Our Take on the 2022 ACSC Annual Threat Report

One of the things a lot of cybersecurity professionals look forward to each year is the release of the Australian Cyber Security Centre (ACSC) Annual Threat report. Unlike other vendor sponsored, or produced reports, the ACSC report is an independent insight into the threats faced by Australian organisations, along with data into the types of threats and breaches reported to the ACSC. The 2022 version of the report has been released and provides interesting insight into the state of cybersecurity across Australia, covering June 2021 to July 2022.

Expectedly, the ACSC saw an increase in reporting of cybercrimes, up 13% to 76,000. This directly correlates with what the Triskele Labs team are seeing across both our Managed Detection and Response (MDR) clients, and the Digital Forensics and Incident Response (DFIR) team. Interestingly, this trend has changed in the months since July 2022, with a reduction in the number of incidents, but a considerable increase in the impact faced by organisations. We are seeing more and more instances of data exfiltration and double extortion where the network has suffered ransomware. 

One of the figures of most interest was that the ACSC themselves notified 148 entities of ransomware activity on their network. This means that either organisations were not aware of the intrusion, or were in very early stages and had not conducted eradication as yet. Where does this come from? We believe it could be from one of two locations. Either from an Internet Service Provider (ISP) or other threat intelligence partner monitoring for known Command and Control (C2) server communications by IP, or through Threat Intelligence sharing between other Five Eyes or AUKUS countries. 

Finally, another surprise was the discovery of 150,000 to 200,000 Small Office/Home Office routers in Australian homes and small businesses vulnerable to compromise. These devices are being actively exploited, including by state actors. It is assumed this is primarily Draytek routers however, the DFIR team have seen unpatched Enterprise grade firewalls also being targeted during attacks. This proves that it is imperative for organisations to have a documented Vulnerability Management procedure, and importantly a Vulnerability Management Solution such as Tenable.io from Nessus, InsightVM from Rapid7 or Qualys Vulnerability Management. Importantly, issues that are identified need to be patched on an ongoing basis.

Overall, it was of no surprise on the following stats within the report:

• An increase in financial losses due to BEC to over $98 million
  an average loss of $64,000 per report.
• A rise in the average cost per cybercrime report to over $39,000 for small business, $88,000 for medium business, and over $62,000 for large business
  an average increase of 14 per cent.
• A 25 per cent increase in the number of publicly reported software vulnerabilities
  (Common Vulnerabilities and Exposures – CVEs) worldwide.
• A cybercrime report every 7 minutes on average
  compared to every 8 minutes last financial year.

Our key takeaways from the ACSC report include:

• There are many more breaches happening on a daily basis than the ones you see in the news. While there have been around 7 big breaches reported, the ACSC themselves responded to 135 ransomware attacks. For the ACSC to be involved, these need to be large scale attacks as private industry handled most ransomware attacks. Triskele Labs ourselves have responded to over 30 cyber incidents this calendar year, including ransomware and BEC and the ACSC have not been involved. 
• Most of the successful breaches are from opportunistic attacks, rather than sophisticated ones. Most Threat Actors will scan externally facing infrastructure using tools such as https://shodan.io for known vulnerabilities they have exploits for, rather than targeting a hardened organisation. These Nation State attacks certainly occur, but make up a small percentage of breaches.
• You cannot rely on inbuilt mail protection within Office365 and need to invest in a secure mail gateway, whether this be Microsoft Defender for Email (part of E5 licensing), Proofpoint, Mimecast or similar technologies. Most of the BEC Triskele Labs have seen (and some ransomware) has come from successful phishing attacks. 
• Antivirus solutions are not up to scratch and will not provide protection against ransomware. You must be running an Endpoint Detection and Response (EDR) solution such as SentinelOne, Microsoft Defender for Endpoint or Crowdstrike to name a few. They are more cost effective than you think. Alternatively, check if your antivirus solution has an EDR component. For instance, Sophos has an add-on specifically for EDR.

If you would like to check out the report for yourself, this can be found here. As a community, we thoroughly appreciate the work done by the ACSC in protecting Australian organisations. The publication of this report provides vital insights that are not normally shared at such scale, and Triskele Labs greatly appreciates the effort that goes into producing this report on an annual basis.