Cybercrime will be a free-for-all in 2023 thanks to low-level malware tools, say industry experts

Cybercriminals have created ransomware and malware tools so easy to use that even novices will be launching cyberattacks this year at low to zero cost, experts say.

The spate of cyberattacks on companies such as health insurer Medibank Private and telco Optus has already seen the data of millions of Australians compromised in recent months.

AustCyber group executive Jason Murrell said the barriers to becoming a cybercriminal were increasingly low.

“You can actually buy the material on the dark web, whether they’d be people’s details or the kits to do something like a ransomware attack or phishing attack, at a very low cost,” Mr Murrell said.

Adam Bennett, chief executive of WA-based computer security service company Red Piranha, agreed. He said there was an entire business model centred around the creation of ransomware tools.

“There’s another layer of criminal (activity) which is building and supplying tools for the cause and they are making their money off the gangs who are then purchasing it,” Mr Bennett said.

“The tools aren’t overly complicated but… if you’re sending out 1000 (phishing) emails and getting a success rate of 3 to 5 per cent, that’s a lot of passwords and log in (details).

“Once you’ve got those details, it’s pretty easy then to log in to the system of the organisation or the individual to carry out the next stage of the attack.”

Mr Bennett, a former member of the activist hacking group Anonymous, was in 2016 given a two-year suspended jail term and 200 hours of community service for targeting websites in 2012.

However, he is now putting his efforts into growing WA’s cybersecurity sector and has been recognised as a leader in the space by the State Government, winning the 2021 WA Defence Aspire Award.

“With the changing threat landscape over the last decade and the increase in financially motivated criminal activity in the digital space, I feel it is important to put the skills I have learned over the last 20 years towards protecting people and Australian organisations in the digital space,” Mr Bennett said.

About 9.8 million former and current Optus customers had their personal information stolen last September, including at least 2.1 million customers who had at least one number from a current or expired form of personal identification compromised.

Of these customers, about 1.2 million had a current and valid form of ID compromised, while 10,000 people had details released online by the hackers.

Medibank suffered a major security breach in October when the data of 9.7 million customers was stolen by online hackers and released online via the dark web.

The Australian Federal Police confirmed Russian cybercriminals were behind the Medibank attack.

Mr Bennett said the recent attacks should serve as a wake-up call for individuals and companies.

“This isn’t push one button, pay $500 and you’ve got a solution,” he said.

“Security is about defence in depth, so that’s layering up multiple controls.”

This included staff awareness training, breaking the cycle of password reuse, multi-factor authentication and restructuring administration privileges, he said.

Mr Murrell echoed Mr Bennett’s comments and said people needed to arm themselves with knowledge.

AustCyber group executive Jason Murrell. Credit: Supplied/AustCyber

“Especially older people in the community who have not grown up with the technology,” he added.

Silvana Macri, founder and chief executive of Perth-based security awareness training provider Stay Cyber Safe, said she was seeing exponential growth in cybercrimes and expected 2023 would be busy.

Research from Netherlands-based VPN service company Surfshark revealed data breaches in Australia surged 1550 per cent from 107,659 in October to 1.7 million in November — largely the result of the Medibank cyber attack.

Globally, data breaches fell 70.8 per cent over the same period.

Ms Macri said people should make the “entry point” to hackers as secure as possible by questioning emails that appear too good to be true.

“Cyber gangs will be watching the data that’s available out there and asking if they could leverage some of that,” she added.

Cyber Security Minister Clare O’Neil last month announced a new cybersecurity strategy would be drawn up, detailing how the Government planned to “rise up to the challenges facing Australia”.

The changes include a new expert advisory board to be chaired by former Telstra chief executive Andy Penn, Air Marshal Mel Hupfeld and Cyber Security Cooperative Research Centre chief executive Rachael Falk.

Australians experienced cyber attacks every one to two minutes, according to an AustCyber report, with more than 740 cases reported a day in 2021.

The report also revealed the number of cyberattacks in Australia is expected to double over the next five years, while the industry will face a shortage of 3000 cybersecurity workers by 2026.

Mr Murrell said the Federal Government needed to make the process of visa applications easier to attract international cyber professionals.

“In regards to training in schools, we need to make that development path clearer,” he said.

“At AustCyber, we’re doing a lot of work with regard to making that accreditation process a lot easier.

“We’re working with universities and other industry bodies to make sure we can have a united front and a clear pathway of what it looks like to become a cyber professional.”

Originally published by: Cheyanne Enciso The West Australian, Thu, 5 January 2023 8:17PM