More stories


    Ransomware affects the entire retail supply chain this holiday season

    US online holiday sales grew by 30% in 2020, and Forrester forecasts that they will grow another 10% year over year in 2021. This growth raises the stakes for retail professionals to support the increased demand, which ultimately makes them a prime target for ransomware attackers.

    Why should retailers pay attention to ransomware preparedness? Ransomware attackers target organizations that need as close to 100% uptime as possible, since those businesses feel the effects of a ransomware attack more viscerally and are more likely to pay a ransom quickly. Retailers and their providers fall right into this bucket: they rely on continuously running production, they must serve consumers constantly, and they often use just-in-time manufacturing. Furthermore, they often have several third-party dependencies they can’t disappoint and complex supply chains to manage. Every aspect of the retail supply chain is a potential target of attack. Since the holiday season guarantees retailers an increase in traffic and more emotionally charged purchases, the incentive for ransomware groups to attack them is greater now than ever. Below, we provide a primer on ransomware attacks and how they can affect retailers.

    What is ransomware?

    Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. It has been used in very public attacks, like the one on Colonial Pipeline earlier this year, and in attacks on hospital systems. This type of attack has become more common in part because of the emergence of ransomware-as-a-service (RaaS). In RaaS, attackers sell access to ransomware software as though they were operating a business, fully outfitted with salespeople, developers, managers, and marketers. They operate like a typical startup and sell access to their “product” on the dark web to cybercriminals who do not want to develop their own ransomware but still want to use it and get the payout.

    How does ransomware affect retailers?

    Ransomware attacks affect every aspect of the retail supply chain, especially in these five areas: suppliers, logistics, operations, products, and websites. Below are descriptions of how ransomware can affect each of these, with real-world examples.

    Suppliers

    When ransomware attackers target suppliers, it often results in factory machines being disabled or employees being locked out of critical supply systems. Once most suppliers discover a ransomware attack, the de facto response to contain it is to shut down facility operations indefinitely. This results in production bottlenecks, and customers scramble to use their alternative supplier. This kind of attack struck JBS Foods this year, shutting down its slaughterhouse for an entire day. To add insult to injury, JBS had to shell out $11 million in Bitcoin ransom to get its systems back. To gauge the resilience of your suppliers in a crisis, we recommend using the Forrester Supplier Resilience Assessment Tool.

    Logistics

    Logistics firms are targeted by ransomware groups because of their just-in-time business models and the complex interconnectedness of their IT systems. Ransomware attacks on these targets quickly spread through computer systems across the network to encrypt as many devices as possible and render the firm inoperable. This happened over the past few years to CMA CGM, FedEx, and Maersk, which all halted operations and suffered millions in revenue loss.

    Operations

    When ransomware infiltrates a brick-and-mortar store, it tries to infect point-of-sale (POS) systems, employee tools, store printers, whatever it can get its hands on. These attacks can prevent customer transactions or even force stores to close. More detrimental for the brand is the risk that your customers will witness an attack unravel your operations in real time. For example, Cencosud was made aware of a ransomware attack hitting its systems when POS printers spewed out ransom notes in its stores.

    Products

    Digital products such as e-readers, tablets, video gaming systems, and others are also susceptible to ransomware attacks. When hit, these devices may appear inoperable while the attacker steals company and customer data. This situation can be very detrimental for customers and organizations. When devices mysteriously stop working, customers often take to social media to air their grievances. This inevitably affects the external image of the brand and public perception of your product’s efficacy. When Barnes & Noble’s NOOK e-reader was attacked with ransomware, customers lost access to their libraries, purchases, and accounts, and complained on Facebook and Twitter as a result.

    Websites

    Ransomware attackers often look to target public assets, especially ones retailers rely on, like e-commerce websites. If your website shuts down from a ransomware attack, customers lose access to you, which may confuse or frustrate them and leave them concerned about the safety of their data. Last year, X-Cart’s e-commerce hosting site was corrupted, locking store owners out of their own websites and preventing customers from accessing them for days.

    How can you protect against ransomware attacks this holiday season?

    Protecting against ransomware attacks is something every single employee can participate in. Both during the holiday season and as you plan for your 2022 operations, the top three things we recommend to promote ransomware defenses among your employees are:

    Keep your team informed about the implications of a ransomware attack, especially around high-traffic times like the holidays. Make sure they know what ransomware is and are on the lookout for any signs of a potential ransomware attack.

    Get your employees to gamify finding phishing attacks and reporting them to your security team. Phishing attacks are one of the main ways cybercriminals start their attacks, so the more awareness you can spread about this attack vector, the better.

    Work with the security team to simulate what you would do in the event of a ransomware attack. Having a plan in place for how to respond when a ransomware attack happens is critical to a quick and complete recovery.

    This blog post is part of Forrester’s holiday 2021 series; read more here. This post was written by Analyst Allie Mellen and originally appeared here.


    Security firm Blumira discovers major new Log4j attack vector

    It never rains but it pours. Previously, one assumption about the 10-out-of-10 Log4j security vulnerability was that it was limited to exposed vulnerable servers. We were wrong. The security company Blumira claims to have found a new, exciting Log4j attack vector.


    You didn’t really want to take this weekend off, did you? Of course not! Instead, you’ll be chasing down vulnerable Log4j code ever deeper into your network. According to Blumira, this newly discovered JavaScript WebSocket attack vector can be exploited via a path request to a listening server on the user’s machine or local network. Simply navigating to a malicious website can trigger the vulnerability. Adding insult to injury, WebSocket connections within the host can be difficult to gain deep visibility into. That means it’s even harder to detect this vulnerability and attacks using it.

    This vector significantly expands the attack surface. How much so? It can be used against services running as localhost, which are not exposed to a network. This is what we like to call a “Shoot me now” kind of problem.

    Oh, and did I mention? The client itself has no direct control over WebSocket connections. They can silently start when a webpage loads. Don’t you love the word “silently” in this context? I know I do.

    WebSockets, for those of you who aren’t web developers, are supported in almost all modern web browsers. They’re commonly used for two-way communication functions such as website chat and alerts. They’re great at passing timely information to the browser and allowing the browser to quickly send data back and forth. However, WebSockets have their own security risks. WebSockets aren’t restricted by the same-origin policy the way a normal cross-domain HTTP request is. Instead, they expect the web server to validate a request’s origin. In short, they don’t come with much in the way of built-in security measures. As you’d guess from this, WebSockets have been used in attacks before: they have been used to attack cable modems by sending malicious requests, and hackers have used them for host fingerprinting and port scanning.

    In their proof-of-concept attack, Blumira found that they could trigger one of the many Java Naming and Directory Interface (JNDI) exploits via a file path URL over a WebSocket connection to machines with a vulnerable Log4j2 library installed. All that was needed was a path request started on web page load. Simple, but deadly.

    Making matters worse, it doesn’t need to be localhost. WebSockets allow connections to any IP. Let me repeat, “any IP,” and that includes private IP space. As the page loads, it initiates a local WebSocket connection, hits the vulnerable listening server, and connects out over the type of connection identified in the JNDI connection string. The researchers saw the most success using Java Remote Method Invocation (RMI), default port 1099, although custom ports are often seen in use. Simple port scanning, a technique already in the WebSocket hacker handbook, was the easiest path to a successful attack. Making such attacks even harder to detect, the company found that “specific patterns should not be expected as it is easy to trigger traffic passively in the background.”

    Once an open port to a local service, or a service accessible to the host, is found, the attacker can then drop the JNDI exploit string in the path or parameters. “When this happens, the vulnerable host calls out to the exploit server, loads the attacker’s class, and executes it with java.exe as the parent process.” Then the attacker can run whatever he wants.

    Indeed, they already are. As Anurag Gurtu, StrikeReady’s chief product officer, observed, “Apparently, a ransomware attack is currently exploiting the Log4Shell vulnerability. It’s the Khonsari ransomware gang that has built an attack using C# and the .NET framework. After execution, the malware enumerates all mounted drives (other than C:/) and targets user directories including Documents, Videos, Pictures, Downloads, and Desktop. An AES 128 CBC algorithm is used for encryption, and the files are saved with a .khonsari extension.”

    They’re not the only ones. State-sponsored hackers from China, Iran, North Korea, and Turkey; Cobalt Strike operators; and many others are also exploiting Log4j vulnerabilities. This latest vulnerability simply opens the doors even wider for would-be attackers.

    It will only get worse before it gets better. As Sophos senior threat researcher Sean Gallagher recently explained, to date Log4Shell attackers have been focused on cryptomining, but this is just a “lull before the storm.” He continued, “We expect adversaries are likely grabbing as much access to whatever they can get right now… to monetize and/or capitalize on it later on. The most immediate priority for defenders is to reduce exposure by patching and mitigating all corners of their infrastructure and investigate exposed and potentially compromised systems.” After all, Gallagher concluded, “This vulnerability can be everywhere.”

    What can you do about this? Blumira suggests the following:

    Update all local development efforts, internal applications, and internet-facing environments to Log4j 2.16 as soon as possible, before threat actors can weaponize this exploit further. This includes moving any custom applications to 2.16 in their dependency manifests as soon as possible to avoid incidental exploitation.

    You should also look closely at your network firewall and egress filtering. The mission here is to restrict the callback required for the actual exploit to land. Significantly limiting the egress traffic of your endpoints will reduce the risk as you patch your applications. In particular, make sure that only certain machines can send out traffic over ports 53, 389, 636, and 1099. All other ports should be blocked.

    Finally, since weaponized Log4j applications often attempt to call back home to their masters over random high ports, you should block their access to such ports.
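    The egress-filtering advice above (only designated machines may send traffic out over ports 53, 389, 636 and 1099, and endpoints should not reach random high ports) is the kind of policy you can audit against firewall connection logs. The script below is an added example, not Blumira’s or ZDNet’s code: the log line format, the 10.0.0.0/8 internal range, the allowlisted host addresses and the 1024 “high port” threshold are all constructed for this demonstration and would be replaced with your own values.

```python
"""Audit outbound connection logs against a Log4Shell-style egress policy.

Added example (not from the article or from Blumira). Hypothetical inputs:
a constructed firewall log format, a constructed allowlist of which internal
hosts may talk out on the callback ports, and a 1024 threshold for "random
high ports". Only traffic leaving the internal range is policed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports the article names as the exploit's callback channels.
CALLBACK_PORTS = {53: "dns", 389: "ldap", 636: "ldaps", 1099: "rmi"}
HIGH_PORT_MIN = 1024                      # hypothetical "random high port" floor
INTERNAL = ip_network("10.0.0.0/8")       # hypothetical internal address space

# Hypothetical allowlist: internal host -> ports it may use outbound.
ALLOWED_EGRESS = {
    "10.0.0.53": {53},        # internal resolver may forward DNS
    "10.0.0.10": {389, 636},  # directory server may speak LDAP/LDAPS out
}


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    reason: str


def parse_line(line):
    """Parse a constructed line: '<ts> src=<ip> dst=<ip> dport=<n> proto=<p>'.

    Returns (src, dst, port) or None when the line is malformed."""
    try:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        return fields["src"], fields["dst"], int(fields["dport"])
    except (KeyError, ValueError):
        return None


def check_egress(log_lines, allowed=ALLOWED_EGRESS):
    """Return a Finding for every outbound connection the policy would block."""
    findings = []
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, port = parsed
        if ip_address(dst) in INTERNAL:
            continue  # internal-to-internal traffic is out of scope here
        if port in CALLBACK_PORTS:
            if port not in allowed.get(src, set()):
                findings.append(Finding(src, dst, port,
                    f"outbound {CALLBACK_PORTS[port]} from non-allowlisted host"))
        elif port >= HIGH_PORT_MIN:
            findings.append(Finding(src, dst, port,
                "outbound connection to a high port"))
    return findings


# Constructed sample log: one allowed resolver query, a workstation reaching
# out on RMI, LDAP, HTTPS and a high port, and an internal LDAP bind.
SAMPLE_LOG = [
    "2021-12-17T10:00:01Z src=10.0.0.53 dst=192.0.2.1 dport=53 proto=udp",
    "2021-12-17T10:00:02Z src=10.0.5.21 dst=198.51.100.7 dport=1099 proto=tcp",
    "2021-12-17T10:00:03Z src=10.0.5.21 dst=198.51.100.7 dport=389 proto=tcp",
    "2021-12-17T10:00:04Z src=10.0.5.21 dst=198.51.100.7 dport=443 proto=tcp",
    "2021-12-17T10:00:05Z src=10.0.5.21 dst=198.51.100.7 dport=44321 proto=tcp",
    "2021-12-17T10:00:06Z src=10.0.5.21 dst=10.0.0.10 dport=389 proto=tcp",
]

if __name__ == "__main__":
    for f in check_egress(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.port}  {f.reason}")
```

    Run as-is it reports the workstation’s RMI, LDAP and high-port connections and leaves the resolver’s DNS, the HTTPS session and the internal LDAP bind alone. The same allowlist structure maps directly onto firewall rules: the hosts in ALLOWED_EGRESS get explicit permit entries for their ports, and the default for 53, 389, 636, 1099 and the high-port range is deny.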
    Good luck, get back to work hunting down Log4j libraries and calls, and hope that you can batten down as much of your infrastructure as possible before the holidays.


    CISA: Federal agencies must immediately mitigate Log4J vulnerabilities

    The Cybersecurity and Infrastructure Security Agency (CISA) sent out an emergency directive on Friday, requiring federal civilian departments and agencies to immediately patch their internet-facing network assets for the Apache Log4j vulnerabilities. If they can’t patch, they’re required to implement other appropriate mitigation measures. CISA previously said federal civilian agencies would have until December 24 to address the issue, but it noted that the latest directive “is in response to the active exploitation by multiple threat actors of vulnerabilities found in the widely used Java-based logging package Log4j.”


    CISA Director Jen Easterly said they are urging organizations of all sizes to also assess their network security and adapt the mitigation measures outlined in the emergency directive. If you are using a vulnerable product on your network, Easterly said, you should consider your door wide open to any number of threats. “The Log4j vulnerabilities pose an unacceptable risk to federal network security,” Easterly explained. “CISA has issued this emergency directive to drive federal civilian agencies to take action now to protect their networks, focusing first on internet-facing devices that pose the greatest immediate risk.” According to CISA, the directive was handed down because these vulnerabilities are currently being exploited by threat actors. CISA’s investigations showed just how prevalent the affected software is in the federal enterprise. CISA said there is a “high potential” for a compromise of agency information systems and expressed concern about the impact of a breach.

    VMware head of cybersecurity strategy Tom Kellermann said the exploitation of the Log4j vulnerability allows for full control of the target system that is running Apache. “So they have the capacity to just be on missions and spy on the activities of the users of the systems. They have the capacity to use that system to island-hop into other systems. They have the capacity to become disruptive. It really varies,” said Kellermann, who served as a cybersecurity commissioner for the Obama administration. “I would say that there is so much activity going on right now, that it’ll probably be weeks, if not months, before the true scope of this significant cybercrime wave for this vulnerability and the severity of its impact is discovered.”

    CISA created a dedicated webpage with Log4j mitigation guidance and resources for network defenders, as well as a community-sourced GitHub repository of affected devices and services. CISA added the Log4j vulnerability, alongside 12 others, to its Known Exploited Vulnerabilities Catalog. It created the list last month as a way to provide government organizations with a catalog of vulnerabilities organized by severity.

    Using its honeypot network to attract attackers, cybersecurity firm Bitdefender found that its honeypots were attacked 36,000 times from Dec. 9 to Dec. 16. Half of all attacks used Tor to mask their true country of origin. The lead countries of origin for attacks were Germany at 34% and the US at 26%. Bitdefender added that, based on endpoint telemetry, the lead attack targets are the US at 48%, followed by the UK and Canada, both at 8%.


    Google unleashes security 'fuzzer' on Log4Shell bug in open source software

    The remotely exploitable flaw in Log4j – the widely deployed Java error logging library – is being attacked by multiple actors and likely will remain so for many more months as open-source projects, product vendors, and end-user organisations patch affected systems. Google is now adding OSS-Fuzz to the pool of answers to the internet-wide Log4j flaw, also known as Log4Shell. The bug is tracked as CVE-2021-44228 and was partially fixed in the Apache Foundation’s release of Log4j version 2.15.0 last week. OSS-Fuzz is Google’s free service for fuzzing open-source software projects and is currently used by over 500 critical projects. Fuzzing involves throwing random or malformed input at software to produce an error, like a crash, and uncover potential security flaws.

    To seek out Log4Shell weaknesses in newly built open-source software, Google is partnering with security firm Code Intelligence to provide continuous fuzzing for Log4j. Code Intelligence makes Jazzer, an open-source fuzzing engine that is now part of OSS-Fuzz and has been modified to identify Log4j vulnerabilities in code under development. Google awarded Code Intelligence $25,000 for its work on the Log4j fuzzing. “Since Jazzer is part of OSS-Fuzz, all integrated open-source projects written in Java and other JVM-based languages are now continuously searched for similar vulnerabilities,” Code Intelligence notes in a press release. Jazzer is also capable of detecting remote JNDI lookups – a strong sign that potential attackers are scanning a network for the flaw.

    JNDI (Java Naming and Directory Interface) is an interface for connecting to directories such as Lightweight Directory Access Protocol (LDAP) servers, and the flaw in Log4j is found in its implementation of JNDI. As Cisco’s Talos researchers explain, the flaw allows a remote attacker to use a simple LDAP request to trigger the vulnerability in pre-2.15 versions of Log4j, then retrieve a payload from a remote server and execute it locally on a vulnerable device. The Apache Foundation this week released Log4j version 2.16.0 to fix a second related flaw stemming from JNDI that is being tracked as CVE-2021-45046. That flaw allowed an attacker to craft data patterns in a JNDI message lookup and cripple a machine with a denial of service (DoS). Log4j 2.16.0 disables access to JNDI by default and limits the default protocols to Java, LDAP and LDAPS. Disabling JNDI was previously a manual step to mitigate attacks against the original flaw.

    Most efforts are now focused on vendors updating Log4j in their products and end-user organisations applying updates as they become available. For example, the US Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies until 24 December to identify all applications affected by Log4Shell. Cisco, VMware, IBM and Oracle are busy developing patches for their affected products.

    Google’s OSS-Fuzz tackles Log4j from another angle, aiming to prevent developers from accidentally inserting the flaw in new software projects that may eventually be deployed in production environments. “Vulnerabilities like Log4Shell are an eye-opener for the industry in terms of new attack vectors. With OSS-Fuzz and Jazzer, we can now detect this class of vulnerability so that they can be fixed before they become a problem in production code,” says Jonathan Metzman from the Google Open Source Security Team.


    Android malware warning: Over 500,000 users have been infected after downloading this app from Google Play

    Over half a million Android users have installed an app used to deliver Joker malware after downloading it from the Google Play store. Cybersecurity researchers at Pradeo identified the malware, which Google has now removed from its official Android app marketplace. Before its removal, the app, called ‘Color Message’, was downloaded by more than 500,000 Android users.


    Advertised as an app that allowed users to personalise their default SMS messages, Color Message was a front to deliver Joker, one of the most prolific forms of Android malware. Once installed, the malware does three things: it simulates clicks in order to generate revenue from malicious ads; subscribes users to unwanted paid premium services to steal money and commit billing fraud; and accesses users’ contact lists and sends the information to attackers. Researchers suggest there’s evidence that stolen information is sent to servers hosted in Russia. Negative reviews of the app on the Play Store suggest that some users have noticed the unauthorised behaviour, with complaints about being charged for services they didn’t request. Google Play has protocols designed to stop malicious apps from being published. However, the developers of the malicious app managed to bypass them.

    “By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint that can be tricky to detect,” said Pradeo’s Roxane Suau. Users who have downloaded Color Message from the Google Play Store have been urged to uninstall the app immediately. This is far from the first time Joker has been detected in the Play Store – Pradeo says it has been found in hundreds of apps in the past two years, and given how persistent those behind it are, it’s likely they’ll try to distribute the malware again. ZDNet has contacted Google for comment – a spokesperson confirmed that the malicious app has been removed from the Play Store.


    Log4j: Major IT vendors rush out fixes for this flaw and more ahead of Christmas

    The holiday season is shaping up to be busy for those patching systems affected by the critical flaw in the Log4j Java application error logging library. IBM has confirmed several of its major enterprise products are affected by the Log4j bug. On Thursday, the company confirmed that IBM Db2 Warehouse, which uses Log4j, allowed a remote attacker to execute arbitrary code on the system. Log4j is used in the Db2 Federation feature. IBM has released a special fix pack and mitigation notes for Db2 version 11.5 systems that are vulnerable if certain Federation features are configured. Since Wednesday, IBM has released Log4j fixes for over a dozen cloud products, spanning security and identity, analytics, databases, managed VMware services, and Watson AI products. It has also released fixes for 20 on-premises IBM products for Cognos business intelligence, Power hardware, WebSphere, Watson, and more. IBM is continually updating the list of products affected by the flaw and those it has confirmed are not impacted.

    Dozens of Cisco products are affected by Log4j, too. On Friday, Cisco will release numerous firmware and hotfix updates that address the flaw, followed by more updates scheduled over the weekend and over the following week through to 24 December. Products scheduled for updates on Friday include Cisco Identity Services Engine, DNA Spaces Connector, Cisco BroadWorks, and Cisco Finesse. On Saturday, it will release updates for several more products including Cisco Contact Center Domain Manager (CCDM), Cisco IOx Fog Director, Cisco Contact Center Management Portal (CCMP), Cisco Unified Communications Manager / Cisco Unified Communications Manager Session Management Edition, Cisco Video Surveillance Operations Manager, and Cisco Connected Mobile Experiences (CMX).

    VMware is also updating its list of affected products, most of which are badged as ‘critical’ with a CVSS severity score of 10 out of 10, and currently marked as ‘patch pending’. Where patches are not available, VMware is updating its recommended mitigations to factor in updates addressed by the Apache Foundation’s Log4j version 2.16 release, which addressed the incomplete patch it initially released last week.

    VMware had over 100 products affected by the bug popularly known as Log4Shell and tracked as CVE-2021-44228. But the virtualisation giant has also released a patch to address a critical non-Log4j Server Side Request Forgery (SSRF) vulnerability in its Workspace ONE Unified Endpoint Management (UEM) console. Tracked as CVE-2021-22054, this flaw would allow an attacker with network access to UEM to “send their requests without authentication and may exploit this issue to gain access to sensitive information”, according to VMware’s advisory. The vulnerability got a CVSS score of 9.1 out of 10, and so should be added to the list of priorities for patching before the Christmas break. The bug affects the 2105, 2012, 2011, and 2008 versions of the Workspace ONE UEM console.

    The Cybersecurity and Infrastructure Security Agency and the White House yesterday warned organisations in the US to beware of cyberattacks during the holiday season. Cyber criminals frequently launch major ransomware attacks on public holidays to take advantage of skeleton staffing. CISA has instructed federal agencies to identify all applications affected by the Log4j flaw by 24 December. CISA has published a list of vendors and products affected by the Log4Shell flaw. The Netherlands cybersecurity agency is also updating a list of affected products and vendors, which it published earlier this week.


    This company was hit with ransomware, but didn't have to pay up. Here's how they did it

    There’s never a good time for an organisation to fall victim to a ransomware attack, but for Matthew Day, CIO of Langs Building Supplies, a phone call on May 20, 2021 came at perhaps the worst possible time – before dawn, just as he was about to take time off for the first time in a long time. “I was going on my holidays. But I got a phone call at four o’clock in the morning, saying basically ‘I can’t log in, what’s going on?’” he says. Day got up and made the 30-minute drive to his office in Brisbane, Australia, where the construction, building supplies and home-building company is based, all the while thinking about what the problem could be: perhaps a hardware failure or an unplanned outage?


    The answer became obvious when he arrived and tried to bring up the systems – a ransom note appeared and said: “You’ve been hacked.” Langs had fallen victim to Lorenz ransomware, and the cyber criminals who had encrypted multiple servers and thousands of files were demanding a payment of $15 million in Bitcoin in exchange for the decryption key. Like many ransomware attackers, the cyber criminals also said they’d stolen information and threatened to leak it if the ransom wasn’t paid. “The reality is that’s a pretty scary proposition – but we were quickly able to isolate the attack and disconnect it from the network,” says Day.

    He suspects that Langs was specifically targeted by the criminals behind the attack because of the nature of the business. At the time, the Queensland government was operating a response plan to keep the trade and construction industries in business, while much of Australia was still facing lockdown because of COVID-19. And if a building supplier like Langs was unable to do business, that could affect the whole programme for the regional construction industry. “It’s a macro-level event – it’s not just limited to Langs because if we can’t supply a builder their goods because we’re offline, they can’t build that house. That just ratchets up more pressure,” he says.

    Many victims of ransomware opt to pay the ransom, either because they feel they don’t have any other choice or because they perceive it as the easiest way to restore the network – although, even with the decryption key, it can be a long, drawn-out process. For Langs and Day, however, paying the ransom wasn’t an option – and they had recovery software that allowed them to analyse what data had been encrypted or modified and restore the network from backups stored separately from the rest of the network within a matter of hours, with minimal disruption to services. “I was pretty confident about the data side of things – we use Rubrik. We make sure it’s got multi-factor authentication (MFA) on it and doesn’t have any shared credentials, so it’s a walled garden,” says Day. “These people immediately want to go after your backups because that ratchets up pressure, so if they can’t get to your backups, you’re in a good place.”

    But this didn’t stop the cyber criminals from attempting to extort a ransom payment – they emailed all the staff at Langs, claiming they’d stolen data and threatening to sell it on the dark web if a payment wasn’t received by a particular date. While 13 gigabytes of data had left the network, it turned out to be ping traffic, so it was nothing that could be a security or privacy risk to Langs’ customers or employees. Receiving the emails was a shock to staff, but Day was able to explain the situation and reassure people that, even though cyber criminals had contacted them, there was nothing to worry about. “You’ve got to communicate with people, explain it to them. We were able to show the business that they’re [the cyber criminals] playing chicken and we’re not going to blink first. So we didn’t pay the ransom, the day came – and nothing happened,” says Day.

    The investigation into the incident revealed that hackers initially gained access to the network via a phishing email. But this wasn’t a run-of-the-mill basic phishing email; the attackers had done their research and sent it to a Langs employee from the legitimate email account of a real employee at a supplier that they’d already compromised. Langs had set up allow lists to verify emails coming from known suppliers – and the attackers were able to take advantage of this after examining emails sent and received by the compromised account and specifically tailoring the email that was sent to victims, who opened it and unintentionally triggered the attack. “They responded to an order that we had sent them in the exactly correct manner; this was a really smart play for these guys. It came from a verified account, from a person at a time and in a way that was expected by the user, my staff member, with the correct formatting and quoted the correct valid number, so it wasn’t a fake account, it wasn’t a spoofed account, it was the real deal,” explains Day.
The email asked the user to visit a portal that looked exactly like the website of the supplier, except this one asked for a username and password – and because the victim had been duped into thinking they were responding to a message from a legitimate contact, they entered the information, inadvertently providing cyber criminals with login credentials that they exploited for initial access to the network. But Day doesn’t place blame on the user, because the sophisticated and targeted nature of the phishing email means it would be difficult for most people to identify it as a suspicious message. “We can land planes, 99.9995% of the time, no worries, but it only takes that one decimal place to cause a massive incident, and this is no different – so I can’t be too hard on my user for falling for this, because it looked legit,” he says. That initial access with legitimate credentials allowed the attackers to snoop around the network without being noticed, laying down the foundations to encrypt as much as possible before triggering the ransomware attack. The data recovery and backup software meant that the impact of the ransomware attack was relatively mild, but it could have been much worse – and Day used the incident to examine how cyberscurity at Langs could be improved. SEE: Cybersecurity: Let’s get tactical (ZDNet special feature) One of those tactics was ensuring that multi-factor authentication (MFA) was applied to a wider range of accounts. Day had previously pushed for it to be applied to users, but it was seen as a barrier to productivity. Looking back, he believes if the company had listened to his advice and applied multi-factor authentication, the attack could have been prevented from happening. “I should have stuck to my guns more about external access and MFA. 
Because we’ve been talking about it for quite a while and I was pushing for it, but the company pushed back because it was seen as an onerous burden on the users; one more thing that they have to learn and deal with,” Day says. “If I’d had MFA, we could have stopped this particular attack in its tracks and I’m happy to say we can now have MFA on those external desktops.”

The way the attack originated, via the compromised email account of a supplier, has also led Langs to take a more hands-on approach to the security of its supply chain, helping the suppliers and customers it deals with most to make their networks more resilient to cyberattacks.

“We don’t exist in our own little bubble, our bubble has to include our customers and suppliers in that supply chain life-cycle and make sure we secure it end to end,” Day explains.

Ransomware is one of the most significant cybersecurity threats facing businesses today, but even when organisations successfully fight off a ransomware attack without paying a ransom to cyber criminals, few are willing to talk about what happened. So why is Day willing to speak about it when so few others are?

“Talking about it is a bit of an ‘up yours’ thing. I also want to empower other people to speak out about these things. If I speak about it, nothing bad happens – it just encourages other people to do it,” he says.

Day hopes that speaking about the incident, how it happened and what was learned can help other businesses defend against ransomware and, crucially, help them persuade boardrooms of the importance of taking cybersecurity threats seriously.

“If, by coming forward and talking about these things, I encourage another CIO, IT manager or IT professional to go and have a conversation about how to protect their data, how they handle data governance, or cybersecurity planning and processes, so that they can protect the livelihoods of their employees and their colleagues, it feels better,” he says.
MORE ON CYBERSECURITY

    NSW government casual recruiter suffers ransomware hit

    IT recruitment firm Finite Recruitment has confirmed it experienced a cyber incident in October, which resulted in a “small subset” of the company’s data being downloaded and published on the dark web. The Finite Group incident response team confirmed with ZDNet that when the incident occurred, business operations were not disrupted. “Our security monitoring systems identified and closed down the threat quickly,” they said. “Since then, remedial works have been undertaken and the business has been fully operational.”

    The company’s incident response team added that it has been reviewing what data was stolen in the incident. “Following conclusion of this investigation, we will take steps to immediately contact any impacted stakeholders/individuals in accordance with our privacy obligations. Early indications suggest that only a relatively small number of individuals are impacted,” it said.

    Finite Recruitment is listed on a leak site as one of the victims of the Conti ransomware group for the purposes of double extortion. The listing shows the attackers claim to have stolen more than 300GB of data, including financial data, contracts, customer databases with phone numbers and addresses, contracts with employees’ passport details, phone numbers, mail correspondence, and other information. The recruitment firm currently provides casual support staff to several agencies across the NSW government.

    “The Department of Customer Service is aware of an incident impacting Finite Recruitment’s IT environment and has engaged with the company on the issue,” a NSW Department of Customer Service spokesperson told ZDNet. “The incident has not impacted any NSW government agencies or services.”

    Just last week, the South Australian government confirmed that state government employee data was exfiltrated as part of a ransomware attack on payroll provider Frontier Software. Treasurer Rob Lucas said the company had informed the government that some of the data had been published online, with at least 38,000 employees and up to 80,000 government employees possibly having had their data accessed. The data contained names, dates of birth, tax file numbers, home addresses, bank account details, employment start dates, payroll periods, remuneration, and other payroll-related information.

    Since November, Queensland government-owned energy generator CS Energy has been battling a Conti infection on its corporate network. In an update provided last week, the company said it was continuing to progressively restore its systems.