Australian Cyber Crime Monthly Report: January 2024

Welcome to Cyber Daily’s third Australian Cyber Crime Monthly Report – a collection of incidents, hacks, and more collated from a combination of open-source intelligence feeds and our own observation of incidents and dark net posts.

The information presented here is as accurate as Cyber Daily can confirm, though it must be said that you cannot always rely upon the word of criminals, and navigating the darknet can lead to a lot of dead-ends. This data is presented as a broad snapshot and should not be acted upon in isolation. We also understand that there are likely many incidents that go unreported by either victim or threat actors. Many hacking groups are just as concerned with branding and PR as any main street company, and so some groups may be more heavily represented than others purely because they are louder.

The Australian Cyber Crime Monthly Report is an ongoing work in progress, work we are hoping to refine and improve as we continue.

You can read the December 2023 report here.

Ransomware

Operators: Qilin, 8Base, Trigona
Companies targeted: Four
Total data allegedly impacted: At least 57 gigabytes

After a hectic December that saw LockBit hit three Australian companies, this month, the ransomware-as-a-service operator has been busy elsewhere. In fact, that seems to be the case across the board, with just four observed ransomware incidents this month.

8Base was the most prolific actor on Australian networks this month, claiming two hacks. It posted 16 gigabytes of data belonging to an importer and distributor of global cycling brands, while it is also threatening to publish data belonging to a manufacturer of mining equipment parts.

VIEW ALL

The gang has been busy globally, as well, ranking second behind LockBit when it comes to overall victims for January, but it’s a rather laid-back operation when it comes to its leak site. No matter the victim, 8Base always claims to have the same data:

• Invoice
• Receipts
• Accounting documents
• Personal data
• Certificates
• Employment contracts
• A huge amount of confidential information
• Confidentiality agreements
• Personal files
• Other

No matter who the victim is, that’s the boilerplate copy that 8Base shares under each leak, regardless of what actually is in that leak. That said, its leaks do usually contain a lot of that, so maybe the gang’s web team is just working smarter, not harder.

The Qilin gang exfiltrated and published over 37 gigabytes of data from sheet music company Hal Leonard Australia, which included employee contact lists, details of third-party contracts and payments, debt notices and more. It’s the kind of stuff that some nuisance could be made of – we’d recommend the company’s employees keep an eye on HaveIBeenPwned, for instance – but recent research from the UK suggests that data leaked in this way is rarely used as maliciously as many people think.

It’s the threat of publication that makes ransomware tick, not the sharing of actual data, according to the Royal United Services Institute.

The Trigona gang was also active, sharing proof-of-hack data belonging to a Victorian car dealership. This one’s a little trickier, and we’re looking closely, as the evidence so far suggests the hackers have access to scans of valid passports and driver’s licenses belonging to foreign nationals the company employs. That is very much the kind of data that can cause more than a little nuisance, and companies that hold that data really need to do better securing it.

There's also a new development in the Eagers Automotive incident from last month – which caused the company to halt trading. LockBit has now posted a new ransom deadline - a clear attempt to strongarm the victim. Bully tactics, really.

But other than that, it’s been one of the quietest months for ransomware in a while. It won’t last.

Data breaches

Claimed: 12
Apparently legitimate: About six

Another busy month for Australian data being sold on hacking forums, and another month where not every breach is as dire – or even real – as it seems.

Mining hardware manufacturer Keech fell foul of a hacking collective called the StarsX Team, but that Telegram post was removed. However, a member of an English-language hacking forum got the data and shared the 125-megabyte file on a hosting service. It’s a SQL database, but not a large one, and it appears to be a selection of spam emails caught by some sandbox security environment. It is not the most actionable data, and it was being given away for free – which tells you how useful the data is.

A Victorian cab service had a detailed list of trip details shared by another Telegram-based collective, this time, one called Russian Army Cyber Team. There were a number of other minor breaches, each only containing a few hundred or few thousand lines of data, and in many cases, on Russian-language forums that are very particular about who they let in – and it’s certainly not anyone from our IP address.

Another hacker made the alarming claim that it had managed to obtain credit card details from an Australian corporate finance outfit, but the company, Cape, appears on top of the situation – it was aware of a December incident, is investigating it, and is certain the post is making claims it cannot back up, as it does not keep credit card details on internal records.

Probably the most interesting incident occurred on Australia Day, when an individual calling themselves Jasperoliverx posted on a popular hacking forum that he had the details of a whopping 25 million Australians for sale.

“Australia Consumer Optimised 25 Million Leads,” the post said. And from what we can see, the list – which includes emails and addresses – appears to be legit. There’s even a small sample to prove the data is real, but almost every email address in that list has been shared online multiple times as part of multiple breaches and datasets.

We’ll be looking into that in more detail in a future article, as it’s a fascinating example of how these “optimised” lists get built and reshared.

More recently, it appears that Football Australia was a little lax with its AWS set-up and left a lot of keys accidentally exposed online, giving anyone with them access to 127 AWS buckets, or digital storage containers.

That is a LOT of data to accidentally expose, including player contracts.

“While we cannot confirm the total number of the affected individuals, as it would require downloading the entire dataset, contradicting our responsible disclosure policies, we estimate that every customer or fan of Australian football was affected,” said researchers at CyberNews, who first revealed the incident.

Football Australia has yet to make a statement.

Defacements

Number of sites allegedly defaced: three

Defacements dropped off drastically after a December high of 14 incidents. Once again, most were politically motivated by supporters of Hamas, so we imagine as that conflict goes on, many groups are going to lose steam and look for other targets.

However, one incident of note appears to have entirely disrupted the website of iEnergy Australia, which is a software developer within the electricity industry. Team 1722 replaced iEnergy’s landing page with a graphic that basically amounted to “WE WERE HERE” for weeks following the initial hack, and even now, the website is returning a 503 error.

Such attacks are often nuisances at best, but this one seems downright devastating.

Other incidents

We saw a handful of largely inconsequential distributed denial-of-service (DDoS) attacks, including one against the Australian embassy in Israel, but – again – any disruption caused was brief at most, despite the crowing of the largely pro-Hamas hackers responsible.

A group calling itself the NIXON CYBER TEAM – which appears to be linked to old friends Anonymous Bangladesh – had a particular bone to pick with the Indian Support Centre, which is targeted with both a DDoS and a defacement attack. Neither has had any last effect on the site, however.

More worrying this month is the sheer number of brokers auctioning remote desktop access to Australian companies.

Ten different organisations were listed, mostly on Russian-language forums, and never by name. They’re listed with cryptic notations such as “Industry: Freight & Logistics”, with company information taken from corporate listings. They include the company’s revenue, the number of network users, level of access for sale, and even what security measures may be running on the target network.

So that’s 10 unidentified companies that could well find themselves on the wrong end of some form of malicious cyber activity.

One other broker was selling access to an unnamed online retailer’s WordPress back end, with possible access to credit card information.

The round-up

We wondered last month if January would see the same month-on-month increase that we saw from November to December, and the answer is no. In January, we observed 34 instances of, or claims of, hacking Australian entities, compared to December’s 46. Ransomware dropped off drastically in the country, following the global downward trend of unique incidents.

Once again, the sheer breadth of victims shows that hackers will take any target of opportunity that presents itself. These groups use legitimate networking tools to scan for instances of vulnerable infrastructure and will pounce when they say weakness. Politics is still driving a lot of activity, but it’s definitely been a quieter month.

See you again at the end of the month. If you’ve suffered a ransomware attack, or any other form of cyber attack, please feel free to tell us your story – email [email protected] if you think there’s something we should be writing about.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.