More stories

  • Hackers pretending to be Iranian govt use SMS messages to steal credit card info, create botnet

    Security company Check Point Research has uncovered a hacking campaign that involves cyberattackers impersonating Iranian government bodies to infect the mobile devices of Iranian citizens through SMS messages. The SMS messages urge victims to download Android applications related to official Iranian services, such as the Iranian Electronic Judicial Services. The first messages typically claim that a complaint has been filed against the victim and that an application needs to be downloaded in order to respond. Once downloaded, the applications allow hackers to access the victim’s personal messages. Victims are asked to enter credit card information in order to cover a service fee, giving attackers access to card information that can now be used. With access to a victim’s personal messages, the attackers can also get past two-factor authentication.

    Check Point Research said the campaign is ongoing and is being used to infect tens of thousands of devices. In addition to the Check Point report, Iranian citizens have taken to social media to complain about the scams. Some Iranian news outlets are also covering the issue.

    “The threat actors then proceed to make unauthorized money withdrawals and turn each infected device into a bot, spreading the malware to others. CPR attributes attacks to threat actors, likely in Iran, who are financially motivated,” the cybersecurity company explained. “CPR estimates tens of thousands of Android devices have fallen victim, leading to theft of billions of Iranian Rial. Threat actors are using Telegram channels to transact malicious tools involved for as low as $50. CPR’s investigation reveals that data stolen from victims’ devices has not been protected, making it freely accessible to third parties online.”

    Check Point’s Shmuel Cohen said in one campaign, more than 1,000 people downloaded the malicious application in less than 10 days. Even if they did not enter credit card information, their device became part of the botnet.

    Alexandra Gofman, threat intelligence team leader at Check Point, told ZDNet that the attacks appear to be a form of cybercrime and not attributed to any state-backed actors. The velocity and spread of these cyberattacks are unprecedented, Gofman said, adding that it is an example of a monetarily-successful campaign aimed at the general public.

    “The campaign exploits social engineering and causes major financial loss to its victims, despite the low quality and technical simplicity of its tools. There are a few reasons for its success. First, when official-looking government messages are involved, everyday citizens are inclined to investigate further, clicking the provided link,” Gofman said. “Second, due to the botnet nature of these attacks, where each infected device gets the command to distribute additional phishing SMS messages, these campaigns spread quickly to a large number of potential victims. Although these specific campaigns are widespread in Iran, they can take place in any other part of the world. I think it’s important to raise awareness of social engineering schemes that are employed by malicious actors.”

    Check Point explained that the cybercriminals behind the attack are using a technique known as “smishing botnets.” Devices that have already been compromised are used to send SMS messages to other devices. The people behind the technique now offer it to others on Telegram for up to $150, providing anyone with the infrastructure to launch similar attacks easily. Even though Iranian police were able to arrest one of the culprits, there are dozens of different cybercriminals in Iran using the tool now. The company estimates that about $1,000 to $2,000 has been stolen from most victims. The attackers are also offering the personal information that was stolen to others online. Gofman added that the general population of Iran is now in a situation where cyberattacks significantly impact day-to-day lives.

    These attacks began with railways, Gofman said, noting that the company traced that attack to a group called Indra. “The attacks continued with gas stations, and then the national aviation company. Now, we’re seeing yet another cyberattack that shows how even pure cybercrime can make headlines and chaos, hurting many in Iran,” Gofman said. “Although we do not see a direct connection between these latest cyberattacks and the major aforementioned attacks, our latest insights show how even unsophisticated cyber attacks create significant damage on Iran’s general population.”

  • Microsoft seizes domains used to attack 29 governments across Latin America, Caribbean, Europe

    Microsoft has announced the seizure of dozens of domains used in attacks by the China-based APT group Nickel on governments and NGOs across Europe, the Americas and the Caribbean. In two blog posts published on Monday, Microsoft vice president Tom Burt, the Microsoft Digital Crimes Unit and the Microsoft Threat Intelligence Center said they have been tracking Nickel since 2016 and that a federal court in Virginia granted the company’s request to seize websites the group was using to attack organizations in the US and other countries.

