Australian Cyber Crime Monthly Report: February 2024

Welcome to another Australian Cyber Crime Monthly Report – a record of all the observed and attributable cyber incidents we’ve been tracking for the last few weeks.

The information presented here is as accurate as Cyber Daily can confirm. It’s often based on the reporting from the criminal element itself, but wherever possible, we make an effort to confirm that what we see on our threat feeds has actually happened and actually impacts an Australian organisation.

We could not do this without the hard work of the analysts and researchers who compile our threat feeds, but it must be said that we do spot some false positives slipping through. Sometimes, it’s the threat actors themselves not realising where their data comes from; other times, it’s just a simple case of mistaken identity. In one case, a US organisation was mistaken for an Australian one in a data breach report, but upon examination, we were able to confirm no Australians had been impacted.

This data is presented as a broad snapshot, and should not be acted upon in isolation. We also understand that there are likely many incidents that go unreported, by either the victim or threat actor.

The Australian Cyber Crime Monthly Report is a work in progress, work we are hoping to refine and improve as we continue.

You can read the January 2024 report here.

Ransomware

Operators: Medusa, Hunters International, Black Basta, ThreeAM, LockBit
Companies targeted: Five
Total data allegedly impacted: At least 395 gigabytes

VIEW ALL

With LockBit being taken down earlier this month, we did not expect to see the gang turning its attention our way, even after it seemingly got itself back up and running. But at the very last minute, the gang proved us wrong.

On 29 February, LockBit claimed it had data belonging to retail software vendor GaP Solutions. The gang has not provided any proof-of-hack data, nor has it said how much data it has. We’ve heard some analysts suggest that the victims being posted to LockBit’s leak site right now are all old hat – that they’re ransomware attacks carried out before LockBit’s takedown. They’re being published now to give the impression the gang is still in business and to make at least some money for past efforts. The deadline for GaP to pay up is around 20 May, so that’s one to keep an eye on.

GaP is aware of the attack and has said that no customer data was affected.

Organic healthcare brand Kadac Australia fell victim to the Medusa ransomware gang on 12 February. The gang is now offering the data for sale and has posted some proof-of-hack documents, mostly purchase orders and details of stock levels, with various customers and distributors. One sample document was a list of employees, along with their super fund details. Not ideal.

Interestingly, Medusa hasn’t simply posted the data and been done with it, which is its normal modus operandi. The ransom deadline has passed (the gang was asking a very low US$100,000 not to publish the data), but now the group seems to be trying to sell it to anyone interested.

The Hunters International group listed mining equipment manufacturer Finlay Screening & Crushing Systems as a victim on its rather detailed leak site on 20 February. It has not shared a ransom deadline nor posted any other details of the hack, however. Finlay has not responded to Cyber Daily’s request for comment, so this will be one to watch to see if Hunters pulls the trigger and publishes.

Data management firm ZircoDATA has had a very bad time with the Black Basta ransomware gang this month. The hackers claimed to have 395 gigabytes of ZircoDATA data (the only gang this month to share the amount of data it exfiltrated) on 22 February, and shared a lot of passport scans to prove its point. ZircoDATA is investigating the incident, we’ve been told, but this one looks very messy, as there are a lot of passports belonging to foreign nationals in the leak – ones that do not appear to be ZircoDATA employees.

The ThreeAM gang – a smaller operation we’ve not seen much of locally – added Preston General Engineering to its leak site. Preston is a division of metal fabricator Abcor, and ThreeAM is in the process of slowly releasing the stolen data. Mostly internal documents so far, including some HR forms, but it’s only 15 per cent of the total data set that ThreeAM claims to have. No doubt the gang is trying to put the pressure on.

But just five ransomware attacks this month, which is certainly a change from the high tempo of late last year. There were over 20 ransomware attacks on Australian organisations in the last two months of 2023 alone.

Data breaches

Claimed: Nine
Apparently legitimate: Five

It was a slower month for leaks and breaches, too, with only five legitimate posts on various hacking forums offering up Australian data for sale.

Many of them were on the smaller side, thankfully, while others were on Russian-language forums that we simply don’t have visibility into. The majority of the leaks involved 1,000 people or less, while one was a leak of data belonging to a single sole trader in Queensland. Bad for that one guy, sure, but hardly headline news.

But there was one big data breach. A hacker by the name of zxcv16 shared the details of what they claimed was more than 650,000 customers of Aussie Vapes – an Australian store that sells, you guessed it, vapes.

The data certainly seemed legitimate, but close examination showed that of the 10 lines of sample data shared by the hacker, all the victims had previously been included in last year’s Dymocks breach. So, real breach or opportunism – you be the judge.

There were also a few hackers attempting to sell data that was either well out of date or from previously reported breaches. These data sets often do the rounds, surfacing, getting bought, and then circulating at a cheaper price point or even for free months or even years after the fact. Even in the world of illicit data sales, the buyer really does need to beware.

Defacements

Number of sites defaced: One

Website defacements continued to drop drastically this month, with only one Australian site earning the ire of a hacktivist group – and it’s always hacktivists that get into site takeovers.

That said, the one defacement this month appears to have knocked the website of furniture retailer Lava Deals entirely offline. It occurred on 8 February, and at the time, the site was hosting the logo of the hacking group – Ethersec Team Cyber – alongside some very MySpace-era animated gifs and anti-Israel messaging.

Now, however, the site and all related pages seem down entirely. We’ve seen a couple of websites severely impacted by defacement attacks in the last couple of months, and with fighting still raging in the Gaza Strip, these pro-Palestinian attacks will likely continue, even if they are slowing down overall.

Other incidents

We didn’t see any distributed denial-of-service (DDoS) strikes against Australian targets this month, which is a welcome change, but rather, more unwelcome is the sheer number of people selling access in some form or another to Australian networks and websites.

Cyber Daily observed 11 distinct offers of access to Australian companies: remote desktop access, access to WordPress back ends, and even access to a Synology NAS in one instance. Almost all of these for-sale posts are on Russian-language forums, which are very careful who they let sign up – they certainly don’t seem to want an Australian cyber security journalist to sign up.

The companies are never named outright. They’re usually listed as something like “Australian software company”, sometimes alongside data including annual turnover, what antivirus protection might be present, and how many machines might be on a given network. They’re often auctioned, though, in most cases, a “blitz” price is also offered, allowing someone with deep enough pockets to buy the access outright.

In one instance, a hacker by the name of DreadPirateRobert (good movie reference right there) was offering access to a women’s fashion brand with 156 stores around the country for $5,000.

“AUS Women fashion store with 156 physical store,” the post read, before listing more details of what exactly is on offer:

rev 110M$
Full access to network, 5 servers FTP/RDP, s3 buckets , VPN , more then 500GB Data include sql - contracts - Customers - sales
Sell full access for lockers or Data Dump --> ~5k USD

That last means the seller is offering access for a prospective hacker to either steal data wholesale or deploy a ransomware locker. Interestingly, this particular post was from an English-language clear net forum, which is definitely an exception to the norm.

Regardless, it’s worrying to see so much access to Australian networks being brokered about online.

Most of what we track in this report is based on open-source intelligence and watching the criminals and hackers themselves, but in two cases this month, we were made aware of an incident by the reporting of the company being hacked.

The Australian Human Resources Institute made its customers aware of a possible cyber attack earlier this month.

“In February 2024, an unauthorised person/s accessed the website via AHRI’s website provider and installed a script and malware on the AHRI website, which were active between 1 and 2 February 2024,” AHRI said in an email signed by chief executive Sarah McCann-Bartlett and sent to its customers.

The malware in question prompted visitors to the AHRI website to download a fake browser extension. No hacker or hacking group has taken responsibility for the hack.

In another case, mortgage lender Balmain admitted to falling victim to a cyber attack in late January, which saw some of its services impacted well into February, when it was first reported by The Financial Review. Again, we didn’t have much information on what data, if any, may have been impacted, and none of the usual actors are taking responsibility either.

The round-up

February has been far and away the quietest month since November, with just 29 observed incidents affecting Australian organisations – and even then, some of them were very small beer indeed, affecting just a handful of people.

The disruption of LockBit, however briefly, has no doubt had an impact; with the exception of a lot of brokers actively selling access to Australian victims, it’s been relatively quiet across the board. Some of that may be due to February being the shortest month of the year, but it may also mean pro-Palestinian hacking groups are starting to feel a degree of conflict fatigue.

Again, we think the main takeaway from this month’s activity is that there really is no real perfect target profile when it comes to how hackers target their victims. Hacktivists looking to make a point are largely opportunistic, happily disrupting whatever exposed business they can find. Similarly, there’s no one sector that ransomware operators go after, either – all they care for is finding someone with exposed data to extort.

See you again at the end of next month. If you’ve suffered a ransomware attack, or any other form of cyber attack, please feel free to tell us your story – email [email protected] if you think there’s something we should be writing about.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.