Australia’s premier cyber security agency has joined forces with its “Five Eyes” partners for the first time to issue an unprecedented warning about the vulnerabilities cyber hackers are exploiting in the wake of a series of hacks by China.
In a joint statement with its sister agencies in Britain, Canada, the United States and New Zealand, the Australian Cyber Security Centre released advice on the top 30 cyber security vulnerabilities being exploited by hackers over the past 18 months.
The five agencies released the advice partly in response to a wave of hackings orchestrated by China’s Ministry of State Security in which it also paid criminal groups to conduct ransomware attacks to extort millions of dollars from companies. The attack on Microsoft Exchange software topped the list of the biggest vulnerabilities exploited so far in 2021.
Australia last week took the rare step of joining with key allies to formally accuse Beijing of the co-ordinated hackings and engaging contract hackers to steal intellectual property in the attacks, which began in January.
The attacks on Microsoft Exchange software allowed hackers to gain access to the email systems of thousands of users, including in Australia.
The Chinese embassy in Australia rejected the allegations, saying Australia had its own poor record on cyber attacks and was like a thief crying “stop the thief”.
The five agencies warned on Wednesday night that the increased use of remote work options, such as virtual private networks (VPNs) and cloud-based services, had provided more opportunities for cyber attackers. Four of the most targeted vulnerabilities in 2020 related to remote working, VPNs, or cloud-based technologies.
ACSC head Abigail Bradshaw said malicious cyber attackers would continue exploiting weaknesses in everyday products, including Microsoft Office, “unless vulnerabilities are urgently addressed”.
“If Australians become a victim of cyber crime, the ACSC is always ready to offer help and is a one-stop shop for reliable and easy-to-follow advice,” she said.
Eric Goldstein, executive assistant director for the US agency CISA, said organisations that apply the best practices of cyber security, such as “patching”, can reduce their risk from cyber actors exploiting known vulnerabilities in their networks. A “patch” is a set of updates to a program or other software that fixes vulnerabilities so it can better withstand a cyber attack.
“In cyber security, getting the basics right is often most important,” Mr Goldstein said.