    Burt explained that on December 2, the company filed lawsuits in the US District Court for the Eastern District of Virginia that would allow them to “cut off Nickel’s access to its victims and prevent the websites from being used to execute attacks.”

    “We believe these attacks were largely being used for intelligence gathering from government agencies, think tanks and human rights organizations,” Burt said. “The court quickly granted an order that was unsealed today following completion of service on the hosting providers. Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities. Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”
    The attacks — which involved inserting hard-to-detect malware that enabled intrusions, surveillance and data theft — targeted organizations in Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the UK, US and Venezuela.

    The Microsoft Threat Intelligence Center found that sometimes, Nickel was able to compromise VPN suppliers or obtain stolen credentials, while in other instances they took advantage of unpatched Exchange Server and SharePoint systems.

    The company noted that no new vulnerabilities in Microsoft products were used as part of the attacks. But once attackers were inside of a network, they looked for ways to gain access to higher-value accounts or other footholds in the system. Microsoft said they saw Nickel actors using Mimikatz, WDigest, NTDSDump and other password dumping tools during attacks.

    “There is often a correlation between Nickel’s targets and China’s geopolitical interests. Others in the security community who have researched this group of actors refer to the group by other names, including ‘KE3CHANG,’ ‘APT15,’ ‘Vixen Panda,’ ‘Royal APT’ and ‘Playful Dragon,’” Burt explained. “Nation-state attacks continue to proliferate in number and sophistication. Our goal in this case, as in our previous disruptions that targeted Barium, operating from China, Strontium, operating from Russia, Phosphorus, operating from Iran, and Thallium, operating from North Korea, is to take down malicious infrastructure, better understand actor tactics, protect our customers and inform the broader debate on acceptable norms in cyberspace.”

    Burt added that so far, Microsoft has filed 24 lawsuits that allowed them to take down more than 10,000 malicious websites from cybercriminals and almost 600 from nation-state groups.

    Jake Williams, CTO of BreachQuest, noted that the techniques used by Nickel after initial access are fairly pedestrian, while many of the other tools are readily available and widely used by penetration testers. “While NICKEL certainly has access to tools that are far more capable, they turn back to these commonplace tools because they work,” Williams said. “That these readily available tools can operate at all speaks to the level of security in target networks.”

  • Losses from BitMart breach reach $200 million

    Crypto trading platform BitMart released an update on the devastating security breach that caused about $200 million in losses, writing on Monday that the breach was “mainly caused by a stolen private key that had two of our hot wallets compromised.”

    On Saturday, the platform said a security breach allowed hackers to withdraw $150 million worth of cryptocurrency. Blockchain security company PeckShield said the losses were actually around $196 million, with about $100 million in various cryptocurrencies coming from the Ethereum blockchain and $96 million coming from currencies on the Binance Smart Chain. BitMart suspended withdrawals on December 4 after securing the affected Ethereum and Binance Smart Chain hot wallets.

    “Other assets with BitMart are safe and unharmed. BitMart will use our own funding to cover the incident and compensate affected users. We are also talking to multiple project teams to confirm the most reasonable solutions such as token swaps,” the company said on Monday. “No user assets will be harmed. We are now doing our best to retrieve security set-ups and our operation. We need time to make proper arrangements and your kind understanding during this period will be highly appreciated. In terms of asset deposit and withdrawals, we are confident that deposit and withdrawal functions will gradually begin on December 7, 2021.”

    BitMart CEO Sheldon Xia will hold a press conference on Monday night to discuss the breach and how those affected will be compensated. CNBC reported that the hackers behind the attack used 1inch and Tornado Cash to exchange the stolen coins for other cryptocurrencies and make it more difficult to be tracked.

    Hackers have repeatedly attacked cryptocurrency and DeFi platforms over the last year. Just last week, cybercriminals stole about $120 million from DeFi platform Badger. 

