State of play: Current cyber threat landscape

The last 12-months have seen a significant increase in cyber threats targeting organisations, be it private or public organisations, both internationally and here in New Zealand. Cert NZ recently reported their January to March 2021 reported incident figures, which noted that the number of incidents referred to New Zealand Police increased by 46% compared to Q4 2020, this being associated with the increase in incidents with financial loss.

The first part of 2021 has seen a growing threat from particular types of attack targeting organisations for financial gain purposes or to severely disrupt operations, or both.

The top four of these attacks have been summarised below:

Supply chain attacks

Supply chain attacks represent a unique initial access tactic that provides malicious actors with the ability to propagate from a single intrusion to multiple downstream targets of interest.

One such local attack was the data breach at the Reserve Bank. On December 25, 2020, the Reserve Bank was the victim of a cyber-attack on the third-party file sharing application, Accellion, which the Reserve Bank used to share and store information. On an international front, there was the exploit of SolarWinds’ Orion network management software. Victims of the campaign included several U.S. government agencies and even leading technology companies such as Microsoft and security vendor FireEye.

Given the potential high return on investment for threat actors, it is anticipated these attacks will continue to threaten organisations across all sectors in 2021 and beyond.

Ransomware is becoming a front for data extortion

Ransomware continues to plague organisations with a sevenfold increase in ransomware activity in the last 12 months. Notable is the growing trend of ransomware operators threatening to or actually leaking data from victim organisations. This tactic is intended to pressure victims to pay the ransom but is also likely in response to improved security practices by companies that could negate encryption of their files by recovering from backups. What cybercriminals now do, in addition to encrypting data and systems, is to also post that data on public servers. They then not only demand a ransom but also threaten to publicly release valuable intellectual property, personal or sensitive information if their ransom demands are ignored.

A recent, local example of this ransomware tactic is the Waikato DHB incident.

Targeting the distributed corporate environment

Over the past few years, networks have been radically transformed. In simplest terms, the traditional network perimeter has been replaced with multiple edge environments including local-area networks (LAN), wide-area networks (WAN), multi-cloud, data centres, remote workers, Internet of Things (IoT), mobile devices, and more, each with its unique risks and vulnerabilities. One of the most significant advantages to cybercriminals in all of this is that while all of these edges are interconnected, often due to applications and workflows moving across or between multiple environments, many organisations have sacrificed centralised security controls in favour of performance and agility.

Therefore, threat actors are shifting significant resources to target and exploit emerging network edge environments, such as remote workers and the cloud.

Targeting the home network as a backdoor into the corporate network

While we have seen an expected spike in attacks targeting novice remote workers and vulnerable devices to gain network access, we are also beginning to see new attacks targeting connected home networks. Much of that effort is focused on exploiting older, more vulnerable devices such as home routers and entertainment systems. Compromising such devices can yield valuable information that can make social engineering-based attacks much more successful, thus gaining access to corporate devices also located on the home network.

This trend could be the final nail in the coffin of trust-based security. A continually expanding and eroding perimeter puts ever-growing importance on moving deep security monitoring and enforcement to every device—trusted or otherwise.

And in the world of privacy

It’s now been some eight months since the Privacy Act 2020 came into effect on the 1st December 2020. For the first six months of the Privacy Act 2020, the Privacy Commissioner’s Office (OPC) has been focused on educating organisations to help them understand their new legal responsibilities. However, OPC has now published its Compliance and Regulatory Action Framework which details how OPC intends to approach its regulatory and compliance activities. For details about the framework and other Privacy Act related information, you should visit the Privacy Commissioner’s site.

One of the major changes to the Act was the introduction of mandatory breach notification. A notifiable privacy breach is one in which an organisation has reasonably judged that a breach it has experienced either has caused or is likely to cause someone serious harm. As expected, in the first six months since the Act came into force there was a 97% increase in the number of breaches reported compared to the previous six months. Interestingly, more than half of the breaches reported involved emotional harm and around one third resulted in a risk of identity theft or financial harm. This shows that breaches are having real impacts on individuals. OPC has also importantly updated their guidance on the time period organisations have to notify OPC of serious breaches. There is now an expectation that notifiable breaches will be notified to OPC within 72 hours.

Other topics that are receiving increased privacy ‘airtime’ both internationally and locally include the use of artificial intelligence (AI) and facial recognition for certain uses. In particular, in Europe, the European Data Protection Supervisor (EDPS) published a white paper relating to the use of AI technologies and the enforcement of AI regulation or the specific requirements for remote biometric identification (including facial recognition). Debates to date include the call for organisations to make public AI algorithms or greater fines for misuse of AI. This potentially may impact organisations here in New Zealand that are subject to the General Data Protection Regulation, ‘GDPR’.

OPC is also reviewing the use of AI and facial recognition technologies in New Zealand, in light of recent adoption by NZ Police etc. This is likely to result in specific guidance or even facial recognition standards. Last year, Stats NZ published an Algorithm Charter for Aotearoa New Zealand. This charter demonstrates a commitment to ensuring New Zealanders have confidence in how government agencies use algorithms.

We would recommend that if anyone is using or considering projects involving AI or facial recognition technologies may wish to review them from a privacy perspective and undertake a Privacy Impact Assessment (PIA) or an Algorithmic Impact Assessment (AIA).

For further information about any of the above areas included in this summary, please contact your Client Director or in the case of Privacy related queries you can also contact TwoBlackLabs, The Instillery’s dedicated privacy services company.