19 May 2021

More hackers trying to exploit systems for money - CERT NZ

From Checkpoint, 5:12 pm on 19 May 2021

A government cyber security agency is seeing an increasing number of attacks with hackers attempting to exploit system weaknesses for money.

Clinical services across all Waikato public hospitals have been seriously affected by a cyber security incident first reported on Tuesday, with all phones and computers down.

CERT NZ incident response manager Nadia Yousef told Checkpoint attacks were coming through thick and fast lately.

"Particularly this year, it feels like there's been a real run of them."

Yousef said they had been sharing mitigation information between agencies but it often came down to simple things like long and strong unique passwords, multi-factor authentication and keeping networks updated - particularly for ransomware attacks.

"That will get you in front of most cyber security incidents, but the reality is that things can still slip through the cracks.

"Outside of that, we always recommend that agencies are ready for a cyber security incident like ransomware. Having good back-ups will save you in these incidences.

"If you have logs, you'll be able to figure out how an attacker got into your network and what their behaviour was once they were in there - that will help you recover from an incident significantly faster."

Waikato DHB has been hit by a ransomware attack. Photo: RNZ / Simon Rogers

Yousef said, particularly after Covid-19, people's lives were increasingly online and relied heavily on the interconnectedness the internet afforded us.

"That also means, for financially motivated scammers, there is real opportunity to compromise organisations. We're seeing a lot of events with attackers coming through trying to exploit vulnerabilities, take over systems, and demand reparations to get out of there."

If a ransomware attack occurs, the advice from CERT NZ and the government is not to pay the ransom.

"I can't speculate on what other jurisdictions are doing but, in New Zealand, we strongly recommend that you do not pay the ransom," Yousef said.

"There's a variety of reasons; one is that the attackers will continue doing it. If it's lucrative and it works, these financially motivated attackers will continue to do it.

"Also, we've seen a lot of cases where you pay the ransom, get your data back, and then get ransomware again. And, of course, there are incidences where you pay the ransom and you don't get your data back."

AUT department of computer science professor Dave Parry told Checkpoint ransomware was a worldwide problem.

"New Zealand is no more soft than anyone else, really... there's always a lot of activity trying to predict these attacks.

"There's a lot of filtering does go on to protect systems but when a new attack comes in, if you haven't got an identification for it, if it hasn't already been seen, then it can get through and unfortunately there's not a lot you can do about it.

"What happens with these sorts of attacks, the attacker will put some malicious software... onto the network and the network at DHBs are very, very complex. There is a very large number of applications. So in order to stop these malicious programmes from running, you effectively have to shut everything down, find and delete these malicious programmes, and you may also have to run a process from a backup to restore any files that were deleted or encrypted.

"With the very complicated systems that you have there, this takes a lot of time and the biggest risk you have is that maybe that malware has been there for a long time, and you don't want to be restoring it back onto the network by mistake...

"The problem with a lot of these attacks is ... they may have actually put this programme in some time ago and so it's in quite a lot of those backups that are there, so each of those backups has to be cleaned and checked to make sure there is nothing there that could start it all off again.

"Once you have discovered the programme that is causing the problem, it is very easy to check its signature... and you can scan... to look for that. Generally, once you have got that signature it's a lot easier."

Parry also said ransoms should never be paid because they just encouraged other attackers.