    Paul Bischoff, privacy advocate with Comparitech, told ZDNet that the BitMart hack is the sixth-largest cryptocurrency heist of all time by amount of funds lost and the second big crypto heist this month that made the top 10. Several headline-grabbing hacks have taken place this year, including thefts of more than $600 million from Poly in August and $34 million from Cream Finance in September.

    Comparitech keeps a running list of attacks on cryptocurrency platforms and DeFi companies, which include the 2018 hack on Coincheck that involved $532 million and the Mt. Gox attack involving $470 million. In May, about $200 million was stolen from the PancakeBunny platform.

    “Although blockchains are reasonably secure and reliable, the same isn’t always true for the exchanges where people buy, sell, and trade crypto. Exchanges, even though they function like banks, are not insured (e.g. by the FDIC). If the exchange loses assets that belong to its customers via an external hack or inside job, customers might have no recourse to recover their funds,” Bischoff said. “It’s difficult for customers to know which exchanges have sufficient security and make an informed choice. An exchange that operates 10 years without a security incident can still be crippled and put out of business by a single large-scale heist.”

    The Record also keeps a tally of cyberattacks on cryptocurrency platforms, noting recent attacks on Liquid, Cream Finance, EasyFi, bZx and many other platforms.


  • Security experts question new DHS/TSA cybersecurity rules for rail companies

    On Thursday, the Department of Homeland Security (DHS) released new rules for the US’s freight railroad and passenger rail transit industry. The rules make it mandatory for companies to have a cybersecurity coordinator, report cybersecurity incidents to CISA, complete a cybersecurity self-assessment and create a cyber-incident response plan.


    DHS officials repeatedly said the new rules were made after consultation with industry experts and meetings with rail companies. They added that the rules were pushed by the Transportation Security Administration (TSA) after CISA informed them of legitimate threats facing the rail industry. The government agency has faced backlash this year from companies in a variety of industries — as well as senior Republican lawmakers — for cybersecurity rules that some have called onerous and unnecessary.

    In October, Senators Roger Wicker, John Thune, Cynthia Lummis, Todd Young, Deb Fischer — all Republican leaders on the Committee on Commerce, Science and Transportation — slammed DHS’ use of emergency authority to push new rules for US railroad and airport systems, questioning whether they were “appropriate absent an immediate threat.”

    The Republican lawmakers said the “prescriptive requirements” rolled out by TSA “may be out of step with current practices” and may “limit affected industries’ ability to respond to evolving threats, thereby lessening security.” They also claimed the rules will impose “unnecessary operation delays at a time of unprecedented congestion in the nation’s supply chain.”

    “Rather than prescriptive requirements that may not enhance capabilities to address future threats, TSA should consider performance standards that set goals for cybersecurity while enabling businesses to meet those goals,” the senators wrote. “If a determination is made to proceed with specific mandates, the notice and comment process would at least allow for thoughtful consideration of industry practices and concerns.” The senators additionally claimed that current practices are “working well.”

    When asked about the latest regulations handed down by TSA for the rail industry, many cybersecurity experts involved in the rail industry expressed concern about how the new rules would work in practice.

    Jake Williams, CTO at BreachQuest, told ZDNet that at a high level, the directives seem reasonable. But a closer look at the new rules raised questions about how CISA would handle the deluge of incident reporting that is now required.

    “Section B.2.b of the Enhancing Rail Cybersecurity directive mandates the reporting of the discovery of malicious software on any IT system within 24 hours of discovery. It is hard to imagine how TSA will benefit from knowing about every malicious software discovery on every IT system,” Williams said. “Taken at face value, railway operators would have to report every piece of commodity malware that is discovered in the environment, even if antivirus or EDR prevented that malware from ever executing. Even if railway operators were properly staffed to create these reports, the TSA will likely miss significant reports buried in the noise. The onerous reporting requirements will likely reduce railway security, at least in the short term, as understaffed teams dedicate resources to reporting rather than network security.”

    Williams added that these policy language issues are typically discovered during the public comment period, which TSA chose to forego. “There are likely other significant issues in the two railway cybersecurity directives released by TSA without a public review period,” Williams noted.

    Ron Brash, vice president at ICS/OT software security firm aDolus Technology, echoed Williams’ concerns about the reporting requirements, explaining that most organizations lack the skill and resources to comply.


    “Currently, beyond the obvious attacks such as ransomware, the majority of organizations have trouble differentiating between accidental and malicious events. For example, a forklift may clip a utility pole, and a fibre optic run is severed — connectivity may degrade or come to a full halt. Legislation such as this may result in overzealous behaviors because coordinators may jump to immediately claiming everything is cyber-related if the clock is fiercely ticking away, or conversely potentially result in the opposite of the intended effect: organizations may avoid reporting and improving infrastructure visibility altogether,” Brash noted. “I hope neither occurs as that is counterproductive to the spirit of the objective and may discourage proactive action. If Biden’s XO for SBOMs and supply chain transparency overflow into rail and transportation, organizations will need accelerated security program growth and maturity yesterday. This is both a good thing and a bad thing because infrastructure resiliency certainly may increase, but bad because the overall amount of foundational catch up may lead to overanalysis paralysis or poor budget allocation.”

    He also said overly prescriptive approaches may result in too rigid of a structure and focus on the wrong elements, leading to a checkbox ticking exercise versus actual efforts to reduce cybersecurity risk.

    Amir Levintal, CEO of rail cybersecurity company Cylus, said the rail industry has made significant technological advances in the last decade, with digitization helping companies improve service, efficiency, comfort, communications, and more. But these efforts have also expanded the rail industry’s threat landscape for hackers, Levintal said.

    “The TSA’s new directives, which require railways to bolster their cybersecurity measures, come as a direct response to the innovations the rail industry has onboarded recently and the resulting threats, and these regulations — along with similar ones in the EU — will only evolve as new technologies continue to be adopted across the planet,” Levintal explained.

    Despite the concerns about the new reporting requirements, some experts said the rail industry’s cybersecurity risks outweighed worries about overzealous reporting. Coalfire vice president John Dickson said that the potential for disruption is high given existing supply chain bottlenecks and the nature of rail networks. He noted that one or two key rail lines service entire regions of North America that are vulnerable to disruption and might cripple the US economy like the Colonial Pipeline event almost did.

    “We have not witnessed a rail industry event on the level of Colonial Pipeline, but a ransomware disruption, let alone a targeted attack, is a plausible scenario. Ransomware specifically, and malware automation generally, has lowered the bar so significantly for attackers that DHS CISA should be concerned and is well served to push the industry more,” Dickson said. “The railroad industry, particularly the freight portion of the railroad industry, is generally not considered to be on the bleeding edge of cybersecurity. It’s doubtful that without a regulatory ‘nudge’ from the Federal government, they are likely to not increase their cybersecurity hygiene on their own accord.”

    Padraic O’Reilly, chief product officer of CyberSaint, called the new rules a “good and timely development” that is “long overdue” because the rail industry is a vulnerable piece of the US critical infrastructure. With the 24-hour reporting requirement as the baseline, the industry will be moved on to the right track, O’Reilly explained, adding that it was good that government agencies had consulted groups like the Association of American Railroads (AAR) before releasing the regulations.

    The AAR said they and other rail industry groups had been consulting with Secretary of Homeland Security Alejandro Mayorkas and the TSA since October to “revise provisions that would have posed challenges in implementation.” The group said that with the latest regulations, “a number of the industry’s most significant concerns have been addressed.” All Class I railroads and Amtrak, as well as many commuter and short line carriers, already have chief information security officers and cybersecurity leads who will serve as the required cybersecurity coordinators, according to the AAR. Many companies also conduct cybersecurity assessments on a recurring basis and have been reporting some cyber threats to CISA through AAR’s Railway Alert Network (RAN).

    “For the better part of two decades, railroads have thoughtfully coordinated with each other and government officials to enhance information security, which has proven to be an effective, responsive way of addressing evolving threats,” said AAR President and CEO Ian Jefferies. “Let there be no mistake — railroads take these threats seriously and value our productive work with government partners to keep the network safe.”

