Quarter Three Report 2020

Introduction

This quarter, CERT NZ received 2,610 incident reports about individuals and businesses from all over New Zealand. This report shares examples of the incidents and advice on how to best protect against them.

There are two parts to the report:

A Highlights Report focusing on selected cyber security incidents and issues.
A Data Landscape Report providing a standardised set of results and graphs for the quarter.

Quarterly Report: Highlights Q3 2020 [PDF, 775 KB]

Quarterly Report: Data Landscape Q3 2020 [PDF, 1.3 MB]

2,610 incidents were reported in Q3, up 33% from Q2.

$6.4 million in direct financial loss was reported in Q3.

34% increase in malware attacks from Q2.

101% increase in business email compromise, a type of unauthorised access.

The average number of incident reports per quarter is 1,295 and average direct financial loss is $3.6 million.

Number of incident reports by quarter

A total of 2,610 incidents reports were received in Q3, a 33% increase from Q2.

Full breakdown of incident reports for Q2 2019 to Q3 2020.

Breakdown by incident category

Phishing and credential harvesting remains the most reported incident category.

Breakdown of categories of incidents reported to CERT NZ in Quarter 3 2020

The top three reported incident categories in Q3 2020 were:

phishing and credential harvesting with 1,064 reports
malware with 886 reports
unauthorised access with 110 reports.

Incident category	Number of reports in Q3 2020
Phishing and credential harvesting	1064
Malware	886
Scams and fraud	423
Unauthorised access	112
Other	55
Ransomware	22
Suspicious network traffic	19
Website compromise	17
Denial of Service	8
Botnet traffic	3
Generic malware	1

If you have experienced a cyber security issue, report it to CERT NZ.

For more on the New Zealand threat landscape in Q3 2020, see the CERT NZ Quarterly Report: Data Landscape [PDF, 1.3 MB].

Focus area: Distributed Denial of Service (DDoS) attacks impact Kiwi businesses

Overview

This year a number of DDoS attacks have impacted both high profile organisations and small business around the country. These attacks are malicious attempts to overload an organisations online systems and take their operations offline

In Q3, CERT NZ’s data shows a high volume of attacks on New Zealand networks. Alongside incidents reported to CERT NZ, further data from The Shadowserver Foundation External Link has provided richer insights into the extent of the attacks. The data shows a series of DDoS attacks throughout the quarter, with numbers peaking at 87 attacks on unique New Zealand IP addresses in one day.

DDoS attacks on NZ networks – Q3 2020:

Type of attack and outcomes of the 4,473 DDoS attacks tracked by CERT NZ, 96% were volumetric attacks. This DDoS technique is where attackers exploit vulnerabilities in networking protocols in order to generate high volumes of traffic. This traffic is directed at the target, either the server or network, to try to overload it and make it inaccessible to users. In some of these cases the DDoS attacks resulted in the targeted organisation’s websites and services being taken offline. Alongside the organisation’s online services being disrupted, these attacks can result in reputational damage and loss of revenue.

How a volumetric DDoS attack works:

Defending your organisation against DDoS attacks

Like many cyber incidents, there isn’t a one-size fits all approach to defending against a DDoS attack. That’s why it’s important to have the right defences in place.

Best practices to defend against a DDoS attack

Protecting New Zealand from DDoS attacks

As part of CERT NZ’s role in building New Zealand’s cyber resilience, we’re working to help reduce the amount of insecure systems in the country. That’s why we’re reaching out to ISPs to alert network owners of systems that can potentially be exploited by an attacker to cause a DDoS.

There are many different protocols attackers can exploit. In the campaigns we observed in September and October, attackers exploited three protocols in particular to carry out volumetric DDoS attacks.

Protocols of DDoS attacks – Q3 2020:

LDAP (Port 389) - 62.5% (2.74K)
NTP (Port 123) - 24% (1.05K)
CHARGEN (Port 19) - 9.2% (0.4K)
Other - 4.3% (0.19K)

This quarter, there were 342 unique IP addresses in New Zealand identified with one of these three protocols that could be exploited to carry out DDoS attacks. If your organisation is running these servers, CERT NZ recommends talking to your IT service provider to make sure the servers are inaccessible from the internet and configured so they can’t be exploited. Carrying out these checks will help reduce New Zealand’s exposure to DDoS attacks.

Insight: Email users affected by Emotet

In Q3, malware reports increased by 34% making it the second highest incident category.

Malware is malicious software often spread through email attachments or links with the goal of infecting the recipient’s computer systems.

In last quarter’s Highlights Report, we explored the rise of multi-stage malware attacks. In this quarter, through direct reports from New Zealanders, and data provided by information sharing partners, these numbers have spiked. Of the total malware incidents reported 96% were attributed to the multi-stage malware variant, Emotet.

