
ACSC 2024 Report Implications

Mike Kosak, published April 03, 2025

 


Last November, the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) published its Annual Cyber Threat Report for 2023-2024. The report summarizes the cyber threat environment facing the public and private sectors, as well as private households. The data includes trends and information on threat actor tactics and techniques as well as recommended actionable steps organizations and individuals can take to help mitigate these threats. 

The report provides a concise and easily understandable overview of the regional threat environment, and we in the LastPass Labs team highly recommend it, whether or not you or your organization is based in the region. Of note for our customers, ACSC stated that of the cyber security incidents it dealt with, 32% of critical infrastructure-related incidents and 30% of government sector incidents involved compromised accounts or credentials. In this post, we’ll summarize some of the highlights of the report and its recommendations that we think can be helpful to our customers.

Nation-States

The report begins with an examination of the cyber threats posed by nation-state threat actors to Australia. While the report calls out the strategic competition between the United States and China as a key driver of the overall threat environment, it also identifies cyberespionage, mis/disinformation campaigns associated with exerting malign influence, and attempts by threat actors to pre-position themselves on critical networks in the event of a conflict as issues the country is facing. The report also notes some of the more common techniques that have been associated with nation-states over the last year, including supply chain compromises. It also highlights the use of living-off-the-land techniques, in which a threat actor uses existing network tools to execute its objectives while evading detection, rather than custom malware, which can be easier to detect. Finally, nation-state targeting of cloud environments is also discussed, as these threat actors follow organizations’ adoption of the cloud for their infrastructure.

Critical Infrastructure

Australian critical infrastructure is routinely targeted by cyber threat actors, according to the report, for the purposes of cyberespionage, financial gain, and reconnaissance and preparation for disruptive attacks in the event of a regional conflict. Phishing and brute forcing accounted for 40% of the activity that led to sector incidents based on ACSC data, and utilities comprised 30% of the incident reporting. DDoS attacks were also common against critical infrastructure. The report notes that operational technology is particularly vulnerable to cyber attacks impacting the sector and provides guidance on key principles of OT cyber security as well as recommendations to mitigate potential risks. These mitigations include maintaining detailed network maps, comprehensive logs, and a robust cybersecurity awareness program for employees.

Cybercrime

As expected, ransomware (including data exfiltration and extortion) remains one of the key threats for Australian organizations, according to the report. In particular, small to medium-sized businesses (SMBs) were disproportionately impacted by ransomware, being almost twice as likely (6.2%) to be the victim of a ransomware attack compared to employees not associated with SMBs (3.2%). ASD also noted it continues to advise against paying extortion demands. Business email compromise (BEC) and fraud were also reported as major issues facing both organizations and individuals, with BEC self-reported losses totaling almost $84 million last year.

Artificial Intelligence (AI) is expected to continue to shape the cyber threat landscape on both the offensive and defensive sides. Offensively, the use of AI will help lower technological barriers of entry for threat actors and make it easier for them both to circumvent network defenses and to generate more accurate and convincing phishing emails. Defensively, the report notes AI should be able to enhance detection and triage efforts by defenders against malicious emails and other phishing campaigns.

The report also calls out two particular techniques used by cybercriminals that are of particular interest to LastPass and our customers: credential stuffing (defined in the document as “the use of stolen usernames and passwords to access other services and accounts via automated logins”) and password spraying (defined as “a brute-force attack where malicious cyber actors attempt to access a large number of accounts with commonly used passwords”). We would note that the continued prevalence of these tactics is driven by their high success rates, underscoring the need for both complex, unique passwords for every account and dark web monitoring for exposed credentials whenever possible. These countermeasures, along with the use of multi-factor authentication (MFA), updating software as soon as new updates are available, and backing up important files and device settings regularly, are also recommended by ACSC. 
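
For defenders, the two techniques quoted above leave different traces in failed-login logs. The sketch below is an added example (not code from the ACSC report or from LastPass): the log format, the `known=` field, the thresholds, and the heuristic that a high share of nonexistent usernames points to a breach-derived list are all assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log format (constructed): "<timestamp> FAIL src=<ip> user=<name> known=<0|1>"
# known=1 means the username exists in this directory.
LINE = re.compile(r"FAIL src=(\S+) user=(\S+) known=([01])")
MIN_ACCOUNTS = 5           # assumed: distinct accounts before a source is suspicious
MAX_TRIES_PER_ACCOUNT = 2  # assumed: more than this looks like single-account brute force
UNKNOWN_RATIO = 0.5        # assumed: share of nonexistent usernames suggesting a breach list

def build_sample():
    """Constructed failed-login lines for three sources (documentation IP ranges)."""
    lines = []
    for user in ["alice", "bob", "carol", "dave", "erin", "frank"]:
        lines.append(f"2025-04-01T10:00:00Z FAIL src=203.0.113.5 user={user} known=1")
    for i in range(8):
        known = 1 if i < 2 else 0
        lines.append(f"2025-04-01T10:05:00Z FAIL src=198.51.100.7 user=user{i}@example.net known={known}")
    for _ in range(3):  # one person mistyping their own password
        lines.append("2025-04-01T10:09:00Z FAIL src=192.0.2.10 user=alice known=1")
    return lines

def classify_sources(lines):
    """Return {source_ip: verdict} for sources that fail against many accounts."""
    tries = defaultdict(lambda: defaultdict(int))
    exists = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # ignore lines that are not failed logins
        src, user, known = m.groups()
        tries[src][user] += 1
        exists[user] = known == "1"
    verdicts = {}
    for src, users in tries.items():
        if len(users) < MIN_ACCOUNTS or max(users.values()) > MAX_TRIES_PER_ACCOUNT:
            continue
        unknown = sum(1 for u in users if not exists[u]) / len(users)
        verdicts[src] = "credential_stuffing" if unknown >= UNKNOWN_RATIO else "password_spraying"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(build_sample()).items():
        print(src, verdict)
```

The third source, a single account failing three times, is deliberately left unflagged; lockout or per-account rate limiting covers that case.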

Hacktivism

Rising global tensions led to an increase in hacktivist activity last year. Much of this activity involved DDoS attacks, website defacement, and ideologically-motivated doxxing. As ACSC notes, these threat actors are typically less technically sophisticated than their nation-state and cybercriminal counterparts, but the continued advancement of malware-as-a-service and other cyber attack tools for purchase, in addition to the above-discussed use of AI to lower barriers of entry, allows these threat actors to “punch above their weight” and present a continued threat to targeted individuals and organizations.

Resiliency

After discussing the overall cyber threat environment, the report discusses steps organizations and businesses can take to protect themselves. The recommendations are comprehensive and include links to further documentation on how to enact them, but highlights include securing edge devices like routers, supply chain awareness, the implementation of secure-by-design, using phishing-resistant multi-factor authentication (MFA), and maintaining robust logs for monitoring and forensics. It also outlines the ASD’s “Essential Eight,” which are prioritized mitigation strategies. These are:

  • Patch applications
  • Patch operating systems
  • Multi-factor authentication
  • Restrict administrative privileges 
  • Application control
  • Restrict Microsoft Office macros
  • User application hardening
  • Regular backups

Programs

Finally, the report discusses the importance of collaborative partnerships between the public and private sectors and outlines the numerous programs available to organizations seeking to take advantage of these services. These services are focused on helping organizations advance their cybersecurity in general and include maturity assessments, remediation and uplift programs, and a Cyber Threat Intelligence Sharing Platform that allows organizations to share and receive anonymized and curated indicators of compromise. We highly recommend organizations in the region review these programs and take advantage of those that they can.

Conclusion

Again, we would highly recommend organizations and individuals review the document to get a detailed and custom understanding of the threat environment in the region and to understand what steps they can take to mitigate these threats to the greatest extent possible. The report also outlines what government programs are available to help them. This is especially critical for individuals and SMBs that may not necessarily have the inherent resources or expertise available to larger organizations, allowing them to rapidly advance their cybersecurity posture with a limited investment of time and money.