  • A cyber attack has forced supermarket Spar to close some stores

    A cyber attack has forced supermarket chain Spar to close some of its UK stores. The retailer, which has 2,600 locations in the UK, said it has been hit by what it describes as an “online attack”, leaving some stores without the ability to take payments by card.

    “There has been an online attack on our IT systems which is affecting stores’ ability to process card payments, meaning that several Spar stores are currently closed. We apologise for any inconvenience, we are working as quickly as possible to resolve the situation,” Spar UK said in a tweet sent to customers asking why branches of the store in areas of the country, including Yorkshire and Lancashire, were closed.

    Some stores appear to have been suffering issues since Sunday, meaning that this is a multi-day incident, and one customer commented that stores with accompanying petrol stations were closed. It’s currently unclear what sort of “online attack” has forced the stores to close, but a Spar spokesperson confirmed that a number of stores have been affected by a cyber attack against James Hall & Co Ltd, a business which supplies Spar stores across the North of England.

    “James Hall & Company are currently aware of an online attack on its IT system. This has not affected all SPAR stores across the North of England, but a number have been impacted over the past 24 hours and we are working to resolve this situation as quickly as possible,” said a Facebook post by Spar Oswaldtwistle.

    ZDNet has attempted to contact James Hall & Co but hasn’t received a response at the time of publication. The website of the company is also down at the time of writing.

    “We are aware of an issue affecting Spar stores and are working with partners to fully understand the incident,” an NCSC spokesperson told ZDNet. “The NCSC has published guidance for organisations on how to effectively detect, respond to, and resolve cyber incidents.”

  • Hackers are using this new malware which hides between blocks of junk code

    A Russian-government backed hacking group linked to the SolarWinds supply chain attack has developed new malware which has been used to conduct attacks against businesses and governments in North America and Europe in a campaign designed to secretly compromise networks, steal information, and lay down foundations for future attacks. The attacks also involve the compromise of multiple cloud and managed service providers as part of a campaign designed to enable the hackers to gain access to clients downstream from the vendors in supply chain attacks.

    The wide-ranging campaign has been detailed by cybersecurity researchers at Mandiant who’ve linked it to two hacking groups they refer to as UNC3004 and UNC2652. Mandiant associates these groups with UNC2452 – also known as Nobelium in reports by Microsoft – a hacking operation that works on behalf of the Russian Foreign Intelligence Service and was behind the cyber attack against SolarWinds. However, while each of these hacking operations works out of Russia and they appear to share similar goals, researchers can’t say for certain that they’re all part of one unit.

    “While it is plausible that they are the same group, currently, Mandiant does not have enough evidence to make this determination with high confidence,” said the report.

    The newly detailed campaigns include the use of a custom-developed malware downloader which researchers have called Ceeloader.

    Written in the C programming language, the malware decrypts shellcode payloads to be executed in the memory of the victim Windows machine, enabling the distribution of further malware. Ceeloader hides from detection with the use of large blocks of junk code, which makes the malicious code undetectable to anti-virus software.

    “An obfuscation tool has been used to hide the code in Ceeloader in between large blocks of junk code with meaningless calls to the Windows API. The meaningful calls to the Windows API are hidden within obfuscated wrapper functions that decrypt the name of the API and dynamically resolve it before calling,” the report said.

    It isn’t clear how Ceeloader is distributed, but it provides a stealthy gateway for further malicious activity. Other tactics which the attackers use include the abuse of the legitimate penetration testing tool Cobalt Strike to place a backdoor on the compromised system which can be used to execute commands and transfer files, as well as providing a keylogger that can be used to steal usernames and passwords.

    In addition to the deployment of malware, the attackers have compromised targets via cloud services. Like other Russia-linked hacking campaigns, these attacks also target remote desktop protocol (RDP) log-in credentials. But no matter how the network was compromised, the organisations under attack appear to align with those targeted in previous campaigns attributed to the Russian state.

    “We have seen this threat actor ultimately target government entities, consulting organisations, and NGOs in North America and Europe who directly have data of interest to the Russian government. In some cases, they first compromised technology solutions, services, and reseller companies in North America and Europe that have access to targets that are of ultimate interest to them,” Douglas Bienstock, manager of consulting at Mandiant, told ZDNet.

    For the attackers, targeting cloud service providers via the new and existing methods of compromise detailed by the report remains one of the key methods of compromising a wide range of organisations. By compromising the supplier, they have the potential to gain access to systems of customers. Incidents like the SolarWinds supply chain attack attributed to the Russian state, plus cybercriminal activities like the Kaseya supply chain compromise and ransomware attack, have demonstrated what a powerful tool this can be for hostile cyber campaigns – which is why cloud providers and their services remain a prominent target.

    “By compromising the environment of a single cloud service provider, the threat actor may be able to access the networks of multiple organisations they are interested in that are customers of that provider. In this way, the threat actor can focus their efforts on a small number of organisations and then reap large rewards,” said Bienstock.

    Mandiant researchers say they’re aware of a few dozen organisations who’ve been impacted by campaigns in 2021, and in cases where they’ve been compromised by any attackers, steps have been taken to notify them. It’s expected that the Russia-linked hackers – and other offensive cyber operations – will continue to target organisations, supply chains, and cloud providers around the world. Mandiant has previously released advice on hardening networks against attacks, which includes enforcing multi-factor authentication across all users.

  • Brace yourself for these five top data breach trends in 2022, Experian warns

    In its latest annual Data Breach Industry Forecast released Monday, credit bureau and information services company Experian said that it has identified five areas it believes cybercriminals will find opportunities to exploit in 2022. The findings were made based on the observation that as people throughout the world become more digitally connected online than ever before, thanks in part to the global pandemic, so too is the potential for institutions, infrastructures, and personal lives to be more exposed to cybercriminals. “Big institutions remain vulnerable, despite spending millions on security, and cybercriminals have plenty of opportunities to exploit weak technologies,” the report said.

    Experian identified five top data breach trends to expect in 2022:

    1. Digital assets

    Digital assets, such as cryptocurrencies and non-fungible tokens, or NFTs, will become greater targets of attack as society accepts them as legitimate parts of the financial and technological landscape. This prediction couldn’t have come at a better time as crypto-currency exchange BitMart reported over the weekend that hackers stole about $150 million worth of tokens from its so-called “hot wallets.” Blockchain security and data analytics company PeckShield, which first noticed the breach, estimated that BitMart’s loss was closer to $200 million: $100 million on Ethereum and $96 million on Binance Smart Chain.

    2. Natural disasters

    Natural disasters will prompt people to donate more to aid organizations online, resulting in both donors and people in distress becoming more prone to phishing attempts from groups disguised as charitable organizations. To complicate things further, Experian said unreliable global supply chains will make the sourcing of emergency goods more difficult, which will provide another opportunity for online thieves to take advantage.

    3. Remote workers

    Remote workers will be targets of data thieves who are looking to hack into businesses and institutions. The report said that because home wireless networks are more vulnerable than many business VPNs, companies will need to focus more on security compliance from their employees. “Employees will need training on matters like how to spot a phishing attempt, or how to respond to a ransomware attack,” according to the report.

    4. Physical infrastructure landmarks

    Physical infrastructure landmarks, such as electrical grids, dams, and transportation networks, will be greater targets by hackers, both foreign and domestic, who will attempt to steal some of the trillions of dollars Congress approved under the Biden infrastructure bill. Experian said that these bad actors will attempt to steal during the process of fund disbursement using a variety of scams from phishing to CEO fraud. “The sums are so large, and their distribution involves so many institutions and processes – from Treasury vendors to banks, to individual contractors – that hackers will be probing for weaknesses in the money supply chain,” the report said.

