail. These attacks represent an escalation of the threat posed by hackers, particularly state operatives.
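The recurring point in the ABC and Krebs reports above is that applying the Exchange patch closes the entry route but does nothing about a web shell that was already dropped, so a patched server still needs a compromise check. The script below is an added illustration of that check, written for this post; it is not Microsoft’s guidance, not the Kevin Beaumont tool Krebs mentions, and it does not identify the actual flaws. It works over constructed IIS-style access log lines and a constructed file inventory, and the allowlist of legitimate script paths (`/webmail/...`), the patch time and every path in it are assumptions made up for the example. The two checks it runs are the generic ones a defender would apply to any self-hosted web application after an incident of this kind: requests to script files the application is not known to serve, split into before and after the patch was applied, and script files that exist now but were absent from the pre-incident baseline.

```python
"""
Post-patch compromise check for a self-hosted web mail server.
Added example for this post; not the page's or any vendor's code.
All log lines, paths and timestamps below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Field order of the constructed W3C-style log lines (a subset of real IIS fields).
FIELDS = ["date", "time", "cs-method", "cs-uri-stem", "c-ip", "sc-status"]

# Assumed allowlist: script paths the web application legitimately serves.
KNOWN_SCRIPTS = {
    "/webmail/auth/logon.aspx",
    "/webmail/default.aspx",
}

# Assumed time at which the emergency update was installed on this server.
PATCH_APPLIED = datetime(2021, 3, 2, 18, 0)

# Constructed sample traffic (not real log data).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2021-03-01 08:00:12 GET /webmail/auth/logon.aspx 198.51.100.7 200
2021-03-01 08:00:20 POST /webmail/auth/logon.aspx 198.51.100.7 302
2021-03-01 22:14:05 POST /webmail/auth/help.aspx 203.0.113.9 200
2021-03-03 02:14:09 POST /webmail/auth/help.aspx 203.0.113.9 200
2021-03-04 11:30:00 GET /webmail/default.aspx 198.51.100.7 200
2021-03-04 11:30:02 GET /webmail/styles/main.css 198.51.100.7 200
2021-03-05 23:59:59 GET /webmail/static/cache.aspx 203.0.113.9 200
"""

# Constructed file inventories: taken before the incident window and now.
BASELINE_INVENTORY = {
    "/inetpub/wwwroot/webmail/auth/logon.aspx",
    "/inetpub/wwwroot/webmail/default.aspx",
    "/inetpub/wwwroot/webmail/styles/main.css",
}
CURRENT_INVENTORY = BASELINE_INVENTORY | {
    "/inetpub/wwwroot/webmail/auth/help.aspx",
    "/inetpub/wwwroot/webmail/static/cache.aspx",
}


@dataclass(frozen=True)
class Hit:
    when: datetime
    method: str
    path: str
    client: str
    after_patch: bool  # True if the request arrived after the patch was applied


def parse_log(text):
    """Yield one dict per data line; skip directives and malformed lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))


def find_unexpected_scripts(text, patch_time=PATCH_APPLIED):
    """Requests to .aspx paths that are not on the allowlist, in log order."""
    hits = []
    for rec in parse_log(text):
        path = rec["cs-uri-stem"].lower()
        if not path.endswith(".aspx") or path in KNOWN_SCRIPTS:
            continue
        when = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        hits.append(Hit(when, rec["cs-method"], path, rec["c-ip"], when >= patch_time))
    return hits


def new_script_files(baseline, current):
    """Script files present now but absent from the pre-incident baseline."""
    return sorted(p for p in set(current) - set(baseline) if p.lower().endswith(".aspx"))


def summarize(hits):
    """Counts a responder would want first: total, post-patch, distinct paths."""
    return {
        "total": len(hits),
        "after_patch": sum(1 for h in hits if h.after_patch),
        "distinct_paths": len({h.path for h in hits}),
    }


if __name__ == "__main__":
    hits = find_unexpected_scripts(SAMPLE_LOG)
    for h in hits:
        tag = "AFTER patch" if h.after_patch else "before patch"
        print(f"{h.when} {h.method:4} {h.path} from {h.client} ({tag})")
    print(summarize(hits))
    print("new script files:", new_script_files(BASELINE_INVENTORY, CURRENT_INVENTORY))
```

The split by patch time is the useful part: an unexpected script that is still being requested after the update went on is exactly the case the reports describe, a server that is patched but not clean. On a real server the allowlist would come from the vendor’s installed file manifest and the baseline from a known-good image, not from literals in the script.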

In the last week there have been data breaches of:

The Office of the Australian Information Commissioner’s latest report on notifiable data breaches, for the second half of 2020, is interesting up to a point. From the executive summary the key findings are:

The NDB scheme was established in February 2018 to improve consumer protection and drive better security standards for protecting personal information. Under the scheme, any organisation or government agency covered by the Privacy Act 1988 must notify individuals affected and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved.

The OAIC publishes twice-yearly reports on notifications received under the NDB scheme to track the leading sources of data breaches, and to highlight emerging issues and areas for ongoing attention by regulated entities.

  • 539 breaches were notified under the scheme, an increase of 5% from the 512 notifications received from January to June 2020.
  • Malicious or criminal attacks (including cyber incidents) remain the leading source of data breaches, accounting for 58% of notifications.
  • Data breaches resulting from human error accounted for 38% of notifications, up 18% from 173 notifications to 204.
  • The health sector remains the highest reporting industry sector, notifying 23% of all breaches, followed by finance, which notified 15% of all breaches.
  • The Australian Government entered the top 5 industry sectors to notify data breaches for the first time, notifying 6% of all breaches.
  • 68% of data breaches affected 100 individuals or fewer.
  • 78% of entities notified the OAIC within 30 days of becoming aware of an incident that was subsequently assessed to be an eligible data breach.

The Information Commissioner highlights human error as a significant (38%) and growing cause of data breaches. Given the small sample size it is premature to draw any conclusions as to whether this is a trend into the future. Human error has always been a significant problem in properly securing data. It will always be a constant issue but can be minimised with proper training and with systems which restrict staff from having easy access to personal information.

The Commissioner’s press release provides:

Data breaches attributed to human error continue to increase according to the Office of the Australian Information Commissioner’s (OAIC) latest Notifiable Data Breaches Report.

The OAIC received 539 data breach notifications from July to December 2020, an increase of 5% on the previous six months (512).

Australian Information Commissioner and Privacy Commissioner Angelene Falk said 38% of all data breaches notified during the period were attributed to human error.

“In the past six months, we saw an increase in human error breaches both in terms of the total number of notifications received – up 18% to 204 – and proportionally – up from 34% to 38%,” Commissioner Falk said.

“The human factor is also a dominant theme in many malicious or criminal attacks, which remain the leading source of breaches notified to my office.

“Organisations need to reduce the risk of a data breach by addressing human error – for example, by prioritising training staff on secure information handling practices.”

Malicious or criminal attack accounted for 310 notifications during the period (58%) and system fault was responsible for 25 notifications (5%).

Health service providers again notified the most data breaches (23%) of any industry sector, followed by finance, which notified 15% of all breaches.

For the first time, the Australian Government entered the top 5 industry sectors by notifications, accounting for 6% of all breaches, with human error the leading cause.

“Ensuring the security of personal information is an area of regulatory focus for the OAIC, particularly in the health and finance industries, which have consistently been the top two sectors to report breaches,” Commissioner Falk said.

The OAIC is also calling for entities to have effective systems in place for responding to data breaches.

“Being prepared for a data breach is important for all entities that handle personal information,” Commissioner Falk said.

“Entities must have effective systems for detecting, containing, assessing, notifying and reviewing data breaches.

“Critically, they need to provide individuals with clear and timely information about data breaches, including recommendations on steps they can take to protect themselves from harm. Any unnecessary delay in providing this information undermines the purpose of the Notifiable Data Breaches scheme.”

Commissioner Falk said entities should use the information and guidance provided in the report to help review their processes and ensure they are fit for purpose.

“We are nearing three years of operation of the Notifiable Data Breaches scheme and expect that entities have systems in place to report breaches in line with legislative requirements,” she said.

“We also expect organisations to have improved the security of personal information they hold to prevent breaches.

“We will continue to closely monitor compliance with the scheme and prioritise regulatory action where there are significant failings.” 

One consistent feature of the Information Commissioner’s speeches and press releases is the call for proper preparation, effective systems to deal with breaches and other bromides about doing the right thing. The problem is that this is the apparent extent of the Commissioner’s actions. The Office is a timid regulator. It makes few determinations, those it makes in the applicants’ favour result in dismissive awards, and it does not commence civil proceedings against those who breach the Privacy Act (the current proceeding against Facebook being a notable exception).

