The Australian Securities and Investment Commission (ASIC) recently suffered a cyber-attack that involved hackers targeting and infiltrating an Accellion server that stored documents associated with recent Australian credit licence applications.
The Australian Securities and Investment Commission (ASIC) said in a recent notification that it came to know about the unauthorised access of the Accellion server on 15th January, but found that information regarding credit licence forms or attachments were not stolen even though some of them may have been viewed by hackers.
“While the investigation is ongoing, it appears that there is some risk that some limited information may have been viewed by the threat actor. At this time ASIC has not seen evidence that any Australian credit licence application forms or any attachments were opened or downloaded,” ASIC said.
Stating that it has disabled all access to the affected server as a precaution and is making alternative arrangements to submit credit applications, ASIC said its IT team and cyber security advisers are at present undertaking a detailed forensic investigation and working to bring systems back online safely.
The unauthorised access involved hackers compromising a legacy File Transfer Appliance (FTA) software supplied by California-based Accellion which specialises in offering enterprise content firewall solutions to organisations worldwide. ASIC said it used the software to transfer files and attachments and according to Reuters, this is the same software used by the Reserve Bank of New Zealand which suffered a cyber-attack earlier this month.
Earlier this month, Accellion also announced in a press release that it was made aware of a P0 vulnerability in its legacy File Transfer Appliance (FTA) software that affected less than 50 customers and that it had released a security patch within 72 hours of being made aware about the flaw.
“While Accellion maintains tight security standards for its legacy FTA product, we strongly encourage our customers to update to kiteworks, the modern enterprise content firewall platform, for the highest level of security and confidence,” the company said. It is not known whether ASIC had applied the security update before the unauthorised intrusion took place.
According to Accellion, its enterprise mobile solutions, including the flagship kiteworks mobile file sharing and collaboration solution, are used by government agencies worldwide which include the US Securities and Exchange Commission, NASA, the NHS, London Fire Brigade, London Borough of Camden, City of Toronto, County of Sacramento, Government of South Australia ICT, and the California Office of Statewide Health Planning & Development.
The cyber-attack on ASIC took place not long after Australian Prime Minister Scott Morrison announced that “a sophisticated state-based cyber actor” was targeting a large number of Australian organisations, be it essential service providers, political organisations, or operators of other critical infrastructure.
According to the Australian Cyber Security Centre, the state-sponsored cyber actor behind the ongoing cyber-attacks has been leveraging public exploit proof-of-concepts to target networks of interest and is also exploiting public-facing infrastructure through the use of remote code execution vulnerability in unpatched versions of Telerik UI.
“The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations,” ACSC added.
Commenting on the unauthorised intrusion suffered by ASIC, Niamh Muldoon, Global data protection officer at OneLogin, said that the breach highlights the importance of having an appropriate access control mechanism in place for all data and associated data files.
“An appropriate access control mechanism should protect data and data files from unauthorised access and ensure authorised access is specific to the individual’s role based on the least privileged model. Moreover, all actions to the data files should be accounted for with monitoring and alerting applied to high-risk action execution,” Muldoon added.
Javvad Malik, security awareness advocate at KnowBe4, said the breach is a good reminder that all organisations need to have good monitoring and threat detection controls in place so that any intrusion can be quickly detected and responded to.
“Having strong security controls is not optional for any organisation, regardless of size, vertical, or type of data. If any system is accessible, it will be targeted. Therefore, it’s important that cybersecurity is embedded within the culture of an organisation through all systems, processes, and employees,” he added.