    5. Online gambling scams

    As online sports betting becomes legalized in more states, phishing scams will target online gamblers, especially those who are new to online betting. And as online gambling becomes more legal, online scammers will be harder to detect. Experian predicts that common forms of thievery will include gambling using stolen credit card info, hijacking an account either through hacking or correctly guessing a password, or impersonating a legitimate online casino. Experian also noted that as cryptocurrency becomes more popular in online gambling, and more sites incorporate it for ease of use, hackers will attempt to break into digital wallets.

    Data breaches remain a strong threat. In a recent report by the Identity Theft Resource Center, there have been 1,291 data breaches in 2021, as of September 30, 17% more than the 1,108 breaches reported during all of 2020.

    “Cybercriminals have honed in on pandemic disruptions this past year so security professionals need to shore up security protocols and have data breach response plans in place – especially for ransomware – should a breach occur,” said Michael Bruemmer, global vice president of Experian Data Breach Resolution, who published the report. “Businesses must increase their focus and move past simply catching up to the ‘new normal’ in how they operate,” he added.

  • ASIC says financial market cyber resiliency remained steady but fell short of target

    Firms in Australia’s financial market have continued to be resilient against cyber threats, with improvement rates in cyber resiliency remaining steady, the Australian Securities and Investments Commission (ASIC) reported on Monday.

    This finding was published in the corporate regulator’s latest report [PDF], which compiled trends from self-assessment surveys completed by financial markets firms. The report, titled Cyber resilience of firms in Australia’s financial markets: 2020–21, is an update to a similar cyber resilience report published by ASIC two years ago.

    In both 2020 and 2021, ASIC asked participants to reassess their cyber resilience against the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST Framework allows firms to assess cyber resilience against five functions: identify, protect, detect, respond, and recover, using a maturity scale that records where they are now and where they intend to be in 12-18 months.

    In the new report, ASIC identified that cyber resiliency among firms operating within Australia’s financial market increased by 1.4% overall, but this fell short of the 14.9% improvement targeted for the period. It was also lower than the 15% improvement achieved between 2017 and 2019. ASIC attributed the shortfall to a combination of reasons, including overly ambitious targets, a rise in the cyber threat environment, and disruptions caused by the COVID-19 pandemic, which resulted in organisations directing resources towards enabling secure remote working and ensuring products and services could be delivered to customers as supply chains were burdened by growing cyber activity.

    Improvement in cyber resilience preparedness between cycles (by function).
    Image: ASIC
    Overall, 2021 saw improvements in the management of digital assets, business environment, staff awareness and training, and protective security controls.

    “Firms operating in Australia’s markets continue to be resilient against a rapidly changing cyber threat environment. The COVID-19 pandemic has increased opportunities for threat actors to target remote workers, and access remote infrastructure and supply chains critical to the delivery of products and services. However, the response from firms has been robust,” ASIC commissioner Cathie Armour said.

    The report said 90% of firms strengthened user and privileged access management, 88% of firms ensured users were trained and aware of cyber risks, and 86% had mature cyber incident response plans in place. Other key findings from the report included that the gap between large firms and small to medium-sized enterprises (SMEs) continued to close, with SMEs recording an overall improvement of 3.5%. In contrast, larger firms reported a slight drop in confidence of 2.2%, ASIC said.

    “This comes off a strong base and can be attributed to large firms reassessing their response and recovery capabilities in light of: Increased complexity of their business operating models [and] a significant increase in threats to critical products and services reliant on third parties and supply chains,” the corporate regulator said.

    ASIC also highlighted that the greatest gap between larger firms and SMEs continued to be in supply chain risk management, where 40% of SMEs indicated weak supply chain risk management practices, although a majority of firms identified this as an ongoing priority over the next period. Investment in cyber resiliency by credit rating agencies increased during the period, ASIC said, triggered by the 2017 Equifax incident, while investment banks continued to set high targets for all NIST Framework categories.

    The release of the report follows ASIC recently putting forward a recommendation for market operators and participants to simulate outages and recovery strategies to improve resiliency. That recommendation came off the back of an investigation into the Australian Securities Exchange (ASX) software issues that arose when the refresh of its trade equity platform went live in November last year, causing the exchange to pause trade.