Quarter Three Report 2020

Full breakdown of incident reports for Q2 2019 to Q3 2020:

• Q2 2019: 1,197
• Q3 2019: 1,245
• Q4 2019: 1,197
• Q1 2020: 1,137
• Q2 2020: 1,965
• Q3 2020: 2,610

In Q3, CERT NZ’s data shows a high volume of attacks on New Zealand networks. Alongside incidents reported to CERT NZ, further data from The Shadowserver Foundation External Link  has provided richer insights into the extent of the attacks. The data shows a series of DDoS attacks throughout the quarter, with numbers peaking at 87 attacks on unique New Zealand IP addresses in one day.

DDoS attacks on NZ networks – Q3 2020:

Type of attack and outcomes of the 4,473 DDoS attacks tracked by CERT NZ, 96% were volumetric attacks. This DDoS technique is where attackers exploit vulnerabilities in networking protocols in order to generate high volumes of traffic. This traffic is directed at the target, either the server or network, to try to overload it and make it inaccessible to users. In some of these cases the DDoS attacks resulted in the targeted organisation’s websites and services being taken offline. Alongside the organisation’s online services being disrupted, these attacks can result in reputational damage and loss of revenue.

How a volumetric DDoS attack works:

There are many different protocols attackers can exploit. In the campaigns we observed in September and October, attackers exploited three protocols in particular to carry out volumetric DDoS attacks.

• LDAP (Port 389) - 62.5% (2.74K)
• NTP (Port 123) - 24% (1.05K)
• CHARGEN (Port 19) - 9.2% (0.4K)
• Other - 4.3% (0.19K)

This quarter, there were 342 unique IP addresses in New Zealand identified with one of these three protocols that could be exploited to carry out DDoS attacks. If your organisation is running these servers, CERT NZ recommends talking to your IT service provider to make sure the servers are inaccessible from the internet and configured so they can’t be exploited. Carrying out these checks will help reduce New Zealand’s exposure to DDoS attacks.

In last quarter’s Highlights Report, we explored the rise of multi-stage malware attacks. In this quarter, through direct reports from New Zealanders, and data provided by information sharing partners, these numbers have spiked. Of the total malware incidents reported 96% were attributed to the multi-stage malware variant, Emotet. 

Malware reports per quarter:

• Q2 2017: 49
• Q3 2017: 28
• Q4 2017: 29
• Q1 2018: 3
• Q2 2018: 6
• Q3 2018: 23
• Q4 2018: 48
• Q1 2019: 20
• Q2 2019: 14
• Q3 2019: 21
• Q4 2019: 20
• Q1 2020: 17
• Q2 2020: 29
• Q3 2020: 886

Emotet is constantly being developed and is self-replicating. It spreads via emails containing a malicious attachment or link that recipient is prompted to open. If the recipient opens the attachment, Emotet is installed onto the computer, which has modules to steal data, passwords and other sensitive information. Once installed, it compromises the recipient’s email account and sends copies of the email to the recipient’s contact list to further spread Emotet. It also allows other malware and ransomware variants to be installed, like Ryuk. 

In response to this spike, CERT NZ is reaching out to ISPs where reports of compromised IP addresses have been received. This enables the ISPs to alert their customers to the infection and help them respond and recover.

CERT NZ also received a large number of reports from an international partner about New Zealand email addresses that had been infected. With this information, we contacted the affected account holders directly to provide advice on how to best remove the malware from their machine and help resecure their accounts.

Business email comprise is when an attacker gains access to a business’s email account and carries out a range of attacks or scams, usually for financial gain. There are multiple ways attackers can get access to business email accounts, including through weak passwords, credential dumps, malicious software, and phishing campaigns. Unfortunately, attackers are increasingly sophisticated in their techniques and the compromise isn’t often detected until the attacker has successfully carried out the scam.

Q1 2020: 6 incidents, $439k

Q2 2020: 13 incidents, $90k

Q3 2020: 27 incidents, $944k

The upcoming changes are a timely reminder to check your business or organisation’s databases and make sure you’re doing all you can to secure customer information

We receive regular reports about vulnerable databases in New Zealand. In Q3, the top three types of databases reported to CERT NZ are Microsoft SQL (216 reports), Mongo DB (34) and Elastic Search (12).

Alongside databases, we received 6,800 reports about other technologies that are openly accessible to the internet, including File Transfer Protocol (FTP) servers.

• Microsoft SQL: 216
• MongoDB: 34
• Elastic Search: 12

Whether you operate these systems, or others, CERT NZ recommends considering whether they need to be hosted on the internet, and regularly maintaining databases to make sure information stored is secure. More information on how to implement these measures is included in our critical controls:

• Regularly maintaining databases
• Securing internet-exposed services