News and events related to the ACSC.
Update on WanaCry ransomware campaign
The ACSC is aware of a large-scale ransomware campaign impacting many organisations globally, including the UK's National Health Service. The campaign has various names including “WanaCryt0r”, "WanaCrypt", “WanaCry”, “WannaCry”, “WanaDecryptor”, or “Wana”.
The ransomware leverages publically known vulnerabilities in Microsoft Windows, patched by Microsoft in March this year (Microsoft Security Bulletin MS17-010). Additionally, Microsoft has released patches for older, unsupported Microsoft operating systems on 13 May 2017. If you are running older systems, these patches should be applied immediately.
Individuals and organisations across Australia have been taking active steps to protect their networks over the weekend. However, there are a small number of confirmed cases affecting Australian small businesses.
While the spread of the ransomware appears to have temporarily slowed, it is still critical that businesses and individuals patch the operating systems on their computers.
The Australian Cyber Security Centre has advised that if you are affected by the WanaCry ransomware incident you should contact your service provider immediately. Small businesses can contact ACORN (Australian Cybercrime Online Reporting Network); larger businesses are advised to follow their normal procedures.
We are also advising that businesses need to patch their Microsoft Windows systems immediately and confirm that their backups are available and working. You will also need to make sure your antivirus software is up-to-date.
If you do not have back-ups in place you can arrange to use an off-site backup service. This is good practice for all users.
Information on the ACSC website will continue to be updated. Updates are also available on the Stay Smart Online website, Facebook page and Twitter account.
These sites will be updated throughout the coming days as new information becomes available.
The ACSC is aware of a large-scale ransomware campaign that is impacting many organisations globally. Read more
ACSC 2016 Cyber Security Survey released
The 2016 Australian Cyber Security Centre Survey (PDF) validates our understanding of the unrelenting and increasingly sophisticated cyber threat that we face every day. It confirms that many Australian organisations are experiencing some form of attempted or successful cyber security compromise, and that some are being targeted up to hundreds of times per day.
The survey provides some key areas for future focus, collaboration and investment across industry and government.
Managed Service Providers have been targeted in a global cyber campaign since at least mid-2016. This includes some companies that also operate in Australia. Read more
ACSC releases 2016 threat report
This is the second ACSC Threat Report. The ACSC Threat Report 2016 (PDF) continues to reflect the experience, focus, and mandates of the ACSC's member organisations. This report provides an insight into what the centre has been seeing, learning, and responding to, focusing on specific areas of change or new knowledge obtained.
New Cyber Security Strategy
Today the Prime Minister released Australia's Cyber Security Strategy.
The Cyber Security Strategy sets out the Australian Government’s philosophy and program for meeting the dual challenges of the digital age – advancing and protecting our interests online.
Strong cyber security is a fundamental element of our growth and prosperity in a global economy. It is also vital for our national security. It requires partnership involving governments, the private sector and the community.
Scam alert: HR departments targeted for sensitive employee details
ACSC partner agency CERT Australia is aware that, over the past two months, at least three major international organisations have been targeted by a new phishing scam that seeks to expose sensitive employee information.
The phishing email, which appears to be from the CEO or executive of an organisation, is sent to the Human Resources (HR) department, requesting the organisation's personnel details.
The scam presents a significant risk to employee's personal information as personnel data contains names, addresses, wages, tax file numbers and health care information that could be used for identity theft or tax fraud.
Although there have not been any reported instances of the scam in Australia, it is highly likely Australian businesses will be targeted in the future. In order to protect your organisation and employees against these attacks, CERT Australia recommends:
- inform your HR and payroll staff of the scam and encourage employees to remain vigilant with regard to bulk requests for staff information
- remain wary of the information that is posted to social media and company websites which can be abused, including job descriptions, organisation structures and out-of-office information
- ignore unsolicited or spam emails and forward them for review by your IT security team
- ensure your email security is set to prevent sender address forgery (more information to implement this can be found in the ASD publication Mitigating Spoofed Emails - Sender Policy Framework (SPF) Explained)
- report identified activity to CERT Australia.
Mailicious ransomware email campaign
The ACSC is aware of a large-scale email phishing campaign that appears to be from the Austrailan Federal Police, instructing recipients to pay a traffic infringement notice. The same scam also occurred in July 2015. The web link is typically associated with encrypting ransomware.
Should you receive a suspicious email, delete it. Do not click on the link or open any attachments, and do not make any payments. If you have clicked any links or attachments, please report this to your organisation's IT security section.
We encourage you to report it to Scam Watch.
ACSC and CERT publish 2015 Cyber Security Survey: Major Australian Businesses
The 2015 Cyber Security Survey: Major Australian Businesses industry data was collected from businesses that partner with CERT Australia. These businesses underpin the social and economic welfare of Australia by delivering essential services such as banking and finance, defence industry providers, communications, energy, resources, transport and water.
The findings provide a snapshot of the cyber security measures that major Australian businesses have in place, the types of cyber incidents they have faced and the threats that concern them the most.
ACSC publishes Web Shells - Threat Advice and Guidance
Web shells can be used to leverage unauthorised access and can lead to wider network compromise. Web Shells - Threat Advice and Guidance outlines the threat and provides prevention, detection and mitigation strategies. This product was developed in collaboration with ACSC partners in the United Kingdom, United States, Canada and New Zealand.
Unauthorised publication of personal information via social media
ACSC is aware of leaks of personally-identifiable information, including that of Australian citizens, by a group calling itself the Islamic State Hacking Division.
There is no evidence to suggest the leaked information is a result of any compromise of Australian-based systems or networks. ACSC is working with the organisations of the individuals identified in the leaks to identify and address any potential cyber security concerns. ACSC will support the broader law enforcement and intelligence community to understand and address this issue.
The unauthorised material published this week is likely to have been compromised from a public website. Affected individuals have used work email addresses to conduct private online activity, including providing personally-identifiable information.
Public websites are frequently targeted by malicious hackers and the compromise of personal information provided to these websites will continue to occur. To minimise the threat to you and your organisation, ACSC recommends you follow the advice provided by:
- Stay Smart Online
- Australian Signals Directorate Top Security Tips for the Home User
- US Computer Emergency Response Team Tips
If you believe your identity or personal information has been compromised online, you should report the activity through the Australian Cybercrime Online Reporting Network (ACORN).
Security researchers have uncovered vulnerabilities in a multimedia processing library that can expose devices running the Android operating system to malicious cyber activity.
More information and mitigation guidance is available from US CERT: Android Stagefright contains multiple vulnerabilities.
Users can also seek specific advice from their device manufacturer or telecommunications service provider.
ACSC releases first ever public national cyber threat report
ACSC releases first ever public national cyber threat report (PDF): New ACSC Co-ordinator Clive Lines said that the ACSC Threat Report 2015 (PDF) clearly demonstrates that the cyber threat to Australian organisations is undeniable, unrelenting and continues to grow. (Media release, July 2015)
New wave of ransomware targeting Australians
The ACSC has observed a new wave of Australia Post parcel collection and Australian Federal Police infringement notice themed ransomware emails targeting Australian governments, private industry and the public.
This activity appears to be a continuation of previous encrypting ransomware campaigns reported by the ACSC.
The ACSC advises organisations to be vigilant and adopt the recommendations detailed below to protect their systems and data.
Emails within this campaign are sent from multiple domains appearing to be from Australia Post or the Australian Federal Police. They typically contain a link to a malicious page that downloads an archived file that contains an executable (.exe). Multiple archive formats have been observed, including .zip, .rar and .7z files. Additionally, Microsoft Office documents containing macros that download the ransomware from file-sharing services have have been observed. Once executed, the ransomware encrypts the users' files, including those on networked or shared drives, making them inaccessible to the user until a ransom is paid. Please note that other domains and themes have also been associated with this significant campaign.
- The size of this campaign and continual use of new domains has reduced the effectiveness of domain blocking as a long-term solution. A more effective long-term solution is the implementation of the Australian Signal Directorate's Top 4 Strategies to Mitigate Targeted Cyber Intrusions, in particular, application whitelisting.
- End users should continue to remain vigilant when opening emails containing links, even if they appear to be from a legitimate Australian government or business domain.
- Ensure anti-virus and other detection products are up-to-date.
- Perform regular backups of data.
- Do not pay the ransom if your system is affected.
- Organisations may wish to consider running an education campaign for their staff regarding phishing emails in order to heighten user awareness. This training should include instruction on how users can report unusual or suspicious emails to their IT security team.
Organisations that become aware of illegitimate domains masquerading as part of their agency should engage with the hosting company and law enforcement to have the domain taken down.
In the short term, large organisations that are affected can notify potential users via a post on their website and the Australian Government's ScamWatch website.
Members of the public and small business can report ransomware at the ACORN website.
Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.
Australian businesses and other private sector organisations seeking further information should contact CERT Australia.
Australian Government Cyber Security Review
The Prime Minister chaired Australia's first Cyber Security Summit with chief executive officers and chairmen on 8 July 2015 in Sydney. Over the past six months, the Cyber Security Review team has met with more than 180 organisations. This period of consultation and the summit will help shape the Australian Government's new Cyber Security Strategy.
Certified cloud services
An IRAP Assessment has been completed for several outsourced cloud computing services and certification awarded by the Australian Signals Directorate located within the ACSC.
The rigorous and detailed certification process for cloud service providers will help to give public sector users confidence in making the transition to new technologies and services.
The ACSC is pleased to be working in partnership with industry to ensure that there are a range of providers who can independently demonstrate that they meet the security needs of government in the cloud space.
While certification will assist organisations to understand the information security risks when contracting cloud computing services, organisations are urged to perform due diligence reviews of the financial, privacy, data ownership, data sovereignty and legal risks associated with contracting cloud computing services.
The list of providers and more information is available at ASD Certified Cloud Services.
Australian Cyber Security Centre Conference 2015
Partnering for a Cyber Secure Australia (PDF): ACSC co-ordinator's speech to the ACSC Conference 2015, Canberra, 22 April 2015
Social media account compromise
There has been recent media reporting around social media accounts being compromised and defaced. This is a growing occurrence, so it pays for organisations to be aware and build cyber resilience.
Organisations that suspect their social media accounts have been compromised should:
- Report the suspected compromise to the social media provider.
- Reset the account password.
- Contact the support services of the social media provider for information on securing their account.
Additional information on the use of social media can be found in ASD Protect Notice Security Tips for the Use of Social Media Websites.
New cyber security campaign focuses on everyday Australians
New cyber security campaign focuses on everyday Australians (PDF) (Media release, February 2015)
Associated content: ACORN, ACSC YouTube Channel
New choice for reporting cyber security incidents
New choice for Australian business and government to report cyber security incidents (PDF) (Media release, December 2014)