Apologies are required to start this update: we said we would post this fortnightly and we have dropped the ball on that. We will aim to maintain a two-week cadence from here.
This update therefore covers 14th August until 2nd October 2023.
If you read anything below that you would like to know more about, please reach out and we will either get you the answers or someone who can provide them. The whole aim of this newsletter is to capture what the cyber threat landscape looks like for Australia - we share a mix of publicly presented information and some insights from underground forums.
Ransomware
Eleven different ransomware/extortion gangs and 17 Australian victims in 49 days.
August 14
Medusa ransomware gang posted CB Energy to their leak site.
The group has now posted all the stolen data to their leak site.
August 18
NoEscape ransomware gang posted Contact 121 to their leak site.
Contact 121 is no longer on the NoEscape leak site; they may have paid to have it removed.
August 18
Play ransomware gang posted DSA Law to their leak site.
Not as high-profile as HWL legal, which continues to grab national headlines, but the data would still likely be sensitive. Law firms will continue to be a popular target because of the client data they handle.
August 18
NoEscape ransomware gang posted AuDA to their leak site. This turned out to be incorrect, as we noted the first time we saw it posted; there were several inaccuracies. See this thread for further information: https://twitter.com/Cyberknow20/status/1692425539808788718
August 22
Lockbit ransomware gang posted APD Parcel Delivery to its leak site.
The largest parcel delivery service in South Australia.
August 31
AlphV ransomware gang posted Tisher Liner FC Law to their leak site. As mentioned above, law firms are, and will continue to be, a popular target for opportunistic cyber criminals.
September 2
Lockbit posted Seasons Darling Harbour Sydney to their leak site; they have posted all available data.
September 2
AlphV ransomware gang posted Barry Plant to their leak site.
All data was posted on the same night as the national Barry Plant awards night; very likely not intentional, but unfortunate timing.
September 2
AlphV ransomware gang posted Tissupath to their leak site. They have posted all the data; medical data remains a highly sensitive and popular data set for cyber criminals to leak.
September 2
AlphV ransomware gang posted Strata Plan to their leak site, releasing the entire 1.4 TB of data.
September 5
Cactus ransomware gang posted Mineman Systems to their leak site.
September 6
Akira ransomware gang posted Energy One Limited in the ‘news’ section of their leak site; as of the time of reporting, they have not added them to their victim list.
September 6
RansomedVC posted Platinum Hall Management Solutions to their Twitter account. Notably, a growing number of threat actors are operating directly on Twitter.
September 6
Trigona ransomware gang posted Cazalys Cairns to their leak site. The data has now been sold; it is unclear whether the buyer was the victim organization or someone else.
September 10
Rhysida posted Core Desktop to their leak site. The company provides managed solutions to move customers onto the cloud.
September 12
Cloak ransomware gang posted an unnamed Australian company whose name starts with B, which they say they will reveal 4 days from the time this report was posted.
September 19
Cactus ransomware gang posted Peacock Bros, the ANZ region’s largest provider of data management and printing solutions.
September 21
Cactus ransomware gang posted DM Civil, one of Australia’s leading civil contracting companies.
This diverse list of threat actors and victims highlights the opportunistic and prolific nature of ransomware and extortion activities and really reiterates that Australian organizations will continue to be of interest.
Underground posts/mentions of note
September 3
The most notable event that took place recently was the posting of Dymocks customer data to Breach Forums.
This was originally posted with little fanfare until someone confirmed it was Dymocks data. It has been covered in the Australian media since then: https://www.abc.net.au/news/2023-09-15/dymocks-confirms-1-million-customers-details-leaked/102863820
September 8
A more concerning post on Exploit on 8th September was the sale of access to an Australian organization with a revenue of around $2.4 billion AUD in 2022. This is a large organization, and only a small handful of Australian companies fit that revenue description.
Initial access brokers offering network access are not a uniquely Australian problem; they are a growing challenge across the entire threat landscape.
September 20
It was reported that Pizza Hut Australia had suffered a data breach. The news was actually broken by Pizza Hut themselves, after a group claiming to be ShinyHunters (and very likely not them) failed at an extortion attempt.
If you have any additional insights or questions, please reach out to: