Quarter One Report 2021

Phishing campaigns can have a big impact on individuals through to large organisations, and can result in financial, data, operational and reputational losses. Often phishing is a precursor to other attacks and scams, like email compromise and data leaks.

Attackers are constantly evolving phishing campaigns and their attempts to gather financial and personal information can vary, meaning phishing campaigns can be tricky to spot and easy to fall for.

To help reduce the impacts of phishing on New Zealanders, CERT NZ has been working with partners to share high-confidence and actionable information about phishing incidents specifically affecting New Zealanders, and misrepresenting New Zealand brands.

The information comes from third parties and reports made to CERT NZ. CERT NZ’s team then collates and analyses the phishing data and identifies indicators of malicious activity. CERT NZ then publishes the indicators for New Zealand internet service providers, email providers and security providers.

With this information, the providers can automatically protect their customers and disrupt the identified phishing campaigns. This might include stopping phishing emails before they reach people’s inboxes or blocking user access to a phishing website.

1. Person receives a phishing email 
2. They report the phishing email to CERT NZ
3. CERT NZ analyses the report and identifies phishing activity 
4. CERT NZ verifies phishing information and makes it available to partners
5. Partners take the information and use it to disrupt phishing campaigns by blocking or stopping them.
6. Many people are now protected from the phishing campaign

In Q1, CERT NZ began working as part of an interagency approach in preparation for New Zealand’s COVID-19 vaccine roll out. The Ministry of Health appointed CERT NZ as the central coordination agency for COVID-19 vaccine-related scams and misinformation. We began reaching out to international partners in countries that were already in the vaccination phase to gain a better understanding of the cyber security risks they’d encountered.

Findings showed a range of attacks from phishing campaigns to more targeted attacks on the key operational organisations. Taking this information and pairing it with findings from other NZ agencies, we’ve gained a wider understanding of possible cyber security risks around the roll out. We’ve used this information to develop an evidence-based approach to detect and resolve anticipated cyber incidents here in New Zealand.

From here, CERT NZ has been alerting both the organisations involved in the vaccine roll-out and New Zealanders awaiting the vaccination to the possible COVID-19 vaccine-related scams and what to look out for.

During the quarter, CERT NZ identified almost 500 vulnerable Microsoft Exchange email servers and over 100 compromised email servers. The majority of the compromised mail servers belonged to small businesses, with a number of large organisations also affected.

The attackers exploited 4 newly discovered Microsoft Exchange vulnerabilities to gain access to the Microsoft Exchange Server.

The attackers begin by scanning for vulnerable targets on the internet. The attackers then send a malicious request to the server to gain unauthenticated access. Once they have access, they deploy a Web Shell (backdoor) that allows the attackers to steal data, view emails on the server as well as send emails and carry out further malicious activity like ransomware, phishing and invoice scams.

In response, CERT NZ quickly issued an advisory alerting New Zealanders to the issue and included steps to prevent and mitigate possible attacks. CERT NZ has also contacted ISPs with information on vulnerable and compromised IP addresses, and provided resources they can forward to the affected individuals and businesses.

Updates released for new critical vulnerabilities in Microsoft Exchange

Unauthorised access is when an attacker gains access to accounts without the account holder’s knowledge. In some cases the attackers gain access to an account because it has a weak or reused password, or the attacker has sourced login credentials from a data breach or phishing campaign.

Once an attacker has access they can use this to carry out a range of attacks usually for financial gain. This can include compromising an email account to distribute phishing campaigns, stealing sensitive data and intercepting bill payments and invoices.

Often businesses are targets of this malicious activity, with more and more financial transactions carried out online. One example of this in Q1, was an incident reported by a New Zealand business. They noticed a reliable customer had missed an invoice payment for tens of thousands of dollars. They called the customer who informed them they had made the payment, and paid the money to the new bank account number the business had sent them a couple of days earlier. However, the business had not sent the email to update the payment details, an attacker had accessed the business’s account and been monitoring emails for some time. Knowing when an invoice was due, the attacker sent an email pretending to be from the businesses to the customer to get the payment redirected to the attacker’s account.

The business quickly reported the incident to CERT NZ, where we helped the business resecure accounts. We also referred the loss to NZ Police who were able to freeze the attacker’s bank account and recover the money.

Although unauthorised access is a constant threat to businesses, there are simple steps staff can take to help protect your accounts.

• Encourage staff to use long strong and unique passwords across all accounts by implementing a password policy

Create a password policy for your business

• Add an extra layer of security to the login process by turning on two-factor authentication (2FA)

Protect your accounts with 2FA