Hackers declaring culpability for a cyber-attack on care provider UnitingCare Queensland have been confirmed as one of the largest and far-reaching cyber ransom groups in the world.
Hospitals in Australia and New Zealand have fallen victim to a huge cyber intrusion, resulting in a huge disruption to the daily operations of hospitals, patients and numerous aged care and disability services have been detrimentally affected.
The FBI continues to warn about Advanced Persistent Threat (APT) actors exploiting your online vulnerabilities. An ATP is a secret threat actor, in most cases, a nation-state or state-sponsored group. These hackers gain unauthorized access to a computer network and remain undetected for an extended period of time.
The REvil/Sodin cyber-attack on UnitingCare Queensland was made evident when UnitingCare Queensland staff struggled to gain access to online communication and patient records after several wi-fi connections stopped working. This disruption has seen UnitingCare Queensland being deferred from the national ‘My Health Record’ system which permits patients to view their records online. Although the organization has not provided in-depth information around the cyber-attack itself, it is believed to have concerned the hackers’ attempt to gain access, via vulnerabilities within the system, to important information such as private and confidential patient records. They the hacker group then used blackmail by threatening to either destroy or publish the personal and classified information on the dark web, unless the organization pays a substantial ransom sum.
So, despite numerous warnings from the Australian Cyber Security Centre (ACSC), Australian Signals Directorate (ASD) and National Computer Emergency Response Team NZ (NZ CERT), why are these pernicious cyber-attacks still occurring today?
The truth is, some organizations are failing in their responsibilities to themselves and their customers by not conducting the proper and rigorous security checks needed. By using external cyber security auditors who are qualified in preventing organizations from being hacked, organizations can prevent a potentially disastrous cyber-attack from happening in the first place.
Just one single flaw of a trusted vendor can provide a multitude of opportunities for hackers to obtain access private data from both your organization and your customers. Without correct and strict procedures in place to deter malicious third parties, you are not safe.
To protect your company’s and customers confidential information against third party breach threats, you must follow preventative steps to identify and minimize risks.
Please connect with our Cyber Security Service Provider Cybernetic Global Intelligence (CGI) expert team to find out how you can secure your network from unauthorized access and keep your confidential data safe.
We are a leading Aussie cybersecurity firm with years of experience in providing outstanding cybersecurity services. You can call 1300 292 376 or send an email anytime to firstname.lastname@example.org for assistance.
The FBI identified the following indicators of compromise (IOCs) that we assess are likely associated with this APT activity.
New User Accounts
The APT actors may have established new user accounts on domain controllers, servers, workstations, and the active directories. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:
Filename: Audio.exe or frpc.exe
Note: Identical to “frpc.exe” available at:
Note: Identical to “frps.exe” available at:
- Mimikatz (credential theft)
- MinerGate (crypto mining)
- WinPEAS (privilege escalation)
- SharpWMI (Windows Management Instrumentation)
- BitLocker activation when not anticipated (data encryption)
- WinRAR where not expected (archiving)
- FileZilla where not expected (file transfer)
Any FTP transfers over port 443
Unrecognized Scheduled Tasks
The APT actors may have made modifications to the Task Scheduler that may display as unrecognized scheduled tasks or “actions.” Specifically, the below established task may be associated with this activity:
- Immediately patch CVEs 2018-13379, 2020-12812, and 2019-5591.
- If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization’s execution denylist. Any attempts to install or run this program and its associated files should be prevented.
- Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
- Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating system defined or recognized scheduled tasks for unrecognized “actions” (for example: review the steps each scheduled task is expected to perform).
- Review antivirus logs for indications they were unexpectedly turned off.
- Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Implement network segmentation.
- Require administrator credentials to install software.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Use multifactor authentication where possible.
- Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update antivirus and anti-malware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network (VPN).
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.