MEDIA RELEASE - NZITF | Bad actors trying to capitalise on CrowdStrike outage

Scammers and other bad actors are always on the lookout for new lures to improve the effectiveness of their campaigns. The global outage caused by the faulty CrowdStrike update is no different: although widespread campaigns have not yet been seen in the wake of the outage, numerous domains are being registered that look similar to CrowdStrike's.

It's important to remember the basic guidance that many of us have heard before:

  • always check whether a communication (email, text or call) is from a legitimate source. If you’re not sure, reach out through a different channel, for example by looking up the phone number on the official website

  • IT experts are working hard to apply the fix for this issue. They will be using formal channels to communicate directly with CrowdStrike.

  • follow the instructions of your trusted IT support person; it is fine to check they are legitimate before discussing anything with them.

This isn’t an issue the general public needs to resolve, so any emails received by ordinary citizens claiming to be from or about CrowdStrike should be treated with caution.

Members of the public should instead seek updates from the source of truth, for example publicly announced updates from companies on their official websites and verified social media accounts. Do not rely on updates pushed to you, as these could be scams.

ACSC has a simple advisory for Australian businesses and the public: https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/widespread-outages-relating-crowdstrike-software-update

IT specialists have access to lists of domains that can be blocked, although keeping those lists current is an ongoing whack-a-mole task. CrowdStrike has published a number of domains on its blog:

https://www.crowdstrike.com/blog/falcon-sensor-issue-use-to-target-crowdstrike-customers/

Or for technical specialists:

https://github.com/jkerai1/SoftwareCertificates/blob/main/Bulk-IOCɮCSVs/Crowdstrike%20MDE%20IOC%20-%20Impersonation%20of%20crowdstrike%20over%20global%20outages.csv
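Blocklists like the ones linked above are produced by triaging newly registered domains for resemblance to a brand. As an added example (not NZITF's or CrowdStrike's code), the following Python scores domain names for impersonation of a brand label: it folds common typosquat tricks, measures edit distance to the brand, and catches the brand used as a subdomain. The multi-label suffix set, the homoglyph table and every domain in the sample list are assumptions constructed for this illustration; reserved .example names and the placeholder label "example" are used so that no real registration is implied.

```python
"""Triage candidate domains for brand impersonation (added example, not NZITF/CrowdStrike code)."""
from typing import Optional

# Assumption: a real tool would consult the Public Suffix List; this small set is
# enough to make "foo.co.nz" yield the registrable label "foo" instead of "co".
MULTI_LABEL_SUFFIXES = {"co.nz", "org.nz", "govt.nz", "ac.nz", "com.au", "co.uk"}

# Character swaps commonly used in typosquats (constructed table, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})


def split_domain(domain: str) -> tuple[list[str], str, str]:
    """Return (subdomain labels, registrable label, public suffix) for a domain name."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return labels[:-n], labels[-n], ".".join(labels[-n + 1:])


def fold(label: str) -> str:
    """Normalise a label so that 'cr0wd-strike' compares as 'crowdstrike'."""
    return label.translate(HOMOGLYPHS).replace("-", "").replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, iterative dynamic programming over two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str = "crowdstrike", max_distance: int = 2) -> Optional[str]:
    """Return why a domain looks like an impersonation of `brand`, or None if it does not.

    An exact brand label returns None on the assumption that the brand's own domains
    are handled by an allow-list maintained separately.
    """
    subdomains, label, _suffix = split_domain(domain)
    if label == brand:
        return None
    folded = fold(label)
    if brand in folded:
        return "contains brand"
    if edit_distance(folded, brand) <= max_distance:
        return "near-miss spelling"
    if any(brand in fold(s) for s in subdomains):
        return "brand as subdomain"
    return None


def build_blocklist(domains: list[str], brand: str = "crowdstrike") -> list[tuple[str, str]]:
    """Return sorted (domain, reason) pairs for every domain that classify() flags."""
    flagged = []
    for d in domains:
        reason = classify(d, brand)
        if reason:
            flagged.append((d.lower(), reason))
    return sorted(flagged)


# Constructed sample input: reserved .example names invented for this illustration.
SAMPLE_DOMAINS = [
    "crowdstrike.example",             # exact brand label: left to the allow-list
    "crowdstrike-support.example",
    "cr0wd-strike.example",
    "crowdstrlke.example",
    "cloudstrike.example",
    "crowdstrike.fix-portal.example",
    "crowdstrike.example.co.nz",       # exercises the multi-label suffix handling
    "microsoft.example",
]

if __name__ == "__main__":
    for domain, reason in build_blocklist(SAMPLE_DOMAINS):
        print(f"{domain}\t{reason}")
```

The output is triage, not proof: run it against an allow-list of the vendor's legitimate domains before blocking anything, and expect to re-run it as new registrations appear, which is the whack-a-mole the release refers to.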

ENDS

The New Zealand Internet Task Force (NZITF) is a non-profit organisation with the mission of improving the cyber security posture of New Zealand. Our members are IT security professionals who work together through trusted forums to make the Internet safer for all New Zealanders.

Please send NZITF Media Requests to media@nzitf.org.nz. A PDF version of this post is available here.

MEDIA RELEASE - NZITF | CrowdStrike outage shows New Zealand's critical technology dependencies

The New Zealand Internet Task Force is tonight reminding people that the basics are what keep our online lives safe, after the wide-scale CrowdStrike outage impacted services nationally and internationally.

“While there is no indication that there is anything malicious behind the outages that Kiwis are experiencing to services tonight, it’s a solid reminder that our lives are firmly intertwined with online services” says Tandi McCarthy, New Zealand Internet Task Force spokesperson.

The outage is the result of an update to CrowdStrike Falcon, security software that protects systems from viruses and other threats. Affected organisations and their IT specialists should make sure that they are connected with CrowdStrike through the formal support channels to receive the correct fix and guidance.

“It’s scary how business as usual changes can take whole systems offline. We are seeing the wide scale and potentially physically harmful effects that a big outage can have. Our peers in Australia and further afield are seeing outages impact healthcare and transport, among other industries.

“There is a fix in place from CrowdStrike, but it’ll take time for organisations to work through and implement it and this will be different for every organisation. People are going to be working really hard, and likely throughout the night and weekend, to get this sorted.”

Incidents like this are a reminder that organisations should understand and document their dependencies on systems and how to get help when something goes wrong. 

ENDS

Please send NZITF Media Requests to media@nzitf.org.nz. PDF version available here.


Cyber hygiene more important than ever - NZITF

Media release - 31 August 2020

With the COVID-19 pandemic irrevocably changing people’s work environments, the New Zealand Internet Task Force (NZITF) is reminding businesses to double-check that IT and remote working systems are safe from outside interference.

Cyber criminals are known for exploiting online trends to compromise networks. The shift to working from home brought about by COVID-19 is an example of a trend coming at a time when businesses may have taken their eye off the cyber-defence ball due to the pandemic.

NZITF spokesperson Barry Brailey says many firms had to rush to set up remote working before the nationwide March & April lockdown. While remote work has many benefits, it presents information security challenges such as having to access and send data over public internet connections.

"It's likely that, for some businesses, not as much attention was paid to cyber security. Now is the time to check your remote working security set-ups - especially if they hadn't been in place before March and were only engineered as a temporary solution.

"Make sure you have strong passwords for staff to access devices. Use a VPN to connect staff to your internal network. Protect your VPN connection and access to other services and applications with multifactor authentication (MFA). Keep company data on company devices. Formalise working from home and remote work policies and solutions, if you haven't already," he says.  

Barry recommends that New Zealand businesses familiarise themselves with CERT NZ's top 10 list of cyber security controls. These can be found here and include patching software, using MFA, disabling unused services, backing up data, running only approved applications, and logging network activity. Now is a really good time to just make sure you are doing the cyber security basics. CERT NZ’s list is a great place to start.   

NZITF Chair Terry MacDonald says most individual NZITF members and several corporate members played a key behind-the-scenes role as essential workers during lockdown earlier this year and more recently with Auckland at Level 3.  

"We're proud that our membership rose to the challenge of keeping our telecommunications, internet and other necessary information technology services running, for the wider benefit of New Zealand.

"The pandemic will end eventually and the NZITF and information security community will be able to come together in person again. But until then, we want to express our gratitude to the membership virtually," he says.

For more information contact:

Barry Brailey
Spokesperson, NZITF
barry.brailey[at]nzitf.org.nz

NZITF signs on as Cyber Smart supporting partner

Expect to hear a lot more about cyber security next week. National Cyber Smart Week runs between 14 - 18 October and for the third consecutive year NZITF has signed on as an official supporting partner. 

Cyber Smart Week is organised and run by the government’s computer emergency response team CERT NZ. The week of activity is designed to raise awareness about the ways that people and businesses can protect themselves online.

This year, New Zealanders are being encouraged to take control of their online identity by using a password manager, turning on two-factor authentication, updating their devices, checking their devices and reporting any online security incidents.

NZITF Chair Terry MacDonald says Cyber Smart Week is important in helping lift the public's understanding of the impacts and implications of cyber security breaches.

Knowing how to stay secure online is more important than ever in today's all-digital era where sensitive and personally identifiable information is available online across multiple devices, he says.  

“But the good news is that the more difficult it is to access information about you, the less likely it is that a cyber-attack will affect you. 

"Messaging for Cyber Smart Week revolves around several strong preventative calls to action. NZITF encourages all New Zealanders to check out CERT NZ's tips here and take the time to set up a password manager, turn on two-factor authentication, update their devices' security software and review their online privacy settings.”   

Find out more about how to protect yourself online this Cyber Smart Week at:
https://www.cert.govt.nz/cybersmart

Terry MacDonald
New Zealand Internet Task Force inducted into iSANZ Hall of Fame

The New Zealand Internet Task Force (NZITF) is pleased to announce that it has been named and acknowledged as the iSANZ Hall of Fame inductee for 2018.

This special, nominated honour is bestowed annually at the iSANZ Information Security Awards. It recognises a person, event or company who has made a significant contribution to the wider information security community.

On hand last week to receive the Hall of Fame Award were NZITF Chair Barry Brailey and past Task Force Chairs Mike Seddon and Paul McKitrick.

Brailey says NZITF and its members are honoured to be recognised with the Hall of Fame Award. The accolade reflects 10 years of hard work by Task Force members in improving the cyber security posture of New Zealand.

Since its inception, the Task Force has grown to include approximately 370 members, including individuals with operational roles in cybersecurity from government agencies, law enforcement, corporate enterprise, banking, telecommunications and internet providers, and academia.

NZITF’s membership-based structure, where dialogue and collaborative efforts are undertaken in a trusted, confidential fashion, is key to its success, says Brailey.

“The individuals and organisations involved in the NZITF contribute immensely to the safety and security of New Zealanders online, and it’s a pleasure to see their commitment and dedication recognised at the national level.”

Commenting on NZITF’s inclusion into the Hall of Fame, the iSANZ Board noted that NZITF has made substantial contributions to cybersecurity training, outreach and information sharing - including consulting with Government on cyber security, running public response activities and developing coordinated disclosure guidelines that have now been adopted by many major enterprises and government agencies.

Previous iSANZ Hall of Fame inductees include University of Auckland computer security researcher Dr Peter Gutmann, non-profit online safety organisation NetSafe and cybersecurity networking body the 1st Tuesday Forum.

Terry MacDonald
NZITF backs Cyber Smart Week awareness campaign

For the second year running, the New Zealand Internet Task Force (NZITF) is lending its support as an official supporting partner of Cyber Smart Week.

Cyber Smart Week is organised and run by the government’s computer emergency response team CERT NZ. This year, the campaign runs between 8 - 12 October.

NZITF Chair Barry Brailey says most people use the Internet on a daily basis, connecting through smartphones, tablets, laptops and desktop computers. Most consider the Internet a safe environment, but it’s only as safe as you make it.

“Cyber security is a complex, multifaceted and always-changing area. Cyberattacks, hacks and security breaches happen regularly and are no longer an exception.” User behaviour matters, he says.

“It’s not always easy communicating how people can stay safe and secure online. CERT NZ has done an excellent job of reducing the complexity of cyber security into clear and easy-to-explain messages, visual aids and calls to action.”

Among the week’s campaign tips are to create unique passwords for your online accounts, add two-factor authentication to your logins, update your apps, and check how much of your online self you’re sharing (and who with).

NZITF is right behind Cyber Smart Week. It has an important role to play in raising broader public awareness of cyber security, and changing attitudes and online safety / security behaviours.

Find out more about how to protect yourself online this Cyber Smart Week at:
https://www.cert.govt.nz/cybersmart

Terry MacDonald
NZITF supports CERT NZ’s business website campaign

NZITF has lent its support to CERT NZ's latest awareness campaign - being run this week between 30 July and 3 August.

The campaign - called 'Get Cyber Smart' - focuses on business websites. NZITF is one of over 30 supporting partners.

NZITF Chair Barry Brailey says websites are a digital shop window and important customer channel for most businesses. Unfortunately, they're also a target for hackers.

"Poor or non-existent website security threatens your accessibility, brand and reputation. You're not too small to be noticed by hackers and your website is not invulnerable."

It's important as a business owner to take preventative action, he says.

"We encourage all businesses to step up their website security by following CERT NZ's advice and guidance. This includes creating a security plan, using https, running regular backups, managing your passwords carefully and keeping all computers and mobile devices free from malware."

CERT NZ's tips, guides and advice for business websites can be found at cert.govt.nz and twitter.com/certnz.

Terry MacDonald
Cyber Smart Week 2017 begins

This week is National Cyber Smart Week. Organised by CERT NZ and Connect Smart, the week counts the New Zealand Internet Task Force among its official supporting partners.

Cyber Smart Week aims to help people and businesses improve their cyber security. During the week, a variety of messages will promote four simple steps you can take, at home and at work, for instantly better online protection.

The four steps being promoted during Cyber Smart Week are:

Change your password - Make your passwords long and strong, and have a unique password for each of your online accounts.

Set two forms of identification - Two-factor authentication is like having a second lock for your front door. It's often a password and something else - for example, a code.

Check your privacy settings - Set your privacy settings so only friends and family can see what you post on social media.

Update your operating system - Keeping your OS up-to-date is a really good way to defend against bugs and viruses.

Doing one of these things will help keep your data safe. Doing more than one will help even more.

For more information about Cyber Smart Week, visit cert.govt.nz/cybersmart

Terry MacDonald
NZITF partners with Cyber Smart Week 2017

The New Zealand Internet Task Force (NZITF) has signed up as an official partner of Cyber Smart Week - a nationwide cyber security awareness campaign being run during the last week of November.

Cyber Smart Week has been organised by New Zealand Government agencies CERT NZ and Connect Smart and will run from Monday 27 November to Friday 1 December 2017.

The theme of the week is ‘Just do one thing’. Cyber Smart Week revolves around four easy steps that anyone can follow that are quick, simple, and will improve online safety for individuals, business - their staff and customers:

  • Use different passwords for different accounts

  • Turn on two-factor authentication

  • Make sure operating systems are up-to-date

  • Check your privacy settings so you know who can see what

The Cyber Smart Week website can be found at cert.govt.nz/cybersmart. It has a range of useful cyber awareness advice, and campaign material for businesses and organisations wanting to get involved in Cyber Smart Week.

NZITF Chair Barry Brailey says NZITF is pleased to be supporting Cyber Smart Week.

“Cyber security is a shared responsibility, and awareness campaigns like Cyber Smart Week help increase people’s understanding of cyber threats and empower New Zealanders to be safer and more secure online.”

Terry MacDonald
Ransomware events a reminder to get serious about security

In recent months, two headline-grabbing cyber attacks targeting enterprise and corporate networks radiated quickly across the globe. NZITF wants to take this opportunity to remind New Zealand businesses to practice good cyber security to reduce the risk of being compromised.

In May, a large coordinated attack called WannaCry spread to over 150 countries. Over 300,000 computers were infected. In late-June, an attack known as Petya (a.k.a. NotPetya or GoldenEye) was unleashed with similar global ripple effects.

WannaCry and Petya / NotPetya exploited vulnerabilities in Windows-based computer systems in what is known as a ransomware attack. Ransomware is a form of malicious software that infects a computer, encrypts the data the computer has access to, and withholds that data until a ransom is paid to unlock it.

WannaCry affected many organisations including the UK’s National Health Service, Spain’s Telefónica, FedEx and Deutsche Bahn, alongside countless smaller organisations in many other countries. New Zealand was comparatively unaffected, with only a small number of WannaCry infections reported.

Petya / NotPetya also largely missed New Zealand. However, several organisations with international links or the local arms of such companies did take precautions. These included Maersk shipping in New Zealand and Ports of Auckland.

While theories swirl regarding the motivation behind and attribution of WannaCry and Petya / NotPetya, they illustrated a lack of preparation on the part of several large corporates.

Ransomware is nothing new, but in the last three years ransomware attacks have grown in number and sophistication. As part of the global internet community New Zealand companies and internet users have not been immune.

While there is more yet to learn about the architecture and mechanics of WannaCry and Petya / NotPetya, there are some simple practical actions you should take to lessen your chances of being affected.

Take care with your email

Ransomware infections often spread through email, so the most important thing you can do is take care with your email. Don’t open unexpected attachments or click on links in suspicious emails.

Install the latest patches & security updates

Unpatched computers are more likely to be infected, so you should install all the patches and updates Microsoft has released for the vulnerabilities that WannaCry and Petya / NotPetya exploit. If you’re running the latest version of Windows, this will happen automatically, provided you have automatic updates turned on.

Backup your data regularly

You should regularly backup your data and make sure you have offline backups. That way, if you are infected with ransomware, it can’t encrypt your backups.

What do you do if you get infected?

If you are infected you should resist the temptation to pay the ransom. People undertaking ransomware attacks are invariably linked to criminal networks; by paying you are funding organised crime and encouraging further ransomware attacks. Instead, seek help from CERT NZ and/or a reputable cybersecurity firm.

Finally, it’s important to know that ransomware is just one part of the cyber attack threat environment. Cyber attack takes many forms – from viruses and worms, to denial-of-service and phishing; from social engineering to invoice fraud.

The message from WannaCry and Petya / NotPetya is clear. All organisations are in the firing line and New Zealand must remain vigilant. Safe and hygienic cybersecurity is more important than ever – it can make all the difference.

Terry MacDonald
NZITF welcomes launch of CERT NZ

The New Zealand Internet Task Force (NZITF) welcomes the Government’s launch of a dedicated Computer Emergency Response Team (CERT) for New Zealand.

Newly-established CERT NZ opened its doors in early April. Its role includes incident response and triage, situational awareness, advice and outreach, international collaboration with other CERTs, and co-ordination of serious cyber incidents.

NZITF Chair Barry Brailey says CERT NZ has been a long time coming and will fulfill an important function in providing up-to-date information and advice to New Zealanders with cybersecurity concerns. Its focus is complementary to NZITF’s own, related mission to improve the cybersecurity posture of New Zealand.

“We look forward to enjoying a collaborative and cooperative working relationship with the team at CERT NZ. Our trusted community of InfoSec specialists from government, law enforcement, academia, IT and private sector industries stand ready to help CERT NZ achieve its goals.

“Unity of effort is important in an area as fast changing as cybersecurity. In the coming months we’ll be looking at how best we can help CERT NZ. Ultimately, the more collaborations there are, the better the outcomes for the thousands of individuals and businesses across New Zealand who live, work and play online.”

For the past several years, NZITF has been running a Coordinated Disclosure system. With Coordinated Disclosure, anybody who finds a vulnerability in a website or ICT system can report it to disclosure@nzitf.org.nz. This arrangement will continue for now, while CERT NZ establishes itself.

More information about NZITF’s Coordinated Disclosure system can be found at:
http://nzitf.org.nz/coordinated-disclosure/

Terry MacDonald
Email invoice fraud proves persistent

Email invoice fraud continues to be a problem affecting small and medium business in New Zealand. But there are some simple, practical actions you can take to reduce your risk.

This type of fraud happens via hacked email accounts, which are used to resend duplicate invoices that look just like the real thing. It works like this:

Hackers access a business’s Sent mail to find a recent customer invoice. They copy the invoice, but alter the payment bank account number. They then email the customer with the modified invoice and ask the customer to instead pay into the new, fraudulent account number. They may offer a dubious reason for the new payment bank account number, such as the original account is being “audited”.

Xero’s Head of Security, Paul Macpherson, says a number of businesses fell victim to this scam last year. Unfortunately, cases are still being reported.

“What we've had reported is mostly targeting the building industry. It's small numbers, but seems to be slowly increasing. We're getting about one report a week. Being the building industry, some of the invoices are for quite large amounts.”

Email invoice fraud is all the more insidious because it has two victims - the business whose email account is hacked, and the customer of the hacked business who receives and pays the fake invoice.

Macpherson says it’s important that all businesses involved in sending and / or paying invoices are hygienic with their accounting and do everything they can to secure their email accounts. The following preventative actions will help mitigate the threat.

Implement bulletproof accounting practices

Be scrupulous in verifying and paying invoices. This involves implementing clearly defined accounting practices.

Scrutinise and match suspicious bank account numbers against existing numbers in your accounting system. ‘Red flag’ and follow up any discrepancies. Treat the arrival of unexpected invoices with the utmost caution.

Verify over the phone any new payee information that you’ve been emailed - both when loading new payees and when making changes to existing payee information.

Educate & communicate

Make your staff aware of the issue. Look out for emails that ask for payment with new bank details. The best thing to do if this happens is pick up the phone to check the authenticity of the invoice you’ve received.

You may want to consider enforcing a policy that any change of bank account number on an invoice is validated through a non-email channel and by at least two of your supplier’s contacts.
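The controls above (compare the account on the invoice with the account on file, red-flag any discrepancy, and verify changes out of band) can be enforced in the accounts-payable workflow rather than left to memory. As an added example (not Xero's or NZITF's code), the following Python normalises New Zealand bank account numbers so that formatting differences do not hide a real change, then returns the reasons an invoice must be held for phone verification. The payee records, invoices and .example domains are constructed for the illustration.

```python
"""Flag invoices whose payment details differ from the payee record on file
(added example, not Xero's or NZITF's code; all records below are constructed)."""
import re
from dataclasses import dataclass
from typing import Optional

# NZ bank account numbers are bank(2) branch(4) account(7) suffix(2 or 3 digits), written
# with varying separators; the suffix is zero-padded so that "00" and "000" compare equal.
NZ_ACCOUNT = re.compile(r"^(\d{2})[-\s]?(\d{4})[-\s]?(\d{7})[-\s]?(\d{2,3})$")


def normalise_account(raw: str) -> Optional[str]:
    """Canonical BB-BBBB-AAAAAAA-SSS form, or None if the string is not an NZ account number."""
    m = NZ_ACCOUNT.match(raw.strip())
    if not m:
        return None
    bank, branch, account, suffix = m.groups()
    return f"{bank}-{branch}-{account}-{suffix.zfill(3)}"


@dataclass
class Invoice:
    invoice_id: str
    supplier: str
    sender: str     # From: address of the email that carried the invoice
    account: str    # bank account printed on the invoice
    amount: float


# Constructed payee master data: what the accounting system holds for each supplier.
PAYEES = {
    "Acme Joinery": {"account": "01-0123-0123456-00", "domain": "acmejoinery.example"},
    "Kiwi Roofing": {"account": "12-3456-0654321-000", "domain": "kiwiroofing.example"},
}


def check_invoice(inv: Invoice, payees: dict = PAYEES) -> list[str]:
    """Return the reasons an invoice must be verified out of band before payment (empty list = pay)."""
    on_file = payees.get(inv.supplier)
    if on_file is None:
        return ["unknown supplier: load the payee only after phone verification"]
    reasons = []
    acct = normalise_account(inv.account)
    if acct is None:
        reasons.append("account number on invoice is not a valid NZ account format")
    elif acct != normalise_account(on_file["account"]):
        reasons.append("bank account differs from the account on file: confirm by phone on a known number")
    sender_domain = inv.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != on_file["domain"]:
        reasons.append(f"sender domain {sender_domain!r} is not the supplier's known domain")
    return reasons


# Constructed invoices: the second reproduces the fraud described above, a duplicate sent from
# the supplier's genuine (compromised) mailbox with only the account number changed.
SAMPLE_INVOICES = [
    Invoice("INV-1001", "Acme Joinery", "accounts@acmejoinery.example", "01 0123 0123456 000", 4800.00),
    Invoice("INV-1001", "Acme Joinery", "accounts@acmejoinery.example", "06-0999-0987654-00", 4800.00),
    Invoice("INV-2002", "Kiwi Roofing", "accounts@kiwi-roofing.example", "12-3456-0654321-00", 15250.00),
]

if __name__ == "__main__":
    for inv in SAMPLE_INVOICES:
        reasons = check_invoice(inv)
        print(inv.invoice_id, "OK" if not reasons else "HOLD: " + "; ".join(reasons))
```

Note which check does the work: in the scenario described above the email really does come from the supplier's own mailbox, so the sender-domain check passes and only the account comparison catches the fraud. The hold is resolved by a phone call to a number already on file, never to one printed on the suspicious invoice.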

Secure your email account

Make sure the latest antivirus and security updates are installed on any computer or device you use to deal with invoices. Having a long, strong and unique email password is also vital.

Use an extra layer of security

If your email provider offers two-factor (2FA) or multi-factor (MFA) authentication, you should use it. 2FA/MFA provides another layer of security to prevent hacking. It significantly reduces the risk of your email being maliciously accessed and used to commit invoice fraud.

Quickly report if you’re affected

If you or one of your customers has paid into a fraudulent bank account, don’t panic. It’s important to contact the banks involved right away, making sure the issue is escalated to their fraud teams. Also advise the Police.

Your customer’s bank needs the details of the bank account the payment was made to so they can advise the receiving bank to put a hold on the money. Invoice fraud payments are typically made into the account of what Macpherson describes as a "money mule," who will withdraw the funds and send them offshore to the hacker.

For their part, Xero customers should additionally contact Xero if they’re targeted. Macpherson says the company has procedures in place with the fraud teams of New Zealand banks to notify them of accounts being used for fraud. This is useful even in cases where no payment is made to the fraudulent account, as banks are often able to identify the money mule.

The upshot is this. Sound email security, accounting hygiene and eagle-eyed vigilance by everybody along the invoice chain is key in avoiding the worst that can happen.

Three hundred years ago, Benjamin Franklin commented that ‘an ounce of prevention is worth a pound of cure’. The advice is worth heeding because nowhere is the adage truer than when it comes to email invoice fraud.

Terry MacDonald
NZITF response to Dropbox data breach

Four years ago, 68 million email addresses and hashed passwords were taken in a data breach at US file hosting service Dropbox. Only recently made public, the scale and nature of the breach has been of interest to the security community, including here at NZITF.

Importantly, NZITF members got a copy of the data that was breached to understand how New Zealand organisations were exposed and how corrective action can best be taken in future.

In addition to the normal operational efforts that NZITF members made to identify and contact the compromised Dropbox account holders in New Zealand, we examined the .nz parts of the dataset to try to understand how organisations here are using file-hosting services like Dropbox.

This blog post sets out what we found.

Many New Zealand organisations use Dropbox

It was difficult to establish how many New Zealand accounts were compromised, because addresses at webmail providers such as Gmail, Yahoo or Hotmail cannot be attributed to a country. What we were able to do was sort the data for email addresses ending in .nz, e.g. yourname@work.co.nz or name.lastname@agency.govt.nz. There were 120,100 such accounts. Put another way, a little over 2 percent of the New Zealand population had a Dropbox account registered to a .nz email address.

The use of Dropbox by New Zealand organisations may amount to shadow IT

We considered whether or not the use of Dropbox by the compromised New Zealand accounts was shadow IT – where IT solutions are used without organisational approval – and, if so, what kind of corporate information was sitting in unauthorised Dropbox accounts.

It was important to approach this carefully, because Dropbox does not, in and of itself, equal shadow IT. In fact, many organisations make business decisions to use Dropbox, OneDrive or Google Drive for back-ups, document sharing or working overseas.

Nevertheless, we were confident that a number of the organisations whose employees had Dropbox accounts linked to their work email address were bona-fide examples of shadow IT. It was clear from looking at the .govt.nz accounts involved in the breach how many organisations have Dropbox in their systems potentially without official IT sanction – especially given Dropbox is not an approved cloud software solution for New Zealand government IT departments.

Looking at the .nz names involved, we found that:

  • 9,600+ were from .ac.nz (academic institutions)

  • 4,200+ from school.nz

  • 1,400+ from vodafone.co.nz (most likely dominated by customer email accounts)

  • approx. 2,500 accounts were from .govt.nz domains

Of notable interest is that, apart from the roughly 2,500 .govt.nz accounts, most of the names were probably not examples of shadow IT. .ac.nz, for example, is likely to include a large number of students and teaching assistants with university email addresses, and it isn’t a surprise that they would use Dropbox. With the Vodafone accounts, it’s reasonable to assume these are customers using their ISP-issued email account for Dropbox.

CERT-NZ is expected to bring leadership & coordination around Dropbox-style data breaches

The news about the Dropbox data breach underscores the valuable role that the incoming CERT-NZ is expected to play.

As a trust-based membership organisation, NZITF has security professionals across New Zealand, but members aren’t spread evenly across the country. This means that there will inevitably be some organisations on data breach lists like the Dropbox list that we don't know or have a relationship with. A nationally recognised leader in CERT-NZ will bring resource and name recognition in contacting those organisations as well as running national coordination for breach notifications.

Data breaches like Dropbox are a reminder that the role of the incoming CERT-NZ will also involve coordinating and mitigating breaches in the government sector. Organisations with .govt.nz domain names include local councils, crown entities and large central government agencies. Many lack sophisticated information security teams and resources. CERT-NZ’s role is therefore expected to be doubly important in terms of data breach advice and leadership.

Strong, unique passwords make the difference

While we didn’t expend time or effort in decoding the password hashes, data breaches like Dropbox are a useful reminder about the importance of strong, unique passwords. It’s also particularly important to remind people and organisations that using two or three passwords across all their online accounts is not a good idea.

A useful resource in creating strong unique passwords can be found in Stanford University's password policy infographic. This shows how easy it is to build and remember strong, unique passwords of 16+ characters.

Get proactive about online accounts and data breaches

There are a number of services available that people and organisations can use to check if their email account has been included in a data breach – including HaveIBeenPwned. Here, users can register their email account(s) and be notified if they are involved in a breach that is made public.

HaveIBeenPwned also offers a service where users can receive domain-based alerts. This is useful for organisations, as security teams can set up alerts for anytime a work email account is breached and made public.

With over two billion accounts compromised in 2016, proactive alert services like these are a useful tool in helping alleviate concerns, and NZITF encourages all New Zealanders and New Zealand organisations to stay vigilant.

Terry MacDonald