Quarter Four Report 2020

Since CERT NZ launched in 2017, we’ve received more than 7,200 phishing reports and worked with thousands of organisations and individuals across the country to help them recover.

Phishing campaigns can have a big impact on individuals, businesses and large organisations, and result in financial, data, operational and reputational losses. Often phishing is a precursor to other attacks and scams, like unauthorised access and data breaches.

What CERT NZ does

In Q4, 44% of phishing incidents reported were about individuals, and 19% about businesses and organisations. Where possible, our incident response team worked with the recipient to determine the impact, and provided relevant guidance to help them recover, and resecure their accounts.

The other 37% includes reports from local and international partners alerting us to phishing campaigns and harvested credentials. CERT NZ takes this information, analyses the data and reaches out to the appropriate person, agency or organisation who may have been affected.

CERT NZ also uses the information from these reports to:

• take down phishing websites
• disrupt phishing campaigns
• investigate the techniques attackers use to distribute phishing campaigns and take the findings to develop preventions and mitigations to help protect against them.

A common type of phishing reported to CERT NZ is email phishing – where attackers target large contact lists in order to reach as many people as possible. Phishing emails can be hard to spot as attackers often make them look like they’re from a well-known organisation. The emails usually replicate the organisation’s branding, use similar language and URLs, and spoof the email address to appear legitimate.

Attackers are opportunistic and often evolve campaigns in response to current events and trends in global behaviours.

For example, in Q4 we saw a spike in courier delivery phishing emails. With the festive season and increase in gift giving around the globe, CERT NZ received reports of email and text message scams claiming the recipient had a pending parcel delivery that required a small payment for release. However, there isn’t any parcel, and it’s a trick to get recipients to click on a URL, visit the phishing website and enter their credentials.

Another example in Q4 was a Zoom-branded phishing campaign. With more people working from home, attackers are targeting software that virtually connects people, like the online conference platform Zoom. Attackers sent emails replicating a Zoom meeting invitation in an attempt to get the recipient to view the invite details by clicking the link provided and entering their Microsoft Suite credentials.

Use unique passwords on all your online accounts (and a password manager to help remember them)—that way if you share your account information in a phishing attack, your other accounts won’t be impacted. You’ll only need to update the password for the compromised account.

Guide to good passwords

Use two-factor authentication (2FA) on accounts where possible. It provides an extra layer of security on your account in case your password is compromised.

Protect accounts with 2FA

Go direct. Type the url into address bar or use bookmarks to access websites rather than clicking links in emails.

Just ask. There are no silly questions, especially when it comes to your online security. If you’re unsure about an email you’ve received, it’s a good idea to check in with the sender via another method like phone or text, or run it past a colleague, friend or family member.

Report it. If you’ve received a phishing email or think you’ve responded to one, get help quickly by reporting it confidentially to CERT NZ. We’ll help you work out the steps you need to secure your accounts, and your report means we can get the message out to help protect others.

Report online

Alongside incident reports, CERT NZ monitors data provided by other sources. In Q4, CERT NZ became aware of around 2,000 New Zealand devices infected by malware variant, QSnatch. This malware variant, which first spiked in 2018, specifically targets a widely-used brand of network attached storage (NAS) devices called QNAP.

QSnatch accesses the QNAP device from the internet by exploiting vulnerabilities to bypass the device’s password protection.

Once QSnatch has access to the device, it establishes backdoor capabilities allowing the attackers to take control of the device. It then steals passwords and credentials using keylogging and credential scraping. It also stops some software from updating, which prevents the infections from being fully removed.

While QSnatch infections are persistent, our data shows that international agencies have sinkholed the command and control infrastructure’s IPs.

This means the attackers are blocked from the infected devices and are unable to send new instructions and harvest user credentials.

Although the attackers are blocked from communicating with the devices, the devices are still vulnerable to new infections. The attackers can either exploit unpatched vulnerabilities or use previously harvested credentials.

If you use QNAP or another NAS device, CERT NZ recommends:

• keeping firmware and anti-virus software up-to-date
• enabling multi-factor authentication
• configuring logging and alerting to identify suspicious activity
• securing internet-exposed services

QNAP’s QSnatch advisory External Link

How QSnatch works

Not only does this lead to a potential data breach of customer information, it can also mean reputational and financial loss for the affected organisation.

From CERT NZ data sources, the top three types of vulnerable databases in New Zealand are Microsoft SQL, MongoDB and Elastic Search, with the largest rise in Microsoft SQL databases.

CERT NZ takes an active role in analysing this information. We reach out to the organisations operating the databases to notify them of the possible vulnerabilities, and offer guidance to help secure the databases and protect their customer information.

With this information, we reached out to a central technical contact for the business to advise them of the vulnerabilities and the risk this posed to them and their customers. The business wasn’t aware of the issue and are now following CERT NZ’s recommended steps to secure their databases.

CERT NZ strongly recommends all businesses and organisations work with their IT provider to check if any databases are internet-exposed and to make sure customer information is secure. These checks include following CERT NZ Critical Controls on:

Patching software

Securing internet-exposed services