Growth in cybersecurity attacks against Australia outpacing global average

Imperva has new data that shows cyberattacks against Australia in 2022 has grown in both frequency and severity at a rate that outpaces the global average.

Imperva Threat Research found cyberattacks against Australia have increased significantly this year, noting an 81% increase in incidents between July 2021 and June 2022. This is a trend that grew over the 12 months, with a sharp rise in 2022. The severity of these attacks have also increased, with critical attacks more than tripling (227%) between August 2021 and May 2022. Both increases are above the global trend for the same timeframes.

The data suggests that cybercriminals see Australia and its citizens as lucrative targets. This aligns to a recent Credit Suisse Research Institute (CSRI) report, which found Australia is the richest country in the world in terms of median wealth per adult.

“Cybercriminals are targeting the personal data of Australians for financial gain - to sell, to hold to ransom, or to commit financial fraud and scams,” says Reinhart Hansen, Director of Technology, Office of the CTO, Imperva.

“During the pandemic, many organisations inadvertently created more opportunities for these bad actors. Many rushed their online implementations and transformation projects, taking shortcuts that left them vulnerable to exploitation.

“Now we’re seeing a large uptick in common, off-the-shelf and automated type attacks that hackers are continuously recycling and using against Australian targets. They are looking for known weaknesses and vulnerabilities in applications and APIs to gain access to the data repositories that sit behind them. Their ultimate aim is to exfiltrate data at scale that will allow them to build citizen profiles that are used as the basis of their illegal activity.”

The most heavily targeted industries in Australia are financial, retail, and business services. In particular, incidents targeting financial services almost tripled (189%) in the first half of this year (compared to H2 2021).

Attacking IPs mainly came from the US and Australia, which is to be expected, given that it’s common for hackers to use botnets based in the country they’re targeting. The US also accounts for a large number of infected devices and large cloud providers that attackers’ often use as infrastructure.

Automated threats doubled in H1 2022

The top three most common risks Australian organisations face are automated threats and remote code execution (RCE) / remote file inclusion (RFI). Attacks related to these risks grew in frequency between H2 2021 and H1 2022, with automated threats doubling in frequency (108%).

Risk Name

Increase from

H2 2021 to H1 2022

Description

1 Automated Threat

108%

Automated threats are usually carried out by bad bots which are software applications that run automated tasks with malicious intent. They enable high-speed abuse, misuse, and attacks on websites, mobile apps, and APIs. Activities include web scraping, competitive data mining, personal and financial data harvesting, brute-force login, digital ad fraud, denial of service, denial of inventory, spam, transaction fraud, and more.

2 RCE / RFI

57%

In an RCE (remote code execution) attack, hackers intentionally exploit a remote code execution vulnerability to run malware. An RFI (remote file inclusion) attack targets vulnerabilities in the web application to include malicious code from a remote server.

3 Backdoor Trojan

51%

A backdoor trojan is a malware type that negates normal authentication procedures to access a system. As a result, remote access is granted to resources within an application, such as databases and file servers, giving perpetrators the ability to remotely issue system commands and update malware.

 

It’s easy for attackers to aim bad bots at the information they want to steal, so bots are commonly used across the board for attacks in all industries. Financial services were heavily targeted, with bot attacks increasing almost seven fold (588%) in H1 2022 (compared to H2 2021). According to the 2022 Imperva Bad Bot Report, financial sites are heavily targeted by bad bots conducting account takeover attacks, carding, and other forms of financial fraud, which aligns with what we’ve seen in Australia over the past year.

 

When looking at account takeover attacks (ATO) in Australia, attackers mainly used brute force attacks (70%) and credential stuffing (20%). This is high compared to global trends, where these two categories only accounted for a combined 28% of ATO attacks in the same time period. This means that attackers are relying heavily on ready-made brute force tools and on leaked credentials related to Australian accounts.

Remote code execution, or RCE, followed at an almost 60% rise across the board. RCE allows attackers to execute malicious code on a targeted device, and can be used to get a wealth of information out of a system.

RCE can be modified to fit any target, and can be combined with social engineering attacks, Multi-Factor Authentication (MFA) bombing, or malware to gain easier access to the target’s system. Again, the financial industry has seen significant growth in this type of attack at 132%.

Backdoor Trojans take advantage of vulnerable components in a web application. Once installed, detection is difficult as files tend to be highly obfuscated. Web Server backdoors are used for a number of malicious activities, including data theft, website defacing, server hijacking and watering hole attacks. The retail industry has been heavily targeted with Backdoor Trojan attacks increasing 111% between H2 2021 and H1 2022.

Chart, pie chartDescription automatically generated

When looking at the OWASP Top 10 attacks in Australia from July 2021 to June 2022, RCE was the largest OWASP threat to Australian sites at 28%. Path traversal and local file inclusion (LFI) followed at 18%, and cross-site scripting (XSS) at 16%. LFI is a technique used to trick a web application into exposing files on a server, and XSS occurs when an attacker injects malicious code into a normal website. All of these techniques can all be used together to conduct a more efficient attack.

“These findings underscore the need for Australian organisations to invest in security that better aligns with the modern data driven enterprise. Today’s threat landscape requires data-centric security that spans from the network edge to applications and APIs and all the way down to the data itself. Only by protecting data and the modern online enterprise paths to that data can organisations truly defend their critical systems and maintain trust with customers, both of which are critical to success in the digital economy,” Hansen said.

For more information and data, read this blog: Imperva Threat Research Show Cyberattacks on the Rise in Australia