Logistics company Toll Holdings are one of Australia’s corporate champions, with freight, logistics, and business services available across the country. Two independent attacks on Toll networks in 2020 underscore the growing importance of IT security measures, and they act as a cautionary tale to organisations of all sizes. Both of these attacks had a similar focus – phishing and password spray attacks combined with data theft and ransom demands.

The first attack took place in January, with hackers locking Toll’s computer systems and attempting to extort a ransom. After being infiltrated with the ‘Mailto’ ransomware on 31 January, Toll were “unable to do anything” for two weeks according to Toll chairman John Mullen [2]. While Toll did not disclose the exact attack vector, access was gained through employee contact rather than a direct breach.

According to Mr. Mullen, “It is an element of human behaviour that creates these entry points … people somehow get access to a master password, whether it’s via guile or whether it’s through criminal activity or bribing.” This attack highlights the growing importance of comprehensive and integrated security solutions, the need for staff vetting, training and education, as well as infrastructure and software updates.

In a bad year for the company, a second attack took place in May [3]. It was a data theft attack involving another ransomware program known as “Nefilim.” While this unrelated hacking attempt was less serious than the first and involved no operational data extraction, its timing was a disaster for Toll. A number of Toll customers had already signed temporary agreements with rivals following the first attack, and more jumped ship due to a growing perception that the company had not been quick enough to act on the lessons of the first attack.

While no operational data was extracted according to Toll, the attacker hacked at least one corporate server and accessed information about past and present Toll employees. Along with personal staff information such as residential addresses and payroll data, commercial agreements were also unlocked by the hackers. One of Australia’s largest companies was compromised twice through soft entry points, with employees and authentication acting as weak links in the security chain.

In a scary echo of the Toll attacks, in early June 2020, drinks company Lion also had their systems compromised [4] as a result of a ransomware attack.

Key Learning
Your people are often the weakest link in the security chain. Up-to-date training about the types of cyberattack and the methods used by criminals is essential for all organisations. Both the Toll incidents and the Lion attack came after senior IT staff had left the respective businesses. Organisations need to ensure cybersecurity IP stays within the business even when key staff depart.

A recent cyberattack on GitHub has helped to further highlight the need for a robust and flexible security stance. GitHub is a large software development platform, hosting and managing thousands of pages of code for developers around the world. From edgy open source projects to business applications and commercial projects, GitHub is responsible for storing much of the world’s computer code.

Despite the obvious technical sophistication of this platform, GitHub experienced the largest Distributed Denial of Service (DDoS) attack ever recorded in 2018. DDoS [5] involves a malicious attempt to disrupt a targeted server, service, or network with a flood of unwanted traffic. By simply overwhelming the target or its surrounding infrastructure, an attacker can deny service and bring a network to its knees. The first portion of the GitHub attack [6] peaked at 1.35 Tbps and the second spike reached 400 Gbps, making it the biggest DDoS attack on record and easily beating the previous record of 1.1 Tbps.

The attack amplified traffic by abusing UDP-based memcached, a tool designed to cache data and reduce strain on heavier data stores. While this tool is supposed to run only on private networks, because it has no authentication measures, there are currently 50,000 known vulnerable systems exposing it according to Akamai [7].

When a system receives a memcached “get” request, it forms a response by collecting the requested values from memory and sending them back in an uninterrupted stream. However, this protocol can also be used to launch attacks: an attacker implants a large payload on an exposed memcached server and then sends “get” requests whose source IP is spoofed to the target’s address, so the server’s large responses are delivered to the victim. Used this way, a short request to an exposed server can result in a huge amount of traffic and service denial.
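As an added example (not from the article, GitHub or Akamai), here is the detection logic a defender could run over flow records to spot a memcached server reflecting amplified UDP responses toward a spoofed address; the flow line format, the hosts and the threshold are constructed assumptions, not values from the article:

```python
from collections import defaultdict

MEMCACHED_UDP_PORT = 11211
# Response/request byte ratio treated as reflection (assumed value; tune to your traffic).
AMPLIFICATION_THRESHOLD = 50

# Constructed flow records (not real data): proto src dst sport dport bytes.
# 10.0.0.20 is the memcached host; 203.0.113.9 stands in for a spoofed victim address.
SAMPLE_FLOWS = """\
udp 10.0.0.5 10.0.0.20 40000 11211 60
udp 10.0.0.20 10.0.0.5 11211 40000 900
udp 203.0.113.9 10.0.0.20 33333 11211 45
udp 10.0.0.20 203.0.113.9 11211 33333 1400
udp 10.0.0.20 203.0.113.9 11211 33333 1400
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts, skipping malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        proto, src, dst, sport, dport, nbytes = parts
        flows.append({"proto": proto, "src": src, "dst": dst,
                      "sport": int(sport), "dport": int(dport), "bytes": int(nbytes)})
    return flows

def amplification_by_pair(flows):
    """Sum UDP/11211 bytes per (server, client) as (request_bytes, response_bytes)."""
    stats = defaultdict(lambda: [0, 0])
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == MEMCACHED_UDP_PORT:    # request into server
            stats[(f["dst"], f["src"])][0] += f["bytes"]
        elif f["proto"] == "udp" and f["sport"] == MEMCACHED_UDP_PORT:  # response out of server
            stats[(f["src"], f["dst"])][1] += f["bytes"]
    return {pair: tuple(v) for pair, v in stats.items()}

def suspected_reflection(flows, threshold=AMPLIFICATION_THRESHOLD):
    """Return {(server, client): ratio} for pairs whose ratio meets the threshold."""
    hits = {}
    for pair, (req, resp) in amplification_by_pair(flows).items():
        ratio = resp / req if req else float("inf")  # responses with no matching request
        if ratio >= threshold:
            hits[pair] = round(ratio, 1)
    return hits

if __name__ == "__main__":
    for (server, client), ratio in suspected_reflection(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{server} reflecting toward {client}: {ratio}x amplification")
```

The legitimate client pair stays well under the threshold, while the pair built from the spoofed address shows a response volume dozens of times larger than the request that supposedly triggered it.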
Key Learning
The GitHub attack proves that attack vectors can come from anywhere. Isolated approaches to security simply don’t work – a robust security stance depends on continual analysis, detailed feedback, and ongoing iteration. Rather than patching a hole and walking away, security efforts need to focus on moving targets, identify weak points, and resolve multiple vulnerabilities based on specific threats and use-case scenarios.

One of Australia’s most prestigious educational institutions, the Australian National University (ANU), was involved in a large-scale cyberattack in 2019. This damaging attack came down to a single email, which emphasises the fact that security is only as strong as its weakest link. According to the ANU [8], there were up to 15 people involved in the incident.

The attack vector was both simple and complex: a single email sent to a senior staff member was used to gain a foothold and map the entire ANU network. The original email was never opened, but damage was still done. This type of attack is known as spearphishing, and this particularly sophisticated example worked without any clicking, downloading, or other user interaction. In order to prevent further attacks, the exact mechanisms of the intrusion have not been published by the ANU.

Once the hackers gained access to the senior staff member’s username, password, and calendar, they were able to map the university network and send out a targeted mailout to ten additional people. As more information was gathered, additional emails were sent, and the scope of the breach was broadened. What’s more, the initial attack was only discovered weeks later during a threat hunting exercise. This shows the importance of authentication measures and ongoing security management.

Key Learning
It is vital that security software is kept up to date and all the latest patches applied. Further, Multi-Factor Authentication (MFA) systems add an extra layer of security over and above a simple username and password, which helps to blunt spearphishing attacks.

The high-profile intrusions listed above highlight the growing importance of cybersecurity measures, and you need a comprehensive security framework to safeguard your critical and sensitive data and operational resources. If you would like to learn more, please contact Nexon for a free, no-obligation consultation. You can call us on 1300 800 000 or email to start the conversation.