Malware reports per quarter:

Q2 2017: 49
Q3 2017: 28
Q4 2017: 29
Q1 2018: 3
Q2 2018: 6
Q3 2018: 23
Q4 2018: 48
Q1 2019: 20
Q2 2019: 14
Q3 2019: 21
Q4 2019: 20
Q1 2020: 17
Q2 2020: 29
Q3 2020: 886

Emotet is constantly being developed and is self-replicating. It spreads via emails containing a malicious attachment or link that recipient is prompted to open. If the recipient opens the attachment, Emotet is installed onto the computer, which has modules to steal data, passwords and other sensitive information. Once installed, it compromises the recipient’s email account and sends copies of the email to the recipient’s contact list to further spread Emotet. It also allows other malware and ransomware variants to be installed, like Ryuk.

In response to this spike, CERT NZ is reaching out to ISPs where reports of compromised IP addresses have been received. This enables the ISPs to alert their customers to the infection and help them respond and recover.

CERT NZ also received a large number of reports from an international partner about New Zealand email addresses that had been infected. With this information, we contacted the affected account holders directly to provide advice on how to best remove the malware from their machine and help resecure their accounts.

Protect from Emotet

To help prevent an Emotet infection, CERT NZ recommends:

Keeping anti-virus software up-to-date.
If you are unsure that an attachment is legitimate, contact the sender via phone or text to confirm.
Reporting any suspicious emails to CERT NZ

In September, CERT NZ issued an advisory about Emotet. It includes information on protections as well as steps to take if you or your organisation has been affected.

Emotet malware being spread via email

Insight: Business email compromise

New Zealanders report close to a million dollars in losses

Business email compromise is one of the most common types of unauthorised access reported to CERT NZ. Our quarter three data shows this type of attack is increasing, with 27 reports of business email compromise, up 101% from quarter two, and $944,000 in direct financial loss.

Business email comprise is when an attacker gains access to a business’s email account and carries out a range of attacks or scams, usually for financial gain. There are multiple ways attackers can get access to business email accounts, including through weak passwords, credential dumps, malicious software, and phishing campaigns. Unfortunately, attackers are increasingly sophisticated in their techniques and the compromise isn’t often detected until the attacker has successfully carried out the scam.

Business email compromise incidents – 2020:

Q1 2020: 6 incidents, $439k

Q2 2020: 13 incidents, $90k

Q3 2020: 27 incidents, $944k

Case study: Attacker intercepts business invoice

This quarter CERT NZ received a report from a business in the wholesale trade sector after an email account had been compromised.

The CEO’s email account was previously a target of a phishing campaign, where they had unknowingly entered their login credentials. Using these credentials, the attacker was able to access the CEO’s email account. Once the attacker had the CEO’s login credentials, they accessed the CEO’s email account and set up auto-forwarding rules so that all incoming and outgoing emails were automatically sent to the attacker’s account. The attacker monitored the communications for a number of weeks, the attacker became aware that the business was implementing new management software. The attacker waited for the vendor to submit their invoice, and the CEO to authorise the payment, the attacker then swapped the vendor’s bank account number to direct payment to their nominated account.

Initially the scam went unnoticed, and the invoice of $180,000 was paid into the overseas account nominated by the attacker. Unfortunately, it wasn’t until the vendor confirmed the payment hadn’t been received that the business realised the scam. They immediately reported it to their bank and CERT NZ. CERT NZ helped establish the cause of the attack and provided steps to secure the email account and help prevent any further attacks. We reported the incident and financial loss to NZ Police. Due to the amount of time that the scam went undetected, the payment wasn’t recovered.

Taking a few simple steps can help secure your business email accounts.

Protect from business email compromise

Update: Changes to the Privacy Act 2020 and vulnerable databases

The new Privacy Act 2020 comes into effect on 1 December 2020. These changes include the introduction of a privacy breach notification regime.

What this means for businesses and organisations

If a business or an organisation experiences a data breach where private information is lost or stolen, and believes this could result in serious harm, it is required to notify the Office of the Privacy Commissioner (OPC) and affected individuals as soon as possible.

Vulnerable databases and keeping your customer information safe

Unfortunately data breaches do happen, but the good news is there are measures you can take to help prevent an incident and keep your customers' information and data secure.

The upcoming changes are a timely reminder to check your business or organisation’s databases and make sure you’re doing all you can to secure customer information

We receive regular reports about vulnerable databases in New Zealand. In Q3, the top three types of databases reported to CERT NZ are Microsoft SQL (216 reports), Mongo DB (34) and Elastic Search (12).

Alongside databases, we received 6,800 reports about other technologies that are openly accessible to the internet, including File Transfer Protocol (FTP) servers.

Top three vulnerable databases with vulnerabilities – Q3 2020:

Microsoft SQL: 216
MongoDB: 34
Elastic Search: 12

Whether you operate these systems, or others, CERT NZ recommends considering whether they need to be hosted on the internet, and regularly maintaining databases to make sure information stored is secure. More information on how to implement these measures is included in our critical controls: