Cyber Security Agency of Singapore releases Cyber Landscape report for 2022. Phishing and ransomware continue to pose problems

June 28, 2023

The Singapore Cyber Security Agency has released its Cyber Landscape Report. The results are hardly surprising. Phishing and ransomware are chronic problems. They are growing in both volume and intensity.

The report's findings provide:

Key Malicious Cyber Activities in 2022

    1. Phishing. There were around 8,500 phishing attempts reported to the Singapore Cyber Emergency Response Team (SingCERT) in 2022, more than double the 3,100 cases handled in 2021. More than 50 per cent of reported cases involved URLs ending with “.xyz”, a popular top-level domain (TLD) among threat actors given its low cost and limited restrictions on usage. The average length of reported phishing links decreased by almost half, suggesting that threat actors are using URL shortener services more frequently to mask their malicious intent and track the click-through rate of their phishing campaigns. The most commonly spoofed sectors were Banking and Financial Services, Government and Logistics. More than 80 per cent of reported phishing sites masqueraded as entities within the Banking and Financial Services sector. They are often targets of phishing attacks as they are trusted institutions which hold sensitive and valuable information such as personal details and login credentials. Overall, the increase in reported phishing attempts mirrored global trends, with multiple cybersecurity vendors observing that phishing activities grew substantially in 2022. In all, SingCERT facilitated the takedown of 2,918 malicious phishing sites in 2022.
    2. Ransomware incidents. Ransomware remains a major issue both in Singapore and globally, with cybersecurity vendors reporting a 13 per cent increase in ransomware incidents worldwide in 2022. In Singapore, the number of reported ransomware cases saw a slight decrease with 132 cases reported to CSA in 2022, compared to the 137 cases reported in 2021. The cases affected mostly Small-and-Medium Enterprises (SMEs) from sectors such as manufacturing and retail, as they may hold valuable data as well as Intellectual Property (IP), which cybercriminals often seek to extort and monetise for financial gain. Many of such firms also lack dedicated resources to counter cyber threats.
    3. Infected Infrastructure. In 2022, CSA observed 81,500 infected systems in Singapore, a decrease of 13 per cent from 94,000 in 2021. Despite a sharp growth of infected infrastructure observed worldwide, Singapore’s global share of infected infrastructure fell from 0.84 per cent in 2021 to 0.34 per cent in 2022. While this decrease in infected infrastructure in Singapore points to an improvement in cyber hygiene levels, the absolute number of infected systems in Singapore remains high. The top three malware infections on locally-hosted C&C servers were Cobalt Strike, Emotet and Guloader, while Gamarue, Nymaim and Mirai were the top three malware found on locally-hosted botnet drones, accounting for nearly 80% of Singapore IP addresses infected by malware in 2022.
    4. Website Defacements. 340 ‘.sg’ websites were defaced in 2022, a decrease of 19 per cent from 419 in 2021. Most victims were SMEs. The downward trend could be attributed to hacktivist activities moving to other platforms with potentially wider reach, such as social media. In general, a downward trend in global website defacements was observed, with the exception of Ukraine and Russia, which have seen hacktivist activities spike amidst the ongoing conflict, including the defacement of more than 70 Ukrainian government websites just before hostilities broke out.


Federal Government appoints inaugural National Cyber Security Coordinator

In the 1980s it was fashionable in the Federal Government to create tsars. The term signified that they were doing something important and had enhanced powers. There were drug tsars and education tsars. The terminology was a bit unfortunate. Tsars historically had a habit of coming unstuck in horrible ways. Nothing like that happened in America, but not much was done either. Australia is not nearly so grandiose. In Australia the tradition is to appoint directors or coordinators. In that tradition the Government has announced the appointment of Air Marshal Darren Goldie AM CSC as the inaugural National Cyber Security Coordinator. The position is administrative. It is probably a good idea; however, the real need for improvement in cyber security is at the ground level, with organisations and agencies applying fit for purpose programs, keeping them up to date and training staff to avoid making mistakes that lead to a data breach. Not nearly enough of that is being done.

The media release

Medibank Private’s woes continue from its data breach. APRA takes action against it requiring increase in its capital adequacy of $250 million

June 27, 2023

The consequences of a major data breach are rarely minor or quickly resolved. The cost of remediation is almost always significant. Litigation is a common offshoot. Medibank is facing a significant class action suit. Finally, there is usually more than one regulator which can take action. In this case the Australian Prudential Regulation Authority (APRA) has taken action against Medibank, forcing it to increase its capital adequacy requirement to $250 million.

The APRA statement

Privacy Act Review Report; Chapter 10: Privacy Notices and Notifications under APP 5.2. An analysis and review. Some adjustment but mostly steady as she goes

June 25, 2023

Chapter 10 of the Attorney General’s Privacy Act Review Report considers the operation of Privacy Policies and Notice obligations when collecting personal information.

A Privacy Policy is a critically important document for compliance under the Privacy Act 1988. Privacy policies are part of most privacy legislation across most jurisdictions. They serve the important function of informing people how their personal information will be handled. That doesn’t mean they are free of controversy. Privacy policies are commonly criticised for being unduly complicated, very long and often a model of opacity rather than transparency. Some organisations have excellent policies designed to provide useful information. Others are a mass of legalese which defies easy understanding.

Australian Privacy Principle (“APP”) 1 requires:

  • entities to maintain a ‘clearly expressed’ and ‘up-to-date’ privacy policy that addresses the matters listed in APP 1.4.
  • per the APP Guidelines, a ‘clearly expressed’ privacy policy should be:
    • ‘easy to understand (avoiding jargon, legalistic and in-house terms),
    • easy to navigate,
    • only include information that is relevant to the management of personal information by the entity’.
  • an APP entity to regularly review and update its privacy policy to ensure that it reflects the entity’s information handling practices.
  • an APP entity to take such steps as are reasonable in the circumstances to make its privacy policy available:
    • free of charge and
    • ‘in such form as is appropriate.’
  • that where an individual requests a privacy policy in a particular form, the APP entity must take reasonable steps to accommodate that request.
  • APP entities to make a privacy policy available by publication on a website.
  • where it is foreseeable that the privacy policy may be accessed by individuals with accessibility needs, or where individuals request a copy of the privacy policy in an accessible form, appropriate accessibility measures should be put in place.

APP 5 requires

World Economic Forum releases guidelines for procurement of AI solutions by the private sector

June 23, 2023

The World Economic Forum has released Adopting AI Responsibly: Guidelines for Procurement of AI Solutions by the Private Sector. It has also launched the AI Governance Alliance for Responsible Generative AI. The Guidelines are part of a growing set of guidelines and rules. The US President released a Blueprint for an AI Bill of Rights in October last year. That is a long way from government regulation.

At this stage the talk is greater than the action. The US President met with tech leaders a few days ago and raised concerns about the risks posed by AI to security and the economy, amongst other areas. Even though Europe has taken strong initial steps and is ahead of the United States, no jurisdiction has complete fit for purpose

The European Agency for cybersecurity releases its good practices for supply chain cyber security

June 20, 2023

The EU is far ahead of Australia in regulating privacy and cyber security through both the GDPR and rules and guidance for good cyber security practices. The United States is well served by the publications of the National Institute of Standards and Technology (NIST).

The European Union Agency for Cybersecurity has released Good Practices for Supply Chain Cybersecurity. It is a long and complex document but particularly relevant given the spate of data breaches in Australia. It is relevant to note that the document makes regular reference to NIST guidance. I regularly post on NIST guidance.

Some of the findings included:
  • between 39% and 62% of organisations were affected by a third-party cyber incident.
  • supply chain compromises were the second most prevalent initial infection vector identified in 2021 and accounted for 17% of the intrusions.
  • in 66% of the supply chain attacks in 2021, the suppliers did not know, or were not transparent about, how they were compromised.
  • around 62% of the attacks on customers took advantage of their trust in their supplier. In 62% of the cases, malware was the attack technique employed. When considering targeted assets, in 66% of the incidents attackers focused on the suppliers’ code in order to further compromise targeted customers.
  • 86% of the surveyed organisations implement information and communication technology / operational technology (ICT/OT) supply chain cybersecurity policies.
  • 47% allocate budget for ICT/OT supply chain cybersecurity.
  • 76% do not have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity.
  • 61% require security certification from suppliers, 43% use security rating services and 37% demonstrate due diligence or risk assessments. Only 9% of the surveyed organisations indicate that they do not evaluate their supply chain security risks in any way.
  • 52% have a rigid patching policy, in which only 0 to 20% of their assets are not covered. On the other hand, 13.5% have no visibility over the patching of 50% or more of their information assets.
  • 46% patch critical vulnerabilities within less than 1 month, while another 46% patch critical vulnerabilities within 6 months or less.
  • only 24% of the surveyed organisations have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity.
  • 59% of the surveyed organisations that have TRM policies in place also have a dedicated budget or budget line for supply chain security.
  • regarding cybersecurity risk mitigation techniques:
    • 61% of the surveyed organisations preferred security certificates,
    • 43% preferred security risk rating services,
    • 37% used due diligence or risk assessments,
    • 9% did not evaluate their supply chain security risks in any way.
The Report summarised the situation as:
  1. Although organisations understand the significance of supply chain security, they do not allocate the necessary resources for ICT/OT supply chain cybersecurity.
  2. Even when they invest in ICT/OT supply chain cybersecurity projects, the majority do it without clear governance corporate structures which ideally should take into account the costs and benefits of implementing ICT/OT supply chain cybersecurity practices and controls.
  3. Organisations with formalised ICT/OT supply chain cybersecurity corporate procedures are the minority of the surveyed sample.
  4. Banking is the sector with the most established ICT/OT supply chain cybersecurity policies and dedicated budget and FTEs.
  5. Classification of a supply chain incident as such is cumbersome due to the lack of concrete criteria.
  6. Certifications are the most preferred way for organisations to follow suppliers’ cybersecurity practices; however, they are accompanied by high costs, especially for non-cybersecurity relevant vendors.
  7. The surveyed organisations agree that common cybersecurity requirements for products and services would be beneficial for the market.
  8. There is room to improve the visibility of the organisations over their information assets.
  9. The majority of surveyed organisations do not have a vulnerability management system which covers all organisational assets.
  10. Vulnerability management and testing of products contribute to better ICT/OT supply chain cybersecurity posture.
Supply chain cybersecurity is enhanced

The continuing ripples from the HWL Ebsworth data breach; NAB bank data leaked online

Large data breaches are rarely resolved quickly. That is why I am so surprised that organisations with the means and structures are so complacent with their data security. The focus is minimal compliance rather than security that is fit for purpose. The HWL data breach will be a long and excruciating process. The latest development is that data belonging to NAB has been found online. See the Australian’s story NAB the latest to be confirmed as victim of HWL Ebsworth hack, with bank data leaking online. Beyond the revelation that the NAB has been affected, the article itself is something of a reheating of earlier reporting.

NAB has been motivated to issue a statement which provides:

“We are aware that HWL Ebsworth, a law firm engaged by NAB for some legal services, has been impacted by a cyber-attack. NAB’s systems were not impacted and remain secure. We are working with HWLE as they continue to get more information in relation to the content of these matters.”

There will be more statements like this from affected HWL Ebsworth clients (or ex-clients).

Based on the limited information provided to date, it appears that the transfer of documentation from clients to the firm was not through access provided to the firm, as often happens with third party service providers working with an entity. In those circumstances the danger is that the initial hack will give rise to another hack as permissions and authorisations are stolen and used to access the other organisation. Here HWL Ebsworth and its clients probably adopted the more traditional, and logical, means of transfer of documents. The clients provided

Hacker gang Clop publishing names on dark web shows that Black Cat’s tormenting of HWL Ebsworth follows a depressingly predictable pattern

June 18, 2023

It is usual practice for hacker gangs to publish names and other data taken from an organisation if a ransom is not paid. Sometimes it is done even without a demand for ransom. It is a malicious act, but that is what criminal gangs do. So it is hardly extraordinary that Black Cat has done that with the data stolen from HWL Ebsworth. In that case it has published only a third of the data stolen. That is possibly because Black Cat retains hope that a ransom will be paid for the balance of the documents, or because it wants to extend the pain it inflicts upon HWL Ebsworth. Another well practised option is to negotiate with organisations and agencies affected by the data breach. Alternatively it could sell the remaining data to interested players. It is impossible to say, and Black Cat is not in the business of advertising its moves, so it is a matter of waiting for the next move. And it will come.

The BBC reports in Hacker gang Clop publishes victim names on dark web on another instance of the odious practice of publishing names on the dark web as a result of a mass hack. It is a slightly different approach, posting names rather than a document drop per se: publish the names before public disclosure of the stolen data. Clop found a zero day vulnerability on the MOVEit site. Because MOVEit is a platform designed to transfer data between organisations, Clop had access to masses of data stored on MOVEit’s platform, which it stole. The data belonged to a number of organisations and institutions. Bleeping Computer covers the story well with Clop ransomware gang starts extorting MOVEit data-theft victims.

There is a strong similarity between the HWL Ebsworth and the MOVEit data breaches. In both cases the value to the hackers of the data stolen is that it comes from a range of entities rather than being data belonging to the entity breached. In HWL Ebsworth’s case Black Cat downloaded data belonging to clients and other entities from 2,000 data sites within the firm’s system. In MOVEit’s case Clop stole data from its platform. The intent is the same, using

HWL Ebsworth data breach reveals potential loss of government information, including Defence data.

June 17, 2023

The HWL Ebsworth data breach saga is following a familiar trajectory involving a significant loss of data: announcement of the data breach, statements about working with the Australian Cyber Security Centre and other authorities, details slipping out about how much material was lost, indications in a general statement about what personal information is involved (so far that includes dates of birth, driver’s licences and names) and steps taken to remedy the breaches. That is a fairly familiar trajectory. This data breach has other features which make it a less standard data breach: the focus is not on data generated by the firm but rather on data collected from clients or otherwise related to the provision of legal services; the sensitivity of the information is, seemingly, more related to government information than to personal information; and third parties, especially government departments, are becoming very active in working out the extent to which the data breach affects them directly. The Australian reports in Data on secret missile testing site, attack helicopters and police operations stolen by hackers that the hackers have stolen files relating to military testing, police intelligence and government procurement. That data is of great interest to state players such as Russia and China and pretty much anyone else in the Indo Pacific region. It is hardly controversial that Australia’s friends collect data about the Australian government. That has always been part of the unspoken role of overseas embassies.

The Office of the Australian Information Commissioner released a belated statement on the data breach, reported here, providing:

On 8 May 2023, HWL Ebsworth reported a data breach to the Office of the Australian Information Commissioner (OAIC) in the OAIC’s capacity as regulator of the Notifiable Data Breaches scheme.

HWL Ebsworth provides legal services to a range of Commonwealth clients, including the OAIC.

On Saturday 10 June, HWL Ebsworth advised the OAIC that a document or documents relating to a limited number of OAIC files were included in the breach experienced by HWL Ebsworth.

HWL Ebsworth is currently providing further information to the OAIC about those documents. The OAIC will review those documents to see whether they contain personal information, and, consistent with requirements under the Notifiable Data Breaches scheme, will notify affected individuals where necessary.

The OAIC’s systems have not been compromised.

The statement begs more questions than it answers. The data breach was reported in early May and the Australian Financial Review has been covering the story regularly. It is difficult to understand how HWL Ebsworth, in the 5,000 hours it claims to have spent on the data breach, could not have notified the Commissioner earlier than 10 June. And it could have gone into more specifics than “a document or documents” about a “limited number of OAIC files”. The statement leaves open the conclusion that HWL Ebsworth has not completed its task vis-a-vis the OAIC files. That is extraordinary. It has been 6 weeks since the firm was advised about the data breach. The opaqueness of the statement makes it almost meaningless, except if the intention is merely to make a statement.

Many organisations have quite good outward looking cyber security, providing a hard shell against cyber attacks. A cyber wall surrounding a site, so to speak. Unfortunately that is all too often the limit of the defences. Those defences are ineffective when hackers acquire valid authentication credentials from an employee, as appears to be the case here, and enter the system. Many organisations have very poor systems established for monitoring suspicious network activity, or internal protections such as silos of information requiring separate authentication. In the case of the HWL Ebsworth data breach, apparently Black Cat accessed the drives of 2,000 employees and copied what was there. How that could happen without raising any sort of alarm is a concern.

There are programs which can identify abnormal access patterns, database activities, file changes and other out-of-the-ordinary actions. Those are indicia of
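As an added illustration of the kind of monitoring the paragraph describes (example code written for this post, not from the article or any product it mentions): a small Python heuristic run over constructed file-share audit lines that flags an account opening files in many other users’ home drives within a short window, the pattern a sweep of 2,000 employee drives would produce. The log format, server name, account names and the allowlist of accounts expected to sweep drives (a backup service) are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-share audit events (hypothetical format):
# "<ISO timestamp> <account> <UNC path opened>". Home drives live under
# \\<server>\home\<owner>\..., so the second path segment names the owner.
SAMPLE_LOG = r"""
2023-05-01T09:00:12 alice \\files\home\alice\matters\brief.docx
2023-05-01T09:03:40 alice \\files\home\bob\shared\notes.docx
2023-05-01T09:05:01 bob \\files\home\bob\inbox\letter.pdf
2023-05-01T22:10:05 jsmith \\files\home\alice\matters\brief.docx
2023-05-01T22:10:06 jsmith \\files\home\bob\inbox\letter.pdf
2023-05-01T22:10:07 jsmith \\files\home\carol\drafts\contract.docx
2023-05-01T22:10:08 jsmith \\files\home\dave\archive\2019.zip
2023-05-01T22:10:09 jsmith \\files\home\erin\matters\deed.pdf
2023-05-01T23:59:59 jsmith \\files\home\frank\notes.txt
2023-05-02T01:00:00 svc_backup \\files\home\alice\matters\brief.docx
2023-05-02T01:00:01 svc_backup \\files\home\bob\inbox\letter.pdf
2023-05-02T01:00:02 svc_backup \\files\home\carol\drafts\contract.docx
2023-05-02T01:00:03 svc_backup \\files\home\dave\archive\2019.zip
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
HOME_RE = re.compile(r"^\\\\[^\\]+\\home\\([^\\]+)\\")  # captures the drive owner


def parse_event(line):
    """Return (timestamp, account, drive_owner), or None for lines we cannot use."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    owner = HOME_RE.match(m.group(3))
    if not owner:
        return None  # not a home-drive path; outside this heuristic
    return datetime.fromisoformat(m.group(1)), m.group(2), owner.group(1)


def find_drive_sweeps(log_text, window=timedelta(minutes=30), max_owners=3,
                      allowlist=frozenset({"svc_backup"})):
    """Accounts that opened files in more than `max_owners` *other* users' home
    drives within any `window`. Returns {account: (window_start, owner_count)}."""
    by_account = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        ts, account, owner = ev
        if account in allowlist or owner == account:
            continue  # expected sweepers (backup) and own-drive access are normal
        by_account[account].append((ts, owner))

    alerts = {}
    for account, events in by_account.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            owners = {o for t, o in events[i:] if t - start <= window}
            if len(owners) > max_owners:
                alerts[account] = (start, len(owners))
                break  # the first offending window is enough to raise an alert
    return alerts


if __name__ == "__main__":
    for account, (start, n) in find_drive_sweeps(SAMPLE_LOG).items():
        print(f"ALERT {account}: {n} distinct home drives from {start.isoformat()}")
```

On the sample, only jsmith is flagged (five other users’ drives in five seconds); the backup account is skipped by the allowlist and would be flagged if it were not.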

The HWL Ebsworth data breach; the ripple effect. Its government clients set up working groups to sort through the rubble and work out what happens next

June 16, 2023


With large organisations, firms and government agencies, the data that is compromised often belongs to third parties such as clients or other organisations. With law firms that involves information provided as necessary to permit advice work or litigation. And so it is with the HWL Ebsworth data breach, which has led to the inevitable round two of the data breach: the clients of the firm doing damage assessments of what has happened to their data. The Australian reports in Fears government data has been stolen by cyber criminals grow as law firm’s clients are revealed that government departments have set up committees to determine the extent of the damage. And not before time. Black Cat has not released two-thirds of the data it exfiltrated. That is likely to happen at the most inopportune time, given HWL Ebsworth has stated it will not pay a ransom.

The Australian article provides:

The Albanese government has established a crisis group to examine what commonwealth data has been stolen by Russian-linked hackers who infiltrated the systems of HWL Ebsworth, the giant law firm that has tens of millions of dollars of contracts across at least 40 government departments and agencies.