Status: Alert not Alarmed
TL;DR
Implement multi-factor authentication.
Medibank Update
According to the Australian government, Medibank did not have basic security settings active when the Medibank breach took place. They did not have multi-factor authentication in place.
Snowflake and Australia
The Ticketmaster and Ticketek breaches, both of which impacted Australian citizens, were a result of the ongoing Snowflake situation. Mandiant and Snowflake have provided comprehensive coverage of the situation.
One good tip: make sure you have multi-factor authentication active on your accounts, and also understand your human-digital threat landscape exposure, i.e., which accounts are compromised and which credentials have been leaked.
Infostealers are a menace and will continue to be, due to their low cost and high returns for cyber criminals.
Tom Morris X Hack
On 10 June 2024, at around 3am AEST, Tom Morris, the head AFL reporter for Channel 9, had his X account hacked. Initially the account was pushing a crypto scam, but it then evolved into posting more malicious content that went beyond a generic crypto scam.
It had more of the hallmarks of a malicious act by someone trying to personally target the user rather than a crypto scam. Eventually Tom Morris was able to regain his account, but it is another good reminder to have multi-factor authentication on all your accounts. Social media accounts are valuable to threat actors and to their owners alike; protecting them with multi-factor authentication can help avoid these situations.
Hacktivist Activity - 8 Victims
May 28 - Australia
Zenimous Crew defaced TAOC, an Australian website.
2 June - Australia
Ethersec Team Cyber defaced elico, an Australian website.
3 June - Australia
Rippersec claimed to have breached an operating system belonging to Somerset Australia (the second time they have posted them).
4 June - Australia
Sulawesi Cyber Team defaced an Australian website.
5 June - Australia
Anonymous Central Russia posted several databases of Australian government and private organizations. Some had been leaked in the past, so this may be old, collated data.
6 June - Australia
Rippersec attempted to DDoS one of Services Australia’s subdomains.
24 June - Australia
Rippersec defaced an Australian website.
Ransomware - 7 Victims (6 Australian and 1 New Zealand)
June 24 - Australia
Medusa posted North Coast Petroleum to their leak site.
June 16 - Australia
Hunters International posted Legrand CRM to their leak site.
June 16 - Australia
Medusa posted Victoria Racing Club to their leak site. The full data was posted to Telegram and their leak site on 26 June.
June 6 - Australia
Akira posted Panasonic Australia to their leak site.
June 4 - Australia
BianLian posted Northern Minerals Limited to their leak site (add Tweet with extra details)
June 2 - New Zealand
Lockbit posted Smith & Caughey’s to their leak site.
May 28 - Australia
Akira posted Brett Slater Solicitors to their leak site.
Underground posts/mentions of Note
June 20 - Australia
Aussolarco data was posted to a Telegram account for sale. It was claimed to be from May 2024, but no evidence was provided.
June 20 - Australia
TEG data was posted for sale; TEG is the parent company of Ticketek. The actor who posted the data was responsible for several other Snowflake-related attacks.
June 17 - Australia
Victorian Freight Specialists data was posted online.
June 3 - Australia
A list of email addresses for South Australian education staff and possibly students was shared online.
For regular updates or for more information: https://twitter.com/Cyberknow20