13 December 2022
A year of lows and highs
2022 has been a big year for cyber security, with several incidents from around the globe hitting headlines. Naturally, this has led to increased concern about security here in Aotearoa.
While there was a downward trend in reporting at the beginning of the year, this is largely attributable to the significant spike in the number of reports CERT NZ received in the last quarter of 2021 from the Flubot malware that was affecting New Zealand. A spike of almost 4,000 reports in Q4 2021 went down to about 2,300 and barely 2,000 reports in Q1 and Q2 of 2022 respectively. Reports to CERT NZ began to rise again in the second half of the year.
The reason behind the drop in Flubot reports was a collaborative effort between Europol and law enforcement agencies from 11 countries. This dealt a heavy blow to Flubot by shutting down its infrastructure, resulting in a drastic decrease in reports of that malware.
Financial loss also saw an initial decrease at the start of the year, from a then record $6.6 million in the last few months of 2021, down to $3.7 million in the first quarter of 2022. Since then, however, losses reached the highest amount ever reported to CERT NZ in a single quarter: a staggering $8.9 million in Q3.
There were a few reasons for this, including some very large individual losses and an increase in the types of incidents that lead to financial loss. This sort of variance can happen and, while CERT NZ isn’t complacent about this loss, we don’t expect the same loss to occur year-on-year.
2022 cyber security incidents
We observed new techniques and tactics across many common scams including phishing, phone scams, online shopping scams and romance and investment scams.
Throughout the year, CERT NZ has seen phishing incidents that start with an email or text but instead of directing the target to a link or file, the target is told to call a number. The wording of these types of phishing emails usually claims the target has renewed a subscription for anti-virus software and that they will need to call a specific number to cancel that renewal. If they call, they will later be targeted for phone-based scams that are unrelated to the original email they received.
Speaking of phone call scams, unfortunately these have been more successful this year, due to sophisticated scammer tactics.
We saw several scammers using spoofing techniques to make it appear as though they are calling from an organisation’s legitimate number. Naturally, this gives targets a false sense of security.
CERT NZ reminds people that if you receive a call and the caller asks you to install remote-access software or to provide sensitive information like your username and password, it is very likely a scam. In these cases, hang up and call that organisation directly.
Scams don’t only come in the form of an email or calls though. In fact, WhatsApp has been the primary platform for the new “Hey Mum” scams.
These scams typically involve an out-of-the-blue message, claiming to be from a close relative, usually a son or daughter. The fake relative claims their phone is broken – which is why they’re contacting you from a different number – and will ask you to help them with a payment as they either have an issue with their credit card or finances.
Unfortunately, if you provide your financial details, the scammer can walk away with your money. If you are contacted by someone claiming to be a family member on a different number than normal, try to contact them to verify, or otherwise check it’s a valid message. This includes using their normal number, which is probably still working.
Ransomware continues to be one of the most damaging incidents an individual or organisation can be hit with, and CERT NZ received about 30 reports of ransomware in 2022.
A large portion of the ransomware incidents reported to CERT NZ have been related to Deadbolt ransomware (a type of ransomware that targets network attached storage devices), with the second most reported variant being Lockbit 2.0.
This is a good time to mention the security controls that are critical in minimising the potential impact of a ransomware attack.
Implementing network segmentation and the principle of least privilege in your environment are two such controls that can help to minimise how much of your environment an attacker can access, even after gaining unauthorised access. Preventing access is still the preference, of course, and for that look no further than implementing good multi-factor authentication and patching policies across your networks.
These are all part of CERT NZ’s 10 Critical Controls, which are created annually based on reports from the previous year.
International Landscape and Notable Incidents
This year has also been an interesting one for international incidents.
It kicked off with some follow-on work to tidy up from last December’s ‘gift’ of Log4Shell (Log4J). We had a slight scare a few months later in March with some hype around a similar vulnerability in the Spring Framework. Thankfully that was more difficult to exploit, as it had some particular requirements for exploitation, and we saw very little about it after the initial hype.
Top of mind for many of us this year has been the conflict in Ukraine. Thankfully, there were few effects on us here in New Zealand (though the timing does have some correlation with a lull in incidents earlier this year). The more interesting thing to come out of this in the cyber security area was the way in which some organisations and nations were targeted and the rise in “hacktivism” across the globe.
We also noted that some criminal or vigilante groups aligned one way or the other to side with the states primarily involved in the war, which was not something we had seen at such a scale before. As the war continues to play out, we remain aware of this environment and monitor the parts of it that involve cyber security or may impact our corner of the world.
More recently we have seen some high-profile incidents across the ditch involving personal data.
Despite being Australian, the Optus and Medibank breaches gained a lot of media attention in New Zealand. These two incidents were quite different in nature but had similar fallout: in both, customers’ personal data has been the primary impact.
These are all very timely and pertinent reminders of how important security should be for businesses and the considerations that should be given to the customer data that is held by organisations.
Looking towards 2023
There’s a lot going on at CERT NZ at the moment.
Over the next year we will, as always, be hard at work providing advice and support to those experiencing security incidents. We also have some exciting work underway that will improve and increase the level of service we currently offer to both individuals and businesses. Alongside this are other efforts looking into understanding and improving Aotearoa’s cyber resilience and enabling smoother online reporting.
We expect attackers will continue to evolve and develop in the new year. There will be new tactics, more vulnerabilities and shifts in the threat landscape.
If you have a cyber security incident, report it to us so we can help you recover, and give specific advice about how to prevent it from happening again. We have advice to help you defend yourself, and there’s more coming in the New Year. No matter if you’re at home or at work, CERT NZ is here to help.
When it comes to keeping things safe and secure online, perfect security is hard, but getting the basics right will put you in a solid security position.
As the first port of call, check out our list of cyber security tips for individuals.
If you have a small to medium business, we have a separate list of 11 tips for your business.
And for the IT professionals, keep an eye on our critical controls, already mentioned above, for guidance on what to consider when building and protecting the networks and systems